我在构建Angular4 / Angular2应用和Azure AD身份验证时遇到问题。
首先,我使用ADAL-Angular4(https://www.npmjs.com/package/adal-angular4),角度服务器在本地运行。 在Azure上,我有一个我想要保护的带有API的Web应用程序。 所以我创建了一个Active Directory App,并将其与Web App(https://img15.hostingpics.net/pics/381684Capturedcran20170719094203.png)。
相关联第一个Auth效果很好(访问网络应用程序)。 但是当谈到调用API(仅限于Authenticated Users)时,我每次都得到以下响应
401 error : Unauthorized
似乎我无法访问资源,因为我没有授予访问权限。但我的帐户是所有应用程序的管理员,我在Azure上无处不在。
我当时认为ADAL没有捕获所有请求,但即使我放了
let head = new Headers({Authorization: 'Bearer '+this.service.userInfo.token})
head.append( 'Host' , 'xxx.azurewebsites.net' )
return this._http.get('https://xxx.azurewebsites.net/api/getColumnsName/'{headers: head})
在我的请求服务上,它不起作用,我得到同样的错误......
这是我的app.component上放置的Adal配置
const config = {
tenant: 'XXXXXX.onmicrosoft.com',
clientId: 'XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX' //authApp ID
}
@Component({
moduleId: module.id,
selector: 'app',
templateUrl: 'app.component.html'
})
export class AppComponent {
constructor(private service: Adal4Service) { // <-- ADD
this.service.init(config); // <-- ADD
}
}
当我进行身份验证时,我会获取这些参数(其中一些已被隐藏,并且出于安全考虑而已删除令牌)
[Log] username toto@hotmail.fr (main.bundle.js, line 2436)
[Log] authenticated: true (main.bundle.js, line 2437)
[Log] name: toto (main.bundle.js, line 2438)
[Log] token: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Il
服务器发送的响应就是这个(来自azure日志):
</head>
<body>
<div id="content">
<div class="content-container">
<h3>HTTP Error 401.0 - Unauthorized</h3>
<h4>You do not have permission to view this directory or page.</h4>
</div>
<div class="content-container">
<fieldset><h4>Most likely causes:</h4>
<ul> <li>The authenticated user does not have access to a resource needed to process the request.</li> </ul>
</fieldset>
</div>
<div class="content-container">
<fieldset><h4>Things you can try:</h4>
<ul> <li>Create a tracing rule to track failed requests for this HTTP status code. For more information about creating a tracing rule for failed requests, click <a href="http://go.microsoft.com/fwlink/?LinkID=66439">here</a>. </li> </ul>
</fieldset>
</div>
<div class="content-container">
<fieldset><h4>Detailed Error Information:</h4>
<div id="details-left">
<table border="0" cellpadding="0" cellspacing="0">
<tr class="alt"><th>Module</th><td> iisnode</td></tr>
<tr><th>Notification</th><td> ExecuteRequestHandler</td></tr>
<tr class="alt"><th>Handler</th><td> iisnode</td></tr>
<tr><th>Error Code</th><td> 0x00000000</td></tr>
</table>
</div>
<div id="details-right">
<table border="0" cellpadding="0" cellspacing="0">
<tr class="alt"><th>Requested URL</th><td> https://XXXXX:80/app.js</td></tr>
<tr><th>Physical Path</th><td> D:\home\site\wwwroot\app.js</td></tr>
<tr class="alt"><th>Logon Method</th><td> aad</td></tr>
<tr><th>Logon User</th><td> toto@hotmail.fr</td></tr>
</table>
<div class="clear"></div>
</div>
</fieldset>
</div>
<div class="content-container">
<fieldset><h4>More Information:</h4>
This is the generic Access Denied error returned by IIS. Typically, there is a substatus code associated with this error that describes why the server denied the request. Check the IIS Log file to determine whether a substatus code is associated with this failure.
<p><a href="http://go.microsoft.com/fwlink/?LinkID=62293&IIS70Error=401,0,0x00000000,9200">View more information »</a></p>
<p>Microsoft Knowledge Base Articles:</p>
</fieldset>
</div>
</div>
</body>
</html>
我使用azure“easy API”并将get / post / request权限设置为“Authenticated Users Only”
答案 0 :(得分:0)
您似乎已经通过IIS或其他类型的机制(不确定哪种机制)在Web API上配置了身份验证。但一般来说,如果要验证Azure AD&amp;通过ADAL库获取,您可以使用ASP.NET应用程序中的WindowsAzureActiveDirectoryBearerAuthenticationMiddleware来处理令牌和验证来电。 Here's a basic sample显示了如何使用此中间件。或者,您也可以使用System.IdentityModel.Tokens.Jwt库来验证Azure AD中的令牌,就像在this code sample中一样。