我已经实现了AD身份验证,我将客户端ID,redirectUri和Tenant作为“Common”传递。由于我使用Tenant作为live.com的“普通”用户,outlook.com,microsoft.com以及学校和办公室都是允许的。我希望它仅限于Live.com用户。
public class Startup
{
// The Client ID is used by the application to uniquely identify itself to Azure AD.
string clientId = System.Configuration.ConfigurationManager.AppSettings["ClientId"];
// RedirectUri is the URL where the user will be redirected to after they sign in.
string redirectUri = System.Configuration.ConfigurationManager.AppSettings["RedirectUri"];
// Tenant is the tenant ID (e.g. contoso.onmicrosoft.com, or 'common' for multi-tenant)
static string tenant = System.Configuration.ConfigurationManager.AppSettings["Tenant"];
// Authority is the URL for authority, composed by Azure Active Directory v2 endpoint and the tenant name (e.g. https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0)
string authority = "https://login.microsoftonline.com/common/v2.0" ;
/// <summary>
/// Configure OWIN to use OpenIdConnect
/// </summary>
/// <param name="app"></param>
public void Configuration(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
// Sets the ClientId, authority, RedirectUri as obtained from web.config
ClientId = clientId,
Authority = authority,
RedirectUri = redirectUri,
// PostLogoutRedirectUri is the page that users will be redirected to after sign-out. In this case, it is using the home page
PostLogoutRedirectUri = "https://localhost:44368/Claims/Register",
Scope = OpenIdConnectScopes.OpenIdProfile,
// ResponseType is set to request the id_token - which contains basic information about the signed-in user
ResponseType = OpenIdConnectResponseTypes.IdToken,
// ValidateIssuer set to false to allow personal and work accounts from any organization to sign in to your application
// To only allow users from a single organizations, set ValidateIssuer to true and 'tenant' setting in web.config to the tenant name
// To allow users from only a list of specific organizations, set ValidateIssuer to true and use ValidIssuers parameter
TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters() { ValidateIssuer = false },
// OpenIdConnectAuthenticationNotifications configures OWIN to send notification of failed authentications to OnAuthenticationFailed method
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = OnAuthenticationFailed,
AuthorizationCodeReceived = (c) => {
var code = c.Code;
return Task.FromResult(0);
}
}
}
);
}
/// <summary>
/// Handle failed authentication requests by redirecting the user to the home page with an error in the query string
/// </summary>
/// <param name="context"></param>
/// <returns></returns>
private Task OnAuthenticationFailed(AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
{
context.HandleResponse();
context.Response.Redirect("/?errormessage=" + context.Exception.Message);
return Task.FromResult(0);
}
}
}
答案 0 :(得分:2)
来自Azure AD's v2.0 endpoint docs:
注册后,应用程序通过向v2.0端点发送请求来与Azure AD进行通信:
PAGE B
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token可以采用四种不同值中的一种:
{tenant} - 允许拥有Azure Active Directory的个人Microsoft帐户和工作/学校帐户的用户登录该应用程序。common - 仅允许Azure Active Directory中具有工作/学校帐户的用户登录该应用程序organizations - 仅允许拥有个人Microsoft帐户(MSA)的用户登录该应用程序。 consumers或8eaef023-2b34-4da1-9baa-8bc8c9d6a490 -
仅允许具有特定Azure Active Directory租户的工作/学校帐户的用户登录该应用程序。可以使用Azure AD租户的友好域名或租户的guid标识符。如果您想进一步限制到消费者域(@ live.com vs @ outlook.com),您需要在应用程序级别自己实现,{{1}声明。请注意,通常这种级别的过滤并没有多大意义,因为live.com帐户和outlook.com帐户之间没有功能/实际区别,他们只是拥有不同的虚荣域。 / p>