如何将AzureAD和AzureADBearer添加到ASP.NET Core 2.2 Web API

时间:2019-04-16 00:28:42

标签: c# authentication asp.net-core azure-active-directory asp.net-core-webapi

我正在尝试创建一个网站,该网站使用AzureAD对用户进行身份验证以访问UI来创作数据库中的项目。而且我还希望其他服务可以通过承载令牌来调用此API。

services.AddAuthentication(o => {
                    o.DefaultScheme = AzureADDefaults.BearerAuthenticationScheme;
                    o.DefaultAuthenticateScheme = AzureADDefaults.AuthenticationScheme;
                })
                .AddAzureAD(options => Configuration.Bind("AzureAd", options))
                .AddAzureADBearer(options => Configuration.Bind("AzureAd", options));

我希望使用AzureAd方案对用户进行身份验证,但对同一Web api(在dif路由下)的服务由承载者进行身份验证。或同时拥有所有路线。都可以

3 个答案:

答案 0 :(得分:1)

通过创建一个策略方案来解决此问题,该方案根据存在的auth标头在两个模式之间切换:

// add azure ad user and service authentication
            services
                .AddAuthentication("Azures")
                .AddPolicyScheme("Azures", "Authorize AzureAd or AzureAdBearer", options =>
                {
                    options.ForwardDefaultSelector = context =>
                    {
                        var authHeader = context.Request.Headers["Authorization"].FirstOrDefault();
                        if (authHeader?.StartsWith("Bearer") == true)
                        {
                            return AzureADDefaults.JwtBearerAuthenticationScheme;
                        }

                        return AzureADDefaults.AuthenticationScheme;
                    };
                })
                .AddAzureADBearer(options => config.Bind("AzureAdBearer", options))
                .AddAzureAD(options => config.Bind("AzureAd", options));

答案 1 :(得分:0)

您可以将AddAzureADBearer中间件添加到您的应用程序中:

services.AddAuthentication(sharedOptions =>
{
    sharedOptions.DefaultChallengeScheme = AzureADDefaults.AuthenticationScheme;
    sharedOptions.DefaultAuthenticateScheme = AzureADDefaults.AuthenticationScheme;
})
.AddAzureAD(options => Configuration.Bind("AzureAd", options))
.AddAzureADBearer(options => Configuration.Bind("AzureAd", options));

假设您的应用程序中有api控制器,如果另一个应用程序将访问受AAD保护的网络api,则应设置架构:

[HttpGet]
[Authorize(AuthenticationSchemes = "AzureADBearer")]
public IEnumerable<string> Get()
{
    return new string[] { "value1", "value2" };
}

答案 2 :(得分:0)

这就是我为client credentials grant type of OAuth解决此问题的方式。

  1. 您的AddAuthentication类中的ConfigureServices方法中的第一个Startup

    public void ConfigureServices(IServiceCollection services)
{
 //...
 services.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme)
         .AddAzureADBearer(options => Configuration.Bind("AzureAd", options));
}

    确保AzureAd中有appconfig.json个选项:

    "AzureAd": {
      "Instance": "https://login.microsoftonline.com/",
      "Domain": "yourdomain.com",
      "TenantId": "5ce97df2-9be2-4deb-b90a-880d6668a5ff",// fake, replace with yours
      "ClientId": "444e3f38-3420-430d-8254-1541ae545047"// fake, replace with yours
 },

  2. UseAuthentication类的Configure方法中调用Startup方法

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    //...
   app.UseAuthentication();
    app.UseMvc();
}

  3. 向您的控制器添加Authorize属性:

    [ApiController]
[Authorize]
public class YourController : ControllerBase
相关问题
最新问题