我正在尝试实现多租户身份验证(据我所学习),到目前为止,我已经成功地在单租户中实现了我的应用程序的身份验证。
我用于单租户的代码是
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = ConfigurationManager.AppSettings["AuthclientId"],
Authority = "https://login.microsoftonline.com/abc.onmicrosoft.com/",
});
}
这里;首先,我在ABC AAD中注册我的应用程序,并获取客户端ID,然后将其放入我的配置中。一切正常。
但是现在我必须使用多租户类型来实现它。即使是多租户,我也只允许2个租户用户。假设abc.onmicrosoft.com和contoso.onmicrosoft.com
到目前为止,我已经完成了像在ABC租户和Contoso租户中注册我的应用程序的操作,然后获得2个客户端ID。但是我的问题是无法在UseOpenIdConnectAuthentication中提供2个客户ID(请参见下面的更新代码)
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = ??,
Authority = "https://login.microsoftonline.com/common/",
TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = false
},
});
}
P.S这对我来说是新的。我可能是错的,请纠正我,以使事情走正确的路
更新1:
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
//ClientId = authClientID1,//App ID registered with 1st Tenant
Authority = "https://login.microsoftonline.com/common/",
RedirectUri= "https://localhost:44376/",
TokenValidationParameters = new TokenValidationParameters
{
ValidAudiences = new List<string>{ authClientID1, authClientID2 },
ValidateIssuer =true,
ValidIssuers= new[] { "https://sts.windows.net/<tenantID1>/", "https://sts.windows.net/<tenantID2>/" }
},
});
在评论ClientID之后,我收到了类似的错误 AADSTS900144:请求正文必须包含以下参数: 'client_id'
我不确定如何提供我的两个ClientID和租户ID,以便仅从两个租户中对用户进行身份验证!
答案 0 :(得分:1)
您的客户端ID应该是您的应用客户端ID。您无需在其他租户中创建另一个应用程序。将权限设置为通用即可。如果要允许任何租户,可以禁用颁发者验证。
然后,当另一个租户中的某人登录到您的应用程序时,将要求他们同意您所需的权限。完成后,将自动在其租户中创建代表您的应用程序的服务主体。它具有相同的客户端ID。
答案 1 :(得分:0)
要交付多租户应用程序,您只能在AAD中创建一个应用程序。因此,您也只有一个client_id 。确保您的应用已启用“多端”。
您在这里找到很多信息:https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant
也有完整的示例:https://github.com/Azure-Samples/active-directory-dotnet-webapp-multitenant-openidconnect
public void ConfigureAuth(IAppBuilder app)
{
string ClientId = ConfigurationManager.AppSettings["ida:ClientID"];
//fixed address for multitenant apps in the public cloud
string Authority = "https://login.microsoftonline.com/common/";
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions { });
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = ClientId,
Authority = Authority,
TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
{
// instead of using the default validation (validating against a single issuer value, as we do in line of business apps),
// we inject our own multitenant validation logic
ValidateIssuer = false,
},
Notifications = new OpenIdConnectAuthenticationNotifications()
{
RedirectToIdentityProvider = (context) =>
{
// This ensures that the address used for sign in and sign out is picked up dynamically from the request
// this allows you to deploy your app (to Azure Web Sites, for example)without having to change settings
// Remember that the base URL of the address used here must be provisioned in Azure AD beforehand.
string appBaseUrl = context.Request.Scheme + "://" + context.Request.Host + context.Request.PathBase;
context.ProtocolMessage.RedirectUri = appBaseUrl;
context.ProtocolMessage.PostLogoutRedirectUri = appBaseUrl;
return Task.FromResult(0);
},
// we use this notification for injecting our custom logic
SecurityTokenValidated = (context) =>
{
// retriever caller data from the incoming principal
string issuer = context.AuthenticationTicket.Identity.FindFirst("iss").Value;
string UPN = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.Name).Value;
string tenantID = context.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
if (
// the caller comes from an admin-consented, recorded issuer
(db.Tenants.FirstOrDefault(a => ((a.IssValue == issuer) && (a.AdminConsented))) == null)
// the caller is recorded in the db of users who went through the individual onboardoing
&& (db.Users.FirstOrDefault(b =>((b.UPN == UPN) && (b.TenantID == tenantID))) == null)
)
// the caller was neither from a trusted issuer or a registered user - throw to block the authentication flow
throw new SecurityTokenValidationException();
return Task.FromResult(0);
},
AuthenticationFailed = (context) =>
{
context.OwinContext.Response.Redirect("/Home/Error?message=" + context.Exception.Message);
context.HandleResponse(); // Suppress the exception
return Task.FromResult(0);
}
}
});
}