是否正确使用Owin.Security.ActiveDirectory库与AAD B2C

时间:2017-05-01 08:11:18

标签: azure azure-ad-b2c owin.security

我们在同一个AAD B2C 租户中注册了两个应用程序,通过" New"和#34;老"门户。

使用"旧"进行身份验证应用凭证工作正常。 使用" New"应用程序凭据 - 出现错误:

IDX10500:签名验证失败。无法解析SecurityKeyIdentifier:' SecurityKeyIdentifier     (     IsReadOnly = False,     计数= 1,     子句[0] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause     ) '

使用在AAD B2C 租户中注册的应用程序使用Microsoft.Owin.Security.ActiveDirector库(以保护ASP.Net Web API)是否正确?

P.S。我的问题基于post

1 个答案:

答案 0 :(得分:0)

您应该只通过new Azure portal (portal.azure.com)中的Azure AD B2C刀片创建应用程序。

请勿使用经典Azure门户(manage.windowsazure.com)为Azure AD B2C创建应用程序。

如果要保护WebApp,则应使用Owin的OpenIdConnectAuthentication 。本文档详细介绍了如何执行此操作:Sign-Up & Sign-In in a ASP.NET Web App

如果您想保护WebAPI,则应使用Owin的OAuthBearerAuthentication 。本文档详细介绍了如何执行此操作:Build a .NET web API

WebApp的示例配置:

public void ConfigureAuth(IAppBuilder app)
{
    app.UseCookieAuthentication(new CookieAuthenticationOptions());
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            // Generate the metadata address using the tenant and policy information
            MetadataAddress = String.Format(AadInstance, Tenant, DefaultPolicy),

            // These are standard OpenID Connect parameters, with values pulled from web.config
            ClientId = ClientId,
            RedirectUri = RedirectUri,
            PostLogoutRedirectUri = RedirectUri,

            // Specify the callbacks for each type of notifications
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = OnRedirectToIdentityProvider,
                AuthorizationCodeReceived = OnAuthorizationCodeReceived,
                AuthenticationFailed = OnAuthenticationFailed,
            },

            // Specify the claims to validate
            TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "name"
            },

            // Specify the scope by appending all of the scopes requested into one string (separated by a blank space)
            Scope = $"{OpenIdConnectScopes.OpenId} {YourScope1} {YourScope2}"
        }
    );
}

Web API的示例配置:

    public void ConfigureAuth(IAppBuilder app)
    {
        TokenValidationParameters tvps = new TokenValidationParameters
        {
            // Accept only those tokens where the audience of the token is equal to the client ID of this app
            ValidAudience = ClientId,
            AuthenticationType = Startup.DefaultPolicy
        };

        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            // This SecurityTokenProvider fetches the Azure AD B2C metadata & signing keys from the OpenIDConnect metadata endpoint
            AccessTokenFormat = new JwtFormat(tvps, new OpenIdConnectCachingSecurityTokenProvider(String.Format(AadInstance, Tenant, DefaultPolicy)))
        });
    }
相关问题
最新问题