Question

我的MVC WebApp部署到Azure Paas并使用Azure AD进行保护。身份验证设置使用下面的示例代码作为其基础，它在localhost中使用IISExpress或IIS。

https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect

但是在部署到Azure之后它无法正常工作。即使用户将正确进行身份验证，也永远不会调用AuthorizationCodeReceived委托。

这是设置身份验证的启动代码：

void ConfigureAuth(IAppBuilder app,  Container container) {
        _log.Debug("Configuring Azure Authentication");

        AzureActiveDirectoryAppSetting setting = container.GetInstance<IAzureActiveDirectoryAppSettingFactory>().Get();
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions() {
                ClientId = setting.ClientID,
                Authority = setting.Authority,
                PostLogoutRedirectUri = setting.PostLogoutRedirectUrl,
                RedirectUri = setting.ReplyUrl,
                Notifications = new OpenIdConnectAuthenticationNotifications() {
                    AuthorizationCodeReceived = new Func<Microsoft.Owin.Security.Notifications.AuthorizationCodeReceivedNotification, System.Threading.Tasks.Task>(args => OnAuthorizationCodeReceived(args, container)),
                    AuthenticationFailed = new Func<Microsoft.Owin.Security.Notifications.AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions>, System.Threading.Tasks.Task>(OnAuthorizationFailed),
                }
            }
        );
    }

    System.Threading.Tasks.Task OnAuthorizationFailed(Microsoft.Owin.Security.Notifications.AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> args) {
        _log.Error("Authorization Failed");
        return System.Threading.Tasks.Task.FromResult<string>(null);
    }
    System.Threading.Tasks.Task OnAuthorizationCodeReceived(Microsoft.Owin.Security.Notifications.AuthorizationCodeReceivedNotification args, Container container) {
        _log.Debug("Authorization Code Received");
        var auth =  container.GetInstance<IClaimsBasedAuthentication>();
        return auth.ReceiveSecurityClaim(args.Code, args.AuthenticationTicket.Identity, HttpContext.Current);
    }

以下是Azure的跟踪。正如您所看到的，身份验证是成功的，但是＆＃34;授权失败＆＃34;或＆＃34;收到的授权码＆＃34;跟踪无处可寻。第一个错误来自AcquireTokenSilentAsync调用。它失败了，因为令牌首先没有被缓存。

感谢任何帮助。谢谢！

- 2017-06-10T22:18:59  PID[7692] Verbose     Albatross.Security.AzureADOpenIDAuthentication:AzureADOpenIDAuthentication Created
- 2017-06-10T22:18:59  PID[7692] Information Albatross.Web.App_Start.Startup:Web App Configuration
- 2017-06-10T22:18:59  PID[7692] Information Albatross.Web.App_Start.Startup:All areas registered
- 2017-06-10T22:18:59  PID[7692] Information Albatross.Web.App_Start.Startup:Routes registered
- 2017-06-10T22:18:59  PID[7692] Information Albatross.Web.App_Start.Startup:Bundles registered
- 2017-06-10T22:18:59  PID[7692] Verbose     Albatross.Web.App_Start.Startup:Configuring Azure Authentication
- 2017-06-10T22:18:59  PID[7692] Verbose     Albatross.Web.App_Start.Startup:ClientID:xxx
- 2017-06-10T22:18:59  PID[7692] Verbose     Albatross.Web.App_Start.Startup:Authority:https://login.microsoftonline.com/rushuioutlook.onmicrosoft.com
- 2017-06-10T22:18:59  PID[7692] Verbose     Albatross.Web.App_Start.Startup:PostLogoutRedirectUrl:https://albatrossweb.azurewebsites.net/.auth/login/aad/callback/
- 2017-06-10T22:18:59  PID[7692] Verbose     Albatross.Web.App_Start.Startup:ReplyUrl:https://albatrossweb.azurewebsites.net/.auth/login/aad/callback/
- 2017-06-10T22:18:59  PID[7692] Verbose     Albatross.Web.App_Start.Startup:Tenant:rushuioutlook.onmicrosoft.com
- 2017-06-10T22:19:00  PID[7692] Verbose     Received request: GET http://albatrossweb.azurewebsites.net/
- 2017-06-10T22:19:00  PID[7692] Information Redirecting: https://albatrossweb.azurewebsites.net/
- 2017-06-10T22:19:00  PID[7692] Verbose     Received request: GET https://albatrossweb.azurewebsites.net/
- 2017-06-10T22:19:00  PID[7692] Information Redirecting: https://login.windows.net/25dd3578-72e5-4b70-a97b-3cc94f9d69cc/oauth2/authorize?response_type=code+id_token&redirect_uri=https%3A%2F%2Falbatrossweb.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback&client_id=40ca9b08-b857-4307-9ba3-5815031e9ddf&scope=openid+profile+email&response_mode=form_post&nonce=4a0abda18cf6448fb5b8095efb546871_- 20170610222400&state=redir%3D%252F
- 2017-06-10T22:19:29  PID[7692] Verbose     Received request: POST https://albatrossweb.azurewebsites.net/.auth/login/aad/callback
- 2017-06-10T22:19:29  PID[7692] Verbose     JWT validation succeeded. Subject: 'iit96kJ_mJn8Qt0f3kKAZm3qFKMGR2BMjVEnI45JBRc', Issuer: 'https://sts.windows.net/25dd3578-72e5-4b70-a97b-3cc94f9d69cc/'.
- 2017-06-10T22:19:29  PID[7692] Verbose     Calling into external HTTP endpoint POST https://login.windows.net/25dd3578-72e5-4b70-a97b-3cc94f9d69cc/oauth2/token.
- 2017-06-10T22:19:29  PID[7692] Information Login completed for 'ethan@rushuioutlook.onmicrosoft.com'. Provider: 'aad'.
- 2017-06-10T22:19:29  PID[7692] Verbose     Writing 'AppServiceAuthSession' cookie for site 'albatrossweb.azurewebsites.net'. Length: 940.
- 2017-06-10T22:19:29  PID[7692] Information Redirecting: https://albatrossweb.azurewebsites.net/
- 2017-06-10T22:19:31  PID[7692] Verbose     Received request: GET https://albatrossweb.azurewebsites.net/
- 2017-06-10T22:19:31  PID[7692] Verbose     Found 'AppServiceAuthSession' cookie for site 'albatrossweb.azurewebsites.net'. Length: 940.
- 2017-06-10T22:19:31  PID[7692] Verbose     Authenticated ethan@rushuioutlook.onmicrosoft.com successfully using 'Session Cookie' authentication.
- 2017-06-10T22:19:31  PID[7692] Verbose     [Routes(Preview)] No authorization configuration was found.
- 2017-06-10T22:19:33  PID[7692] Error       Albatross.Web.Controllers.ServiceController:Microsoft.IdentityModel.Clients.ActiveDirectory.AdalSilentTokenAcquisitionException: Failed to acquire token silently as no token was found in the cache. Call method AcquireToken

编辑以澄清已标记的答案：

正如Nan Yu所说，当＆＃34;认证/授权＆＃34;功能已启用。工作设置如下图所示。

确保＆＃34; App Service Authentication＆＃34;是开启
请求未经过身份验证时要执行的操作：允许匿名请求（无操作）这让我陷入了一个月的困境。我有这个＆＃34;使用Azure Active Directory登录＆＃34;
正确配置Azure Active Directory。您可以在教程中找到此信息。

Answer 1

根据回复网址：https://albatrossweb.azurewebsites.net/.auth/login/aad/callback/，您似乎启用了azure应用服务的“身份验证/授权”功能。我可以重现，如果我启用“身份验证/授权”功能，在这种情况下，轻松身份验证将接管身份验证过程。如果您启用了应用服务的“身份验证/授权”，请尝试禁用该功能，然后重试。

未为Azure WebApp调用OpenIdConnectAuthenticationNotifications.AuthorizationCodeReceived事件由Azure Active Directory保护

1 个答案: