如何使用Azure Active Directory设置Ocelot Api Gateway

时间:2019-05-06 11:57:47

标签: azure asp.net-core azure-active-directory asp.net-core-webapi ocelot

我遵循了this教程,并设法将api与Azure Active Directory结合使用 身份验证和授权。

但是,我想从Ocelot Api Gateway后面使用API​​。 我可以将ocelot与自定义基本授权一起使用,但不能与Azure Active Directory一起使用。

我已经将Ocelot api网关URL添加到了我的api重定向URL列表中。

如何在config.json和Ocelot Api Gateway项目StartUp.cs中设置ReRoutes值?

任何帮助将不胜感激。

2 个答案:

答案 0 :(得分:0)

最终我可以。 首先要感谢ocelot库,因为它支持Azure Active Directory授权。

我假设您已经完成this教程。

1-照常创建ocelot api网关项目。

2-将Microsoft.Identity.Web类库添加到ocelot项目中作为参考

3-添加ocelot.json,它应该如下所示

    {
  "ReRoutes": [

    {
      "DownstreamPathTemplate": "/api/{catchAll}",
      "DownstreamScheme": "http",
      "DownstreamHostAndPorts": [
        {
          "Host": "localhost",
          "Port": 44351
        }
      ],
      "UpstreamPathTemplate": "/to-do-service/api/{catchAll}",

      "AuthenticationOptions": {
        "AuthenticationProviderKey": "AzureADJwtBearer",
        "AllowedScopes": []
      }
    }

  ],
  "GlobalConfiguration": {
    "BaseUrl": "http://localhost:7070",
    "RequestIdKey": "OcRequestId",
    "AdministrationPath": "/administration"
  }
}

在Program.cs中4-编辑CreateWebHostBuilder方法,以便将ocelot.json用作其他配置源。

public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
            WebHost.CreateDefaultBuilder(args)
             .ConfigureAppConfiguration((hostingContext, config) =>
             {
                 config.AddJsonFile("ocelot.json", false, false);
             })
                .UseStartup<Startup>();

在Startup.cs中5-如下编辑ConfigureServices和Configure方法

public void ConfigureServices(IServiceCollection services)
        {
            services.AddProtectWebApiWithMicrosoftIdentityPlatformV2(Configuration); //this extension comes from Microsoft.Identity.Web class library

            services.AddOcelot(Configuration);
            //services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public async void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }

            await app.UseOcelot();
        }

6-最后但并非最不重要的一点是,您应该将AzureAd配置添加到ocelot api网关项目中。 (参考教程应与ToDoListService相同) 她,您可以看到一个示例appsettings.json。

{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "ClientId": "client-id-guid-from-azure-ad",

    /*
      You need specify the TenantId only if you want to accept access tokens from a single tenant (line of business app)
      Otherwise you can leave them set to common
    */
    "Domain": "blablabla.onmicrosoft.com", // for instance contoso.onmicrosoft.com. Not used in the ASP.NET core template
    "TenantId": "tenant-id-guid-from-azure-ad" // A guid (Tenant ID = Directory ID) or 'common' or 'organizations' or 'consumers'
  },
  "Logging": {
    "LogLevel": {
      "Default": "Warning"
    }
  },
  "AllowedHosts": "*"

}

我希望这个答案可以节省别人的时间并让他们的生活更快乐:)

编码愉快!

答案 1 :(得分:0)

我无法使用“ Microsoft.Identity.Web”库进行此操作。我收到了很多错误,例如:

AuthenticationScheme:AzureADCookie未通过身份验证...

-和-

签名验证失败...

相反,我设法获得了Azure B2C令牌验证以及范围,其工作方式如下:

1)ConfigureServices方法(Startup.cs):

    services.AddAuthentication(options =>
            {
                options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme; 
             })
           .AddJwtBearer(jwtOptions =>
           {
               jwtOptions.Authority = $"{Configuration["AzureAdB2C:Instance"]}/tfp/{Configuration["AzureAdB2C:TenantId"]}/{Configuration["AzureAdB2C:SignUpSignInPolicyId"]}";
               jwtOptions.Audience = Configuration["AzureAdB2C:ClientId"];
               jwtOptions.TokenValidationParameters.ValidateIssuer = true; 
               jwtOptions.TokenValidationParameters.ValidIssuer = $"{Configuration["AzureAdB2C:Instance"]}/{Configuration["AzureAdB2C:TenantId"]}/v2.0/"; 
           }); 

            // Map scp to scope claims instead of http://schemas.microsoft.com/identity/claims/scope to allow ocelot to read/verify them
            JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Remove("scp");
            JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Add("scp", "scope");


2) Ocelot re-routing configuration:

     {
      "DownstreamPathTemplate": "/{everything}",
      "DownstreamScheme": "http",
      "DownstreamHostAndPorts": [
        {
          "Host": "master-api",
          "Port": 5000
        }
      ],
      "UpstreamPathTemplate": "/master-api/{everything}",
      "UpstreamHttpMethod": [ "POST", "PUT", "GET", "DELETE" ],
      "ReRoutesCaseSensitive": false,
      "AuthenticationOptions": {
        "AuthenticationProviderKey": "Bearer",
        "AllowedScopes": [ "master" ]
      }
    }

3)Azure AD B2C配置(appsettings.json):

  "AzureAdB2C": {
    "Instance": "https://yourdomain.b2clogin.com",
    "TenantId": "{tenantId}",
    "SignUpSignInPolicyId": "your_signin_policy",
    "ClientId": "{clientId}"
  }

希望这会有所帮助! :)

相关问题
最新问题