如何为多租户申请设置承载授权?
是单页申请。在浏览器站点应用上,使用Adal.js对用户进行身份验证。身份验证应用程序向ASP.Net-Core服务器端发送请求并使用Authorization Bearer标头。
ASP.Net-Core使用Microsoft.AspNetCore.Authentication.JwtBearer来检查请求。这是启动:
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(sharedOptions =>
{
sharedOptions.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddAzureAdBearer(options => Configuration.Bind("AzureAd", options));
// ... other ...
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
app.UseAuthentication();
// ... other ...
}
}
这是AddAzureAdBearer方法:
public static class AzureAdServiceCollectionExtensions
{
public static AuthenticationBuilder AddAzureAdBearer(this AuthenticationBuilder builder)
=> builder.AddAzureAdBearer(_ => { });
public static AuthenticationBuilder AddAzureAdBearer(this AuthenticationBuilder builder, Action<AzureAdOptions> configureOptions)
{
builder.Services.Configure(configureOptions);
builder.Services.AddSingleton<IConfigureOptions<JwtBearerOptions>, ConfigureAzureOptions>();
builder.AddJwtBearer();
return builder;
}
private class ConfigureAzureOptions : IConfigureNamedOptions<JwtBearerOptions>
{
private readonly AzureAdOptions AzureOptions;
public ConfigureAzureOptions(IOptions<AzureAdOptions> azureOptions)
{
AzureOptions = azureOptions.Value;
}
public void Configure(string name, JwtBearerOptions options)
{
options.Audience = AzureOptions.ClientId;
// this works (specific TenantId)
// options.Authority
// = "https://login.microsoftonline.com/f8811864-6950-4347-af1c-9d22bb3d0615"
// this did not work (common instead of specific TenantId)
// options.Authority
// = "https://login.microsoftonline.com/common";
options.Authority = $"{AzureOptions.Instance}{AzureOptions.TenantId}";
}
public void Configure(JwtBearerOptions options)
{
Configure(Options.DefaultName, options);
}
}
}
对于单租户,这按预期工作,可以使用[授权]属性
标记控制器[Route("api/[controller]")]
[Authorize]
public class CalendarController : Controller
{
对于多租户,我将Adal.js设置为公共端点,并且它正在工作(用户可以成功登录)。但ASP.Net-Core服务器无法检查Bearer标头,如单租户
JwtBearerOptions.Authority =&#34; https://login.microsoftonline.com/f8811864-6950-4347-af1c-9d22bb3d0615&#34;
对于多租户我尝试发送
JwtBearerOptions.Authority =&#34; https://login.microsoftonline.com/common&#34;
ASP.Net-Core服务器返回未经授权的响应。
更新
帖子The Common Endpoint: Walks Like a Tenant, Talks Like a Tenant… But Is Not a Tenant描述了共同权威问题的原因。
简而言之:令牌(作为授权承载头发送,必须在服务器端验证)包含&#34;发行者&#34;像这样的字符串:https://sts.windows.net/<TENAT_ID>。 <TENAT_ID> - 将是真实的<TENAT_ID>而不是&#34;普通&#34;字符串。
因此,当授权承载头被验证时,&#34;发行者&#34;字符串与配置的选项进行比较。权限设置。
要解决此问题,可以禁用颁发者验证。并自己动手:
public void Configure(string name, JwtBearerOptions options)
{
options.Audience = AzureOptions.ClientId;
options.TokenValidationParameters = new TokenValidationParameters{
ValidateIssuer = false
};
options.Events = new JwtBearerEvents()
{
OnTokenValidated = (context) =>
{
if(!context.SecurityToken.Issuer.StartsWith("https://sts.windows.net/"))
throw new SecurityTokenValidationException();
return Task.FromResult(0);
}
};
options.Authority = $"{AzureOptions.Instance}{AzureOptions.TenantId}";
}
我不确定检查发行人是否正确。请让我知道它是否正确。
答案 0 :(得分:0)
本文在此显示了如何进行自定义发行者验证。 https://thomaslevesque.com/2018/12/24/multitenant-azure-ad-issuer-validation-in-asp-net-core/
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.Authority = "https://login.microsoftonline.com/common";
options.Audience = configuration["AzureAdSettings:ClientId"];
options.RequireHttpsMetadata = true; // or false if you dont have https
options.TokenValidationParameters = new TokenValidationParameters()
{
ValidateIssuer = true,
ValidateAudience = true,
ValidateLifetime = true,
ValidateIssuerSigningKey = true,
IssuerValidator = (issuer, token, parameters) => issuer
//allows any issuer or use `ValidateIssuerWithPlaceholder`
};
});
帖子使用此方法来验证令牌
private static string ValidateIssuerWithPlaceholder(string issuer, SecurityToken token, TokenValidationParameters parameters)
{
// Accepts any issuer of the form "https://login.microsoftonline.com/{tenantid}/v2.0",
// where tenantid is the tid from the token.
if (token is JwtSecurityToken jwt)
{
if (jwt.Payload.TryGetValue("tid", out var value) &&
value is string tokenTenantId)
{
var validIssuers = (parameters.ValidIssuers ?? Enumerable.Empty<string>())
.Append(parameters.ValidIssuer)
.Where(i => !string.IsNullOrEmpty(i));
if (validIssuers.Any(i => i.Replace("{tenantid}", tokenTenantId) == issuer))
return issuer;
}
}
// Recreate the exception that is thrown by default
// when issuer validation fails
var validIssuer = parameters.ValidIssuer ?? "null";
var validIssuers = parameters.ValidIssuers == null
? "null"
: !parameters.ValidIssuers.Any()
? "empty"
: string.Join(", ", parameters.ValidIssuers);
string errorMessage = FormattableString.Invariant(
$"IDX10205: Issuer validation failed. Issuer: '{issuer}'. Did not match: validationParameters.ValidIssuer: '{validIssuer}' or validationParameters.ValidIssuers: '{validIssuers}'.");
throw new SecurityTokenInvalidIssuerException(errorMessage)
{
InvalidIssuer = issuer
};
}
当您为中间件指定 Authority 时,它将自动尝试查找公用密钥以验证令牌,如此处https://github.com/Azure-Samples/active-directory-javascript-singlepageapp-dotnet-webapi-v2/issues/7
所述