.NET STANDARD 4.7.2 Azure承载令牌授权

时间:2020-01-10 14:45:09

标签: .net azure asp.net-mvc-5 azure-active-directory owin

我有一个.NET MVC5 / API应用程序,该应用程序通过Azure通过OWIN对用户进行身份验证。本身就很棒。用户使用其Azure AD帐户登录没有问题。我还需要授权从同一AD Azure域进行身份验证的用户,才能从其他应用程序访问此API。 IE客户端应用程序(已具有Azure授权用户)->此服务器应用程序。我的开发客户端是一个使用MSAL模块的Angular应用程序,它确实在其请求中将天蓝色的承载令牌传递给了我的.NET API应用程序(在Fiddler中可见)。但是,响应始终是重定向到microsoft.login,客户端将其显示为CORS错误。如何配置.NET STANDARD应用程序以通过Azure在本地授权用户以及接受已授权的Azure承载令牌?另外,已经在Azure中设置了客户端和服务器应用程序权限(正确吗?不是100%)。

我的Startup.Auth:

    public partial class Startup
{

    private static string redirectUrl = "Https://" + Settings.RootURL;
    private static string clientId = Settings.GraphClientID;
    private static string aadInstance = "https://login.microsoftonline.com/";
    private static string tenantId = Settings.GraphTenantID;
    private static string authority = aadInstance + tenantId;

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);            
        app.UseCookieAuthentication(new CookieAuthenticationOptions { CookieName = "CIM-Cookie", SlidingExpiration=true });
        app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            // Sets the ClientId, authority, RedirectUri as obtained from Settings.json
            ClientId = clientId,
            Authority = authority,
            RedirectUri = redirectUrl,
            UseTokenLifetime = false, //set to false to manage session with the cookie middleware
            PostLogoutRedirectUri = redirectUrl,
            Scope = OpenIdConnectScope.OpenIdProfile,

            // ResponseType is set to request the id_token - which contains basic information about the signed-in user
            ResponseType = OpenIdConnectResponseType.IdToken,
            //SignInAsAuthenticationType="Cookies",

            TokenValidationParameters = new TokenValidationParameters()
            {
                ValidateIssuer = false,
                RoleClaimType = "groups",
                NameClaimType = "name",
            },

            // OpenIdConnectAuthenticationNotifications configures OWIN to send notification of failed authentications to OnAuthenticationFailed method
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = OnAuthenticationFailed,
                SecurityTokenValidated = (context) =>
                {
                    var identity = context.AuthenticationTicket.Identity;
                    var emailClaim = identity.Claims.Where(r => r.Type == ClaimTypes.Name).FirstOrDefault();
                    identity.AddClaim(emailClaim);
                    return Task.FromResult(0);
                }
            }
        });
    }
    private Task OnAuthenticationFailed(AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
    {
        context.HandleResponse();
        context.Response.Redirect("/?errormessage=" + context.Exception.Message);
        return Task.FromResult(0);
    }
}

2 个答案:

答案 0 :(得分:0)

确保已从服务器应用程序公开了api并添加了客户端应用程序。

enter image description here

从客户端应用程序获取访问令牌时,请使用{{1}}作为范围。

参考:

Configure app to expose web APIs

Acquire token for an API

答案 1 :(得分:0)

哦,天哪。几个小时后,我找到了解决方案。我将此添加到了startup.auth:

            app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Audience = "https://xxxx.onmicrosoft.com/xxxx",
                Tenant = tenantId
            });

我希望有一天能对其他人有所帮助。

相关问题
最新问题