Not allowing users to authenticate in my multi-tenant Azure AD application

Time: 2016-12-08 15:40:55

Tags: azure authentication c#-4.0 azure-active-directory openid-connect

I have two tenants configured in Azure AD. My users authenticate successfully in my tenant, but other users from the other tenant can also access my application.

What is wrong with my application? I am using the OpenID Connect protocol in my code, like this:

app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        ClientId = clientId,
        Authority = authority,
        TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
        {
            // issuer validation is switched off here
            ValidateIssuer = false,
        },
        Notifications = new OpenIdConnectAuthenticationNotifications()
        {
            // runs after the token has been validated; does nothing with the issuer
            SecurityTokenValidated = (context) =>
            {
                return Task.FromResult(0);
            },
            AuthenticationFailed = (context) =>
            {
                context.HandleResponse();
                return Task.FromResult(0);
            }
        }
    });

Did I set something up wrong on Azure?

Can someone help me?

Thanks,

Vilela

1 answer:

Answer 0: (score: 0)


"I have two tenants configured in Azure AD."

A tenant corresponds to an Azure Active Directory. So having two tenants means you have two different Azure Active Directories. (See here for details on the concept.)

To enable a multi-tenant app, we need to enable it from the old Azure portal and locate your app. Then you can set it up by referring to the figure below:
[screenshot: the multi-tenant setting for the app in the old Azure portal]

Update (restricting specific tenants' access to a multi-tenant app)

// needs: using Microsoft.Owin.Security.OpenIdConnect; using System.IdentityModel.Tokens; using System.Threading.Tasks;
app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        ClientId = ClientId,
        Authority = Authority,
        TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
        {
            // instead of using the default validation (validating against a single issuer value, as we do in line of business apps),
            // we inject our own multitenant validation logic
            ValidateIssuer = false,
        },
        Notifications = new OpenIdConnectAuthenticationNotifications()
        {
            // we use this notification for injecting our custom logic
            SecurityTokenValidated = (context) =>
            {
                // retrieve caller data from the incoming principal
                string issuer = context.AuthenticationTicket.Identity.FindFirst("iss").Value;
                // placeholders: fill in the issuer values of the tenants you trust
                var issuer1 = "";
                var issuer2 = "";
                if ((issuer != issuer1) && (issuer != issuer2))
                {
                    // the caller was not from a trusted issuer - throw to block the authentication flow
                    throw new SecurityTokenValidationException();
                }
                return Task.FromResult(0);
            }
        }
    });
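The point of the answer's SecurityTokenValidated callback is that once ValidateIssuer is false, the middleware accepts a token from any Azure AD tenant unless the app itself compares the iss claim against the tenants it trusts, which is exactly what the asker's original code never did. The following is an added example, not code from the question, the answer or the OWIN middleware, showing that allowlist check as language-neutral logic in Python: it parses the iss claim using the documented Azure AD issuer formats (https://sts.windows.net/{tenant-id}/ for v1 tokens, https://login.microsoftonline.com/{tenant-id}/v2.0 for v2 tokens), extracts the tenant GUID, checks it against the allowlist and, when a tid claim is present, requires it to agree with the issuer. All tenant IDs, claim dictionaries and the look-alike host are constructed sample data.

```python
import uuid
from typing import Iterable
from urllib.parse import urlsplit

# Azure AD issuer formats: the v1 endpoint issues tokens with
# iss = https://sts.windows.net/{tenant-id}/ and the v2 endpoint with
# iss = https://login.microsoftonline.com/{tenant-id}/v2.0.
# Map each accepted host to the path suffix that must follow the tenant ID.
ISSUER_HOSTS = {
    "sts.windows.net": "",
    "login.microsoftonline.com": "v2.0",
}


class IssuerRejected(Exception):
    """The token's issuer is not one of the tenants this app trusts."""


def canonical_tenant(value: str) -> str:
    """Normalise a tenant ID to lowercase hyphenated GUID form, or reject it."""
    try:
        return str(uuid.UUID(str(value)))
    except ValueError:
        raise IssuerRejected(f"not a tenant GUID: {value!r}") from None


def tenant_from_issuer(issuer: str) -> str:
    """Extract the tenant ID from an Azure AD issuer URL, rejecting any other shape."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or parts.query or parts.fragment:
        raise IssuerRejected(f"unexpected issuer URL: {issuer!r}")
    expected_suffix = ISSUER_HOSTS.get(parts.netloc.lower())
    if expected_suffix is None:
        # exact host match only: a look-alike host such as sts.windows.net.example fails here
        raise IssuerRejected(f"unknown issuer host: {parts.netloc!r}")
    segments = parts.path.strip("/").split("/")
    tenant, suffix = segments[0], "/".join(segments[1:])
    if suffix != expected_suffix:
        raise IssuerRejected(f"unexpected issuer path: {parts.path!r}")
    # "common", "organizations" and similar names are sign-in endpoints, not tenants;
    # the GUID check rejects them
    return canonical_tenant(tenant)


def validate_issuer(claims: dict, allowed_tenants: Iterable[str]) -> str:
    """Return the tenant ID if 'iss' (and 'tid', when present) belong to an allowed tenant.

    This is the comparison the answer's SecurityTokenValidated callback performs,
    with the issuer parsed instead of compared as an opaque string.
    """
    issuer = claims.get("iss")
    if not isinstance(issuer, str):
        raise IssuerRejected("token has no string 'iss' claim")
    tenant_id = tenant_from_issuer(issuer)
    if tenant_id not in {canonical_tenant(t) for t in allowed_tenants}:
        raise IssuerRejected(f"tenant {tenant_id} is not trusted by this app")
    tid = claims.get("tid")
    if tid is not None and canonical_tenant(tid) != tenant_id:
        raise IssuerRejected("'tid' claim does not match the issuer's tenant")
    return tenant_id


def is_allowed_issuer(claims: dict, allowed_tenants: Iterable[str]) -> bool:
    """Boolean wrapper for callers that prefer a verdict over an exception."""
    try:
        validate_issuer(claims, allowed_tenants)
        return True
    except IssuerRejected:
        return False


# constructed sample data (not real tenants): the app trusts two tenants
OWN_TENANT = "11111111-1111-1111-1111-111111111111"
PARTNER_TENANT = "22222222-2222-2222-2222-222222222222"
ALLOWED_TENANTS = {OWN_TENANT, PARTNER_TENANT}

# constructed claim sets as they would appear in decoded tokens
SAMPLE_CLAIMS = {
    "own_v1": {"iss": f"https://sts.windows.net/{OWN_TENANT}/", "tid": OWN_TENANT},
    "partner_v2": {"iss": f"https://login.microsoftonline.com/{PARTNER_TENANT}/v2.0",
                   "tid": PARTNER_TENANT},
    "foreign": {"iss": "https://sts.windows.net/33333333-3333-3333-3333-333333333333/",
                "tid": "33333333-3333-3333-3333-333333333333"},
    "common_endpoint": {"iss": "https://login.microsoftonline.com/common/v2.0"},
    "lookalike_host": {"iss": f"https://sts.windows.net.example/{OWN_TENANT}/"},
    "tid_mismatch": {"iss": f"https://sts.windows.net/{OWN_TENANT}/", "tid": PARTNER_TENANT},
}

if __name__ == "__main__":
    for name, claims in SAMPLE_CLAIMS.items():
        verdict = "accept" if is_allowed_issuer(claims, ALLOWED_TENANTS) else "reject"
        print(f"{name:16} {verdict}  iss={claims['iss']}")
```

Running the block prints one line per sample: the two trusted tenants are accepted and the foreign tenant, the common endpoint, the look-alike host and the tid mismatch are all rejected. Parsing the issuer rather than string-comparing it means an allowlist of tenant IDs covers both the v1 and v2 issuer formats, which the answer's two hard-coded issuer strings would not.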