
Azure Active Directory - how to restrict a backend API app registration to a specific client app registration

Updated: 2023-08-21 13:22:10

You are on the right path with your thinking about adding an appRoles entry to backend-api and then assigning the role specifically to frontend-app.

Additionally, understand that enforcing this requirement (that only applications coming in with this new role claim are allowed, and others aren't) is a responsibility of your API code.

I'll get to 2 specific approaches next. Both approaches are explained in the Microsoft Docs here: Microsoft identity platform and the OAuth 2.0 client credentials flow

Approach 1 - Using application permissions or roles

Configure your API application to expose a set of application permissions (or roles).

This approach is a little more declarative, as you define an application permission that needs to be assigned to any application that can call your backend-api.

Navigate to Azure Active Directory > App Registrations > App registration for your backend-api app > Manifest

Add a new application role, using JSON like this:

"appRoles": [
  {
    "allowedMemberTypes": [
      "Application"
    ],
    "displayName": "Can invoke my API",
    "id": "fc803414-3c61-4ebc-a5e5-cd1675c14bbb",
    "isEnabled": true,
    "description": "Apps that have this role have the ability to invoke my backend API",
    "value": "MyAPIValidClient"
  }
]

Assign the app permission to your frontend app:

New-AzureADServiceAppRoleAssignment -ObjectId <frontendapp.ObjectId> -PrincipalId <frontendapp.ObjectId> -Id "fc803414-3c61-4ebc-a5e5-cd1675c14bbb" -ResourceId <yourbackendapi.ObjectId>

Authenticate your frontend app to the backend API using the client credentials grant, i.e. using clientId and client secret, as you're probably already doing.

Now, in the auth token received by your backend API, you can check that the roles claim collection contains a role named "MyAPIValidClient"; otherwise you can reject the call with an Unauthorized exception.

Approach 2 - Using an access control list

When your backend API receives a token, it can decode the token and extract the client's application ID from the appid and iss claims. Then it compares the application against an access control list (ACL) that it maintains.

Depending on your requirement, the API might grant only a subset of the full permissions, or all permissions, to a specific client.

This 2nd approach may seem like a simpler one for some cases, although I like the first one better as it scales well when you have multiple application permissions/roles and different levels of functionality to provide based on those roles.

Related SO posts and references

Microsoft Docs - Microsoft identity platform and the OAuth 2.0 client credentials flow
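As an added illustration (not code from the answer above, nor from Microsoft), here is how a backend API could enforce each approach in Python once its JWT middleware has already validated the token's signature, audience, issuer and expiry; the helpers only inspect the resulting trusted claims. The tenant and app IDs, the issuer strings, the ACL contents and the `authorize` helper are assumptions for the example; the role value `MyAPIValidClient` is the one from the manifest above. The example also handles the v2.0 token case, where the caller's app ID is carried in `azp` rather than `appid`.

```python
"""Authorization checks a backend API can apply to an Azure AD access token.

Approach 1: require the app role "MyAPIValidClient" in the roles claim.
Approach 2: look the caller's application ID (plus issuer) up in an ACL.
Assumes the JWT's signature, audience, issuer and expiry have ALREADY been
validated by your JWT middleware; only the trusted claims dict is inspected.
"""
from typing import Optional

# Constructed placeholder identifiers (not from any real tenant).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
FRONTEND_APP_ID = "11111111-1111-1111-1111-111111111111"
REPORTING_APP_ID = "22222222-2222-2222-2222-222222222222"

# App role value from the backend-api manifest in the answer.
REQUIRED_APP_ROLE = "MyAPIValidClient"

# Issuer values Azure AD uses for this tenant's v1.0 and v2.0 tokens.
EXPECTED_ISSUERS = {
    f"https://sts.windows.net/{TENANT_ID}/",
    f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
}

# Approach 2: ACL mapping caller app ID -> operations it may perform
# (assumed contents). A client absent from the ACL is allowed nothing.
ACL = {
    FRONTEND_APP_ID: {"read", "write"},
    REPORTING_APP_ID: {"read"},
}


class Unauthorized(Exception):
    """Raised when the caller may not perform the requested operation."""


def roles_of(claims: dict) -> set:
    """Return the roles claim as a set (Azure AD emits a JSON array)."""
    roles = claims.get("roles", [])
    if isinstance(roles, str):  # tolerate a single-string claim
        roles = [roles]
    return set(roles)


def has_app_role(claims: dict, role: str = REQUIRED_APP_ROLE) -> bool:
    """Approach 1: the client credentials token must carry the app role."""
    return role in roles_of(claims)


def caller_app_id(claims: dict) -> Optional[str]:
    """Client application ID: 'appid' in v1.0 tokens, 'azp' in v2.0 tokens."""
    return claims.get("appid") or claims.get("azp")


def acl_allows(claims: dict, operation: str, acl: dict = ACL) -> bool:
    """Approach 2: issuer must be our tenant and the app ID must be listed in
    the ACL with the requested operation. Checking iss alongside appid matters
    for multi-tenant apps, whose app ID can appear in other tenants' tokens."""
    if claims.get("iss") not in EXPECTED_ISSUERS:
        return False
    app_id = caller_app_id(claims)
    if app_id is None:
        return False
    return operation in acl.get(app_id, set())


def authorize(claims: dict, operation: str, approach: str = "app-role") -> str:
    """Apply one of the two policies; returns the caller's app ID on success
    and raises Unauthorized otherwise (the API turns that into a 401/403)."""
    if approach == "app-role":
        allowed = has_app_role(claims)
    elif approach == "acl":
        allowed = acl_allows(claims, operation)
    else:
        raise ValueError(f"unknown approach {approach!r}")
    if not allowed:
        raise Unauthorized(
            f"app {caller_app_id(claims)!r} may not {operation!r} ({approach})")
    return caller_app_id(claims) or ""


if __name__ == "__main__":
    # Constructed claim sets, as a JWT library would return after validation.
    frontend = {"iss": f"https://sts.windows.net/{TENANT_ID}/",
                "appid": FRONTEND_APP_ID, "roles": [REQUIRED_APP_ROLE]}
    stranger = {"iss": f"https://sts.windows.net/{TENANT_ID}/",
                "appid": "33333333-3333-3333-3333-333333333333"}
    print(authorize(frontend, "write"))  # frontend app ID
    try:
        authorize(stranger, "read", approach="acl")
    except Unauthorized as exc:
        print("rejected:", exc)
```

The point the answer makes carries over: assigning the app role to frontend-app only puts `MyAPIValidClient` into that client's token; nothing rejects other clients until the API itself checks the claim, which is what `has_app_role` (or, for the ACL variant, `acl_allows`) does.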