I already have an AAD-integrated web app using ASP.NET Core 2.1, but now I want to build an API with ASP.NET Core 2.1 that authenticates AAD users against my API using JWT bearer tokens. I can't get the same thing to work, because in the web app I use the cookie authentication scheme, whereas here I need to implement JWT Bearer, and that doesn't work for me. I have tried a lot of code from different repositories.
Reference: https://github.com/juunas11/Joonasw.AzureAdApiSample
https://github.com/Azure-Samples/active-directory-b2c-dotnetcore-webapi
https://azure.microsoft.com/en-in/resources/samples/active-directory-dotnet-native-aspnetcore-v2/
```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;

// Two bearer schemes: the default "Bearer" scheme validates against a local identity
// endpoint, and a second named scheme "AzureAD" validates against the Azure AD tenant.
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Audience = "https://localhost:44395/";
        options.Authority = "https://localhost:44395/identity/";
    })
    .AddJwtBearer("AzureAD", options =>
    {
        options.Audience = "https://localhost:44395/";
        options.Authority = "https://login.microsoftonline.com/tenantID/";
    });

services.AddAuthorization(options =>
{
    // The default policy tries both schemes and requires an authenticated user.
    var defaultAuthorizationPolicyBuilder = new AuthorizationPolicyBuilder(
        JwtBearerDefaults.AuthenticationScheme,
        "AzureAD");
    defaultAuthorizationPolicyBuilder =
        defaultAuthorizationPolicyBuilder.RequireAuthenticatedUser();
    options.DefaultPolicy = defaultAuthorizationPolicyBuilder.Build();
});
```
When I change the scheme to Cookie, it works fine, but it does not work with the JWT Bearer code.
```text
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService:Information: Authorization failed.
Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker:Information: Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'.
Microsoft.AspNetCore.Mvc.ChallengeResult:Information: Executing ChallengeResult with authentication schemes (Bearer, AzureAD).
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler:Information: AuthenticationScheme: Bearer was challenged.
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler:Information: AuthenticationScheme: AzureAD was challenged.
```
Can someone help me here? I am stuck because of this problem.
Thanks in advance.

Answer 0 (score: 0)
Assume you have a REST API resource written as an ASP.NET Core Web API and protected by Azure AD. The client (an ASP.NET web application) can use the OpenID Connect middleware and the Active Directory Authentication Library (ADAL.NET) to obtain a JWT bearer token for the signed-in user via the OAuth 2.0 protocol.
The bearer token is passed to the Web API, which uses the JWT bearer authentication middleware to validate the token and authorize the user. For example, refer to the code sample in the first link:
```csharp
using System.Collections.Generic;
using Microsoft.AspNetCore.Authentication.JwtBearer;

services
    .AddAuthentication(o =>
    {
        o.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    .AddJwtBearer(o =>
    {
        // Tenant authority; the handler loads the OpenID Connect metadata (issuer, signing keys) from here.
        o.Authority = Configuration["Authentication:Authority"];
        o.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
        {
            // Both App ID URI and client id are valid audiences in the access token
            ValidAudiences = new List<string>
            {
                Configuration["Authentication:AppIdUri"],
                Configuration["Authentication:ClientId"]
            }
        };
    });
```
The code sample above uses JwtBearerExtensions to validate the access token. You can click here for an explanation of the scenario.
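The following is an added example, not code from the question or the answer, showing a complete ASP.NET Core 2.1 `Startup` that accepts Azure AD bearer tokens with explicit audience, issuer, signature and lifetime validation, plus an `OnAuthenticationFailed` hook that logs why a token was rejected (the question's log only shows that the scheme "was challenged", not the underlying validation error). The configuration keys under `AzureAd`, the `MeController` endpoint, and the tenant, App ID URI and client id values are assumptions; fill them from your own app registration.

```csharp
// Added example: minimal ASP.NET Core 2.1 Web API protected by Azure AD JWT bearer tokens.
// Configuration keys "AzureAd:TenantId", "AzureAd:AppIdUri" and "AzureAd:ClientId" are assumed names.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        var tenantId = Configuration["AzureAd:TenantId"]; // placeholder tenant id from config

        services
            .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // The handler downloads the OpenID Connect metadata (issuer + signing keys) from
                // the Authority, so signature and issuer checks use Azure AD's published values.
                options.Authority = $"https://login.microsoftonline.com/{tenantId}/";

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // Azure AD sets 'aud' to either the App ID URI or the client id,
                    // depending on how the client requested the token; accept both.
                    ValidateAudience = true,
                    ValidAudiences = new List<string>
                    {
                        Configuration["AzureAd:AppIdUri"],
                        Configuration["AzureAd:ClientId"]
                    },
                    ValidateIssuer = true,           // issuer comes from the metadata document
                    ValidateIssuerSigningKey = true, // reject tokens not signed by a published key
                    ValidateLifetime = true,         // reject expired / not-yet-valid tokens
                    ClockSkew = TimeSpan.FromMinutes(2)
                };

                // Log the concrete validation failure (wrong audience, bad signature, expired...)
                // instead of only seeing "AuthenticationScheme: Bearer was challenged".
                options.Events = new JwtBearerEvents
                {
                    OnAuthenticationFailed = ctx =>
                    {
                        var logger = ctx.HttpContext.RequestServices
                            .GetRequiredService<ILogger<Startup>>();
                        logger.LogWarning(ctx.Exception, "JWT bearer validation failed");
                        return Task.CompletedTask;
                    }
                };
            });

        services.AddAuthorization(options =>
        {
            // Single bearer scheme: every [Authorize] endpoint needs a valid Azure AD token.
            options.DefaultPolicy = new AuthorizationPolicyBuilder(JwtBearerDefaults.AuthenticationScheme)
                .RequireAuthenticatedUser()
                .Build();
        });

        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication(); // must precede MVC so HttpContext.User is populated
        app.UseMvc();
    }
}

[Authorize]
[ApiController]
[Route("api/[controller]")]
public class MeController : ControllerBase
{
    // Echoes the validated claims so you can confirm aud, iss and tid match expectations.
    [HttpGet]
    public IActionResult Get() =>
        Ok(User.Claims.Select(c => new { c.Type, c.Value }));
}
```

With this in place, a request such as `GET /api/me` carrying `Authorization: Bearer <token>` returns the token's claims when validation passes; when it fails, the warning logged from `OnAuthenticationFailed` names the exact cause, which is usually an audience that does not match the registered App ID URI or client id, or an authority that does not correspond to the tenant that issued the token.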