How do I make OAuth2 work with multi-factor authentication on Azure Active Directory in .NET?

Date: 2018-08-10 11:12:48

Tags: .net oauth oauth-2.0 azure-active-directory

We use the OAuth 2.0 auth code grant against Azure Active Directory to authenticate the users of a web application.

This works fine, but now the AD maintainers want to roll out multi-factor authentication, and our current OAuth implementation does not work with it.

Here is our code:

using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL
using Newtonsoft.Json;

// Inside the MVC controller. azureActiveDirectoryTenant, azureActiveDirectoryClientId,
// azureActiveDirectoryClientKey and azureActiveDirectoryCodeRedirectURL are the app's configuration values.

// Step 1: send the browser to the AAD v1 authorize endpoint (auth code grant).
public static ActionResult LogOn()
{
    string authorizationUrl = string.Format(
        "https://login.windows.net/{0}/oauth2/authorize?api-version=1.0&response_type=code&response_mode=query&client_id={1}&scope={2}&redirect_uri={3}",
        HttpUtility.UrlEncode(azureActiveDirectoryTenant),
        HttpUtility.UrlEncode(azureActiveDirectoryClientId),
        HttpUtility.UrlEncode("https://graph.microsoft.com/v1.0/me/"),
        HttpUtility.UrlEncode(azureActiveDirectoryCodeRedirectURL) // refers to Code() below
    );

    return new RedirectResult(authorizationUrl, false);
}

// Step 2: redirect target. Redeems the authorization code for tokens and calls the Graph API.
public async Task<ActionResult> Code(string code = null, string state = "", string error = null, string error_description = null)
{
    if (String.IsNullOrEmpty(error))
    {
        if (String.IsNullOrWhiteSpace(code))
        {
            return LogOn();
        }
        AuthenticationContext ctx = new AuthenticationContext("https://login.microsoftonline.com/" + azureActiveDirectoryTenant);
        ClientCredential clcred = new ClientCredential(azureActiveDirectoryClientId, azureActiveDirectoryClientKey);
        try
        {
            // Exchange the code at the token endpoint for an access token to the Azure AD Graph resource.
            var ar = await ctx.AcquireTokenByAuthorizationCodeAsync(code, new Uri(azureActiveDirectoryCodeRedirectURL), clcred, "https://graph.windows.net");
            string email = ar.UserInfo.DisplayableId;

            using (WebClient client = new WebClient())
            {
                client.Headers.Add("Authorization", "Bearer " + ar.AccessToken);

                using (Stream data = client.OpenRead(new Uri("https://graph.windows.net/me?api-version=1.6")))
                using (StreamReader reader = new StreamReader(data))
                {
                    Dictionary<string, dynamic> values = JsonConvert.DeserializeObject<Dictionary<string, dynamic>>(reader.ReadToEnd());

                    // ... act on values and redirect ...
                }
            }
        }
        catch (AdalServiceException ex)
        {
            // We come here!
            ViewBag.ErrorMessage = String.Format("Exception: ErrorCode: {0}, StatusCode: {1}, Message: {2}.", ex.ErrorCode, ex.StatusCode, ex.Message);
            // ...
        }
    }
    return View("OAuthError");
}

Error message:

ErrorCode: interaction_required, StatusCode: 400, Message: AADSTS50076: Due
to a configuration change made by your administrator, or because you moved to a
new location, you must use multi-factor authentication to access '00000002-0000-
c000-0000000000000'.

This document discusses conditional access to AAD and mentions "claims" as the solution.

How does one combine claims with the code above to make this work?

1 answer:

Answer 0 (score: 1)

Per MSDN: https://msdn.microsoft.com/en-us/library/mt784627.aspx

You can add amr_values=ngcmfa to the authorization URL to force MFA.

You can also add amr_values=mfa to require that the user has passed MFA, though that may have been a while ago.

Then you should also check that the amr claim in the token actually contains "mfa" (since the user could simply remove the parameter).
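The two halves of the answer, the amr_values request parameter and the server-side check of the amr claim, as an added example that is not part of the question or the answer above. It reuses the question's own configuration names (azureActiveDirectoryTenant, azureActiveDirectoryClientId, azureActiveDirectoryCodeRedirectURL) only in the usage note; the class MfaAuthCode, its methods and the sample tokens are hypothetical and constructed for this example.

```csharp
// Added example (hypothetical names), not code from the question or the answer.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Web;
using Newtonsoft.Json.Linq;

public static class MfaAuthCode
{
    // Build the v1 authorize URL with amr_values set. "ngcmfa" forces a fresh MFA challenge
    // at this sign-in; "mfa" accepts an MFA the user already completed earlier in the session.
    public static string BuildAuthorizeUrl(string tenant, string clientId, string redirectUri,
                                           string resource, string amrValues = "ngcmfa")
    {
        return string.Format(
            "https://login.microsoftonline.com/{0}/oauth2/authorize?response_type=code&response_mode=query&client_id={1}&resource={2}&redirect_uri={3}&amr_values={4}",
            HttpUtility.UrlEncode(tenant),
            HttpUtility.UrlEncode(clientId),
            HttpUtility.UrlEncode(resource),
            HttpUtility.UrlEncode(redirectUri),
            HttpUtility.UrlEncode(amrValues));
    }

    // Decode the payload segment of a JWT (base64url per RFC 7515) into JSON.
    // This does NOT verify the signature: only use it on the id_token that ADAL received
    // from the token endpoint over TLS, never on a token that arrived from the browser.
    public static JObject DecodePayload(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length < 2)
            throw new ArgumentException("not a JWT", nameof(jwt));
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4)
        {
            case 2: b64 += "=="; break;
            case 3: b64 += "="; break;
        }
        return JObject.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(b64)));
    }

    // The amr claim is a JSON array of authentication methods, e.g. ["pwd","mfa"].
    // A user who strips amr_values from the URL gets a token with only ["pwd"],
    // so the server must check the claim rather than trust the request parameter.
    public static bool MfaSatisfied(string idToken)
    {
        JToken amr = DecodePayload(idToken)["amr"];
        if (amr == null) return false;
        IEnumerable<string> methods = amr.Type == JTokenType.Array
            ? amr.Select(t => (string)t)
            : new[] { (string)amr };
        return methods.Contains("mfa");
    }

    // Constructed, unsigned sample tokens (alg "none") so the check can be exercised offline.
    // Real AAD id_tokens are RS256-signed; the decoder above is only for tokens ADAL already obtained.
    static string Base64Url(string s) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(s)).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static string SampleToken(bool withMfa)
    {
        string header = Base64Url("{\"alg\":\"none\",\"typ\":\"JWT\"}");
        string payload = Base64Url(withMfa
            ? "{\"aud\":\"client\",\"amr\":[\"pwd\",\"mfa\"],\"upn\":\"alice@contoso.example\"}"
            : "{\"aud\":\"client\",\"amr\":[\"pwd\"],\"upn\":\"alice@contoso.example\"}");
        return header + "." + payload + ".";
    }

    public static void Main()
    {
        Console.WriteLine(BuildAuthorizeUrl("contoso.onmicrosoft.com", "client-id",
                                            "https://app.example/Code", "https://graph.windows.net"));
        Console.WriteLine(MfaSatisfied(SampleToken(true)));
        Console.WriteLine(MfaSatisfied(SampleToken(false)));
    }
}
```

In the question's Code() action the check goes right after AcquireTokenByAuthorizationCodeAsync, using ADAL's raw id_token: `if (!MfaAuthCode.MfaSatisfied(ar.IdToken)) return View("OAuthError");`. BuildAuthorizeUrl would replace the string.Format in LogOn(), passing azureActiveDirectoryTenant, azureActiveDirectoryClientId, azureActiveDirectoryCodeRedirectURL and the same resource ("https://graph.windows.net") that the code redemption asks for, so the MFA-enforced token is issued for the resource the app actually calls.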