Enabling SSO only for users of a specific domain

Time: 2018-02-27 21:30:13

Tags: c# azure-active-directory microsoft-graph

I am using OpenID Connect authentication in my application. I have registered my application in the Microsoft App Registration Portal and received a client ID and secret from there.

using System.Configuration;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using Microsoft.Identity.Client;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // App registration values read from web.config.
    private static string appId = ConfigurationManager.AppSettings["ida:AppId"];
    private static string appSecret = ConfigurationManager.AppSettings["ida:AppSecret"];
    private static string redirectUri = ConfigurationManager.AppSettings["ida:RedirectUri"];
    private static string graphScopes = ConfigurationManager.AppSettings["ida:GraphScopes"];

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = appId,
                // "common" accepts any work/school or personal Microsoft account.
                Authority = "https://login.microsoftonline.com/common/v2.0",
                PostLogoutRedirectUri = redirectUri,
                RedirectUri = redirectUri,
                Scope = "openid email profile offline_access " + graphScopes,
                TokenValidationParameters = new TokenValidationParameters
                {
                    // Issuer validation is switched off because the "common" metadata
                    // does not name a single issuer.
                    ValidateIssuer = false,
                    // In a real application you would use IssuerValidator for additional checks,
                    // like making sure the user's organization has signed up for your app.
                    //     IssuerValidator = (issuer, token, tvp) =>
                    //     {
                    //         if (MyCustomTenantValidation(issuer))
                    //             return issuer;
                    //         else
                    //             throw new SecurityTokenInvalidIssuerException("Invalid issuer");
                    //     },
                },
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    AuthorizationCodeReceived = async (context) =>
                    {
                        // Redeem the authorization code for Graph tokens with MSAL.
                        var code = context.Code;
                        string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;

                        // SessionTokenCache is the application's own per-user cache helper.
                        TokenCache userTokenCache = new SessionTokenCache(signedInUserID,
                            context.OwinContext.Environment["System.Web.HttpContextBase"] as HttpContextBase).GetMsalCacheInstance();
                        ConfidentialClientApplication cca = new ConfidentialClientApplication(
                            appId,
                            redirectUri,
                            new ClientCredential(appSecret),
                            userTokenCache,
                            null);
                        string[] scopes = graphScopes.Split(new char[] { ' ' });

                        AuthenticationResult result = await cca.AcquireTokenByAuthorizationCodeAsync(code, scopes);
                    },
                    AuthenticationFailed = (context) =>
                    {
                        context.HandleResponse();
                        context.Response.Redirect("/Error?message=" + context.Exception.Message);
                        return Task.FromResult(0);
                    }
                }
            });
    }
}

This code enables SSO, but from any Microsoft account, since I use the common authority. I want only users from a specific directory or domain to sign in to my application.

I tried this

Authority = "https://login.microsoftonline.com/{tenant_id}",

instead of

Authority = "https://login.microsoftonline.com/common/v2.0",

but it does not work, and the Microsoft sign-in page is not shown in the browser.

1 answer:

Answer 0 (score: 1)

You are close, but you are missing /v2.0 at the end.

For a multi-tenant app (AAD and MSA accounts) you can use:

https://login.microsoftonline.com/common/v2.0

For a single-tenant application (AAD only) you need to use:

https://login.microsoftonline.com/{tenant_id}/v2.0

/v2.0 indicates that your app uses the Azure AD "v2.0 application model" (aka "v2 Endpoint").
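As an added example, not part of the question or the answer above: the tenant-specific v2.0 authority from the answer, with issuer validation switched back on. Once the authority names one tenant, the metadata document carries a concrete issuer (https://login.microsoftonline.com/{tenant_id}/v2.0), so the middleware's default check works and ValidateIssuer = false from the question is no longer needed. The explicit IssuerValidator below goes a step further and admits only tenant IDs on an allow-list, which is what the commented-out MyCustomTenantValidation in the question was hinting at and is the check to keep if the app stays on /common. The tenant GUID, the contoso.example domain and the app-settings keys are placeholders; the authorization-code exchange from the question is unchanged and omitted here. It assumes Microsoft.Owin.Security.OpenIdConnect 4.x with Microsoft.IdentityModel 5.x.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    private static readonly string appId = ConfigurationManager.AppSettings["ida:AppId"];
    private static readonly string redirectUri = ConfigurationManager.AppSettings["ida:RedirectUri"];
    private static readonly string graphScopes = ConfigurationManager.AppSettings["ida:GraphScopes"];

    // Assumed placeholder: directory (tenant) IDs that are allowed to sign in.
    private static readonly HashSet<string> AllowedTenantIds =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "11111111-1111-1111-1111-111111111111",
        };

    // Assumed placeholder: a verified domain of the primary tenant, used only as a UI hint.
    private const string PrimaryDomain = "contoso.example";

    // v2.0 tokens carry the issuer as https://login.microsoftonline.com/{tid}/v2.0.
    // Returns the tenant ID when the issuer is well-formed and allow-listed, otherwise null.
    public static string AllowedTenantFromIssuer(string issuer)
    {
        Uri uri;
        if (!Uri.TryCreate(issuer, UriKind.Absolute, out uri)) return null;
        if (uri.Scheme != Uri.UriSchemeHttps) return null;
        if (!string.Equals(uri.Host, "login.microsoftonline.com", StringComparison.OrdinalIgnoreCase)) return null;

        // Require exactly "/{tid}/v2.0"; anything else (v1 issuers, extra segments) is rejected.
        string[] parts = uri.AbsolutePath.Trim('/').Split('/');
        if (parts.Length != 2 || parts[1] != "v2.0") return null;
        Guid tid;
        if (!Guid.TryParse(parts[0], out tid)) return null;

        string tidText = tid.ToString("D");
        return AllowedTenantIds.Contains(tidText) ? tidText : null;
    }

    public void ConfigureAuth(IAppBuilder app)
    {
        string tenantId = AllowedTenantIds.First();

        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = appId,
            // Tenant-specific v2.0 authority: Azure AD only issues tokens for this directory.
            Authority = "https://login.microsoftonline.com/" + tenantId + "/v2.0",
            RedirectUri = redirectUri,
            PostLogoutRedirectUri = redirectUri,
            Scope = "openid email profile offline_access " + graphScopes,
            TokenValidationParameters = new TokenValidationParameters
            {
                // Keep issuer validation on; the validator enforces the tenant allow-list.
                ValidateIssuer = true,
                IssuerValidator = (issuer, token, tvp) =>
                {
                    if (AllowedTenantFromIssuer(issuer) != null) return issuer;
                    throw new SecurityTokenInvalidIssuerException("Issuer not allowed: " + issuer)
                    {
                        InvalidIssuer = issuer
                    };
                },
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = context =>
                {
                    // domain_hint only pre-selects the sign-in page; it is not an access control.
                    if (context.ProtocolMessage.RequestType == OpenIdConnectRequestType.Authentication)
                        context.ProtocolMessage.DomainHint = PrimaryDomain;
                    return Task.FromResult(0);
                },
                AuthenticationFailed = context =>
                {
                    context.HandleResponse();
                    // Do not echo the exception text to the browser; log it server-side instead.
                    context.Response.Redirect("/Error");
                    return Task.FromResult(0);
                },
            },
        });
    }
}
```

If the allow-list is static and the app stays single-tenant, the same effect is reached with less code by leaving IssuerValidator unset and only keeping ValidateIssuer = true, since the middleware then compares the token issuer with the one in the tenant's metadata. The validator earns its keep when more than one directory must be admitted, or when the authority has to remain /common; in both cases the sign-in page alone does not restrict who gets a token, only the issuer check does.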