Azure AD - HTTP / 1.1 401未经授权 - Windows服务

时间:2016-05-24 04:15:20

标签: c# azure azure-web-sites jwt azure-active-directory

Azure Auth存在问题。调用在Azure中托管的WebAPI时未授权401。

以下是基础知识: 遵循本教程 - https://github.com/showcases/package-managers

已注册2个申请:

  1. Windows服务
  2. 的WebAPI
  3. Windows服务调用STS并成功获取JWT。然后它尝试将该令牌传递给azurewebsites.net上托管的WebAPI。

    这是我调用STS的代码(刚刚包含在Auth类中):

    public class AzureAuth
    {
    
        private AuthenticationContext authContext;
        private ClientCredential clientCredential;
    
        protected string AzureADInstanceName;
        protected string AzureADTenancyName;
    
        protected string AzureADApplicationClientId;
        protected string AzureADApplicationSecret;
        protected string AzureADApplicationAppId;
    
    
        public AzureAuth(string azureADInstanceName, string azureADTenancyName, string azureADApplicationClientId, string azureADApplicationSecret, string azureADApplicationAppId)
        {
            this.AzureADInstanceName = azureADInstanceName;
            this.AzureADTenancyName = azureADTenancyName;
            this.AzureADApplicationClientId = azureADApplicationClientId;
            this.AzureADApplicationSecret = azureADApplicationSecret;
            this.AzureADApplicationAppId = azureADApplicationAppId;
    
            string authority = string.Format(CultureInfo.InvariantCulture, AzureADInstanceName, AzureADTenancyName);
            this.authContext = new AuthenticationContext(authority);
            this.clientCredential = new ClientCredential(AzureADApplicationClientId, AzureADApplicationSecret);
        }
    
        public async Task ExecuteGetWithAADAutToken<T>(Action<AuthenticationResult> AfterAuthAction)
        {
            AuthenticationResult result = null;
            try
            {
                result = await authContext.AcquireTokenAsync(this.AzureADApplicationAppId, this.clientCredential);
                AfterAuthAction(result);
            }
            catch (Exception ex)
            {
                throw;
            }
        }
    }
    

    然后我使用Auth类和AuthResult来调用WebApi:

    using (var client = new HttpClient())
    {
        client.BaseAddress = new Uri(getEndPointUri);
        client.DefaultRequestHeaders.Accept.Clear();
        client.DefaultRequestHeaders.Accept.Add(new System.Net.Http.Headers.MediaTypeWithQualityHeaderValue("application/json"));
        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", res.AccessToken);
    
        HttpResponseMessage response = await client.GetAsync("/api/field");
    
        if (response.IsSuccessStatusCode)
        {
            var resultStringJSON = await response.Content.ReadAsStringAsync();
            Console.WriteLine(resultStringJSON);
        }
        else
        {
            var resulterrorStringJSON = await response.Content.ReadAsStringAsync();
            Console.WriteLine(resulterrorStringJSON);
        }
    }
    

    HttpResponseMessage响应正在提供未经授权的

    我用fiddler来获取请求和响应:

    GET https://xxxxxxxx.azurewebsites.net/api/someapi HTTP/1.1
    Accept: application/json
    Authorization: Bearer XXXXXXXXX
    Host: xxxxxx.azurewebsites.net
    
    
    HTTP/1.1 401 Unauthorized
    Content-Length: 0
    Server: Microsoft-IIS/8.0
    WWW-Authenticate: Bearer realm="xxxxxxx.azurewebsites.net"
    X-Powered-By: ASP.NET
    Set-Cookie: ARRAffinity=697493f3974009aeb448f562d1b389f79aa6008071be1244c77f3f1d3849f5f0;Path=/;Domain=xxxxxxxx.azurewebsites.net
    Date: Tue, 24 May 2016 03:59:15 GMT
    

    请帮忙吗?

    我怀疑的主要问题是在Azure中,AAD应用程序无法访问Web API应用程序。我试图通过用户添加它,但当我以用户搜索该应用程序时,它无法找到它。已注册的应用程序位于不同的Azure AD目录中。

1 个答案:

答案 0 :(得分:2)

您是否偶然在门户网站中启用了身份验证/授权?当他们在同一个Web应用程序中同时使用集成的身份验证/授权和OWIN Azure AD身份验证中间件时,有些人遇到了类似的问题。设置应用程序的正确方法是使用其中一种,因为它们目前不能很好地协同工作。