How to configure Azure AD OAuth2 with node-adal and OWIN?

Time: 2016-10-19 13:13:04

Tags: c# azure oauth-2.0 owin adal

How do I configure OWIN to validate access requests obtained from Azure AD using node-adal?

Startup class below:

app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
  {
    AuthenticationMode = AuthenticationMode.Active,
    AllowedAudiences = new []
    {
      ConfigurationManager.AppSettings["ida:ClientId"] // AAD clientid from registered application
    },
    IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
    {
      new SymmetricKeyIssuerSecurityTokenProvider(
        ConfigurationManager.AppSettings["ida:Issuer"], // https://sts.windows.net/<tenantid-guid>/ retrieved from AAD federationmetadata.xml
        TextEncodings.Base64Url.Decode(ConfigurationManager.AppSettings["ida:ClientSecret"]) // AAD secret from registered application
      )
    }
  });

Token response from node-adal (implementation described here):

{
  tokenType: "Bearer",
  expiresIn: 3599,
  expiresOn: "2016-10-19T13:49:47.649Z",
  resource: "spn:00000002-0000-0000-c000-000000000000",
  accessToken: "removed for brevity", 
  refreshToken: "removed for brevity",
  userId: "user@domain.com",
  isUserIdDisplayable: true,
  familyName: "familyName",
  givenName: "givenName",
  identityProvider: "live.com",
  oid: "oid-guid",
  tenantId: "tenantid-guid"
}

Using the accesstoken from the node-adal response above, sending

Authorization: Bearer accesstoken-here

to a secured endpoint that uses the [Authorize] attribute returns

{"message":"Authorization has been denied for this request."}

Edit to show the old and new approaches; the old one works, the new one does not:

  // this is new version (using clientsecret, aka AD web app)
  var issuer = ConfigurationManager.AppSettings["ida:Issuer"];
  var secret = TextEncodings.Base64Url.Decode(ConfigurationManager.AppSettings["ida:ClientSecret"]);
  app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
  {
    AuthenticationMode = AuthenticationMode.Active,
    AuthenticationType = OAuthDefaults.AuthenticationType,
    Provider = new OAuthBearerAuthenticationProvider(),
    AccessTokenFormat = new JwtFormat(
      new[] { ConfigurationManager.AppSettings["ida:ClientId"] }, 
      new IIssuerSecurityTokenProvider[] { new SymmetricKeyIssuerSecurityTokenProvider(issuer, secret) }
    )
  });

  // this is old version (not using clientsecret, aka AD native app), this works but all my code is in the Angular Single Page app, I am trying to move the auth code into the node server to secure all access
  app.UseWindowsAzureActiveDirectoryBearerAuthentication(new WindowsAzureActiveDirectoryBearerAuthenticationOptions
  {
    Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
    TokenValidationParameters = new TokenValidationParameters
    {
      ValidAudiences = new[]
      {
        ConfigurationManager.AppSettings["ida:AudienceImplicit"],
        ConfigurationManager.AppSettings["ida:AudienceDaemon"]
      }
    }
  });

1 answer:

Answer 0 (score: 0)

We have a dedicated OWIN middleware for validating tokens from Azure AD:

app.UseWindowsAzureActiveDirectoryBearerAuthentication(
    new WindowsAzureActiveDirectoryBearerAuthenticationOptions
    {
        Audience = ConfigurationManager.AppSettings["ida:Audience"],
        Tenant = ConfigurationManager.AppSettings["ida:Tenant"]
    }
);

See the .NET samples at aka.ms/aaddev for more comprehensive guidance.
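As an added example (not code from the question or the answer), here is a fuller version of the answer's middleware configuration with the validation parameters made explicit: the signing keys come from the tenant's federation metadata, so no client secret is involved, and the token's aud must match one of the configured audiences. It assumes ida:Tenant holds the tenant GUID and ida:AudienceImplicit / ida:AudienceDaemon hold the two app ID URIs from the question; the tid check in OnValidateIdentity is this example's own defence-in-depth addition.

```csharp
using System;
using System.Configuration;
using System.IdentityModel.Tokens;
using System.Threading.Tasks;
using Microsoft.Owin.Security.ActiveDirectory;
using Microsoft.Owin.Security.OAuth;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // Assumed to hold the tenant GUID (the value in the 'tid' claim and in the
        // https://sts.windows.net/<tenantid>/ issuer). Signing keys are fetched from
        // the tenant's federation metadata, so the API never needs a client secret.
        var tenant = ConfigurationManager.AppSettings["ida:Tenant"];
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Tenant = tenant,
                TokenValidationParameters = new TokenValidationParameters
                {
                    // 'aud' must match one of these exactly. A token acquired for another
                    // resource (such as the Graph spn shown in the question) is rejected.
                    ValidAudiences = new[]
                    {
                        ConfigurationManager.AppSettings["ida:AudienceImplicit"],
                        ConfigurationManager.AppSettings["ida:AudienceDaemon"]
                    },
                    // Pin the issuer to this tenant's STS rather than accepting any tenant.
                    ValidateIssuer = true,
                    ValidIssuer = "https://sts.windows.net/" + tenant + "/"
                },
                Provider = new OAuthBearerAuthenticationProvider
                {
                    // Defence in depth after signature/audience/issuer checks: the 'tid'
                    // claim (mapped to the tenantid claim type by the JWT handler) must match.
                    OnValidateIdentity = ctx =>
                    {
                        var tid = ctx.Ticket.Identity.FindFirst(
                            "http://schemas.microsoft.com/identity/claims/tenantid");
                        if (tid == null || !string.Equals(tid.Value, tenant, StringComparison.OrdinalIgnoreCase))
                            ctx.Rejected();
                        return Task.FromResult(0);
                    }
                }
            });
    }
}
```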