We have a Web API written in ASP.NET Core 2.2 and we want to authenticate users against either AAD or B2C. That means some endpoints should be accessible only to AAD users, others only to B2C users, and some to both.
In Startup.cs we have
    services.AddAuthentication(AzureADB2CDefaults.BearerAuthenticationScheme)
        .AddAzureADB2CBearer(options => Configuration.Bind("AzureAdB2C", options));

    services.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme)
        .AddAzureADBearer(options => Configuration.Bind("AzureAd", options));
These work individually, but when we try to add both configurations at the same time, neither works.
I have also tried
    services.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme)
        .AddAzureADBearer(options => Configuration.Bind("AzureAd", options))
        .AddAzureADB2CBearer(options => Configuration.Bind("AzureAdB2C", options));
but neither seems to work. How can we achieve this?
Answer 0 (score: 1)
You don't need to configure it the way you did above.
You only need to configure B2C in code, and then use custom policies in Azure B2C. You need to define Azure AD as a claims provider that Azure B2C can communicate with through its endpoint. This will allow users to sign in with either Azure AD or social accounts.
See the detailed reference here at Microsoft Docs.
Answer 1 (score: 0)
I also faced a similar problem and solved it with custom policies. Below is the authentication code.
    using System;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Authentication.JwtBearer;
    using Microsoft.AspNetCore.Authorization;
    using Microsoft.Extensions.Configuration;
    using Microsoft.Extensions.DependencyInjection;
    using Microsoft.IdentityModel.Tokens;

    // Extension methods must live in a static class; the class name here is an
    // assumption, the answer did not show one.
    public static class AuthorizationServiceExtensions
    {
        public static void AddAuthorization(this IServiceCollection services, IConfigurationRoot configuration)
        {
            services.AddAuthentication()
                // Scheme "AAD": validates tokens issued by the Azure AD tenant.
                .AddJwtBearer("AAD", options =>
                {
                    options.MetadataAddress = configuration["AzureAd:Instance"] + configuration["AzureAd:TenantId"] +
                        "/v2.0/.well-known/openid-configuration";
                    options.Authority = configuration["AzureAd:Instance"] + configuration["AzureAd:TenantId"];
                    options.Audience = configuration["AzureAd:ClientId"];
                    options.TokenValidationParameters =
                        new TokenValidationParameters
                        {
                            ValidIssuer = $"https://sts.windows.net/{configuration["AzureAd:TenantId"]}/",
                        };
                    options.Events = new JwtBearerEvents
                    {
                        OnMessageReceived = context => Task.CompletedTask,
                        OnChallenge = context => Task.CompletedTask,
                        OnAuthenticationFailed = (context) =>
                        {
                            Console.WriteLine("OnAuthenticationFailed: " + context.Exception.Message);
                            return Task.CompletedTask;
                        },
                        OnTokenValidated = context =>
                        {
                            Console.WriteLine("Validated: " + context.SecurityToken);
                            return Task.CompletedTask;
                        }
                    };
                })
                // Scheme "B2C": validates tokens issued by the B2C sign-up/sign-in policy.
                .AddJwtBearer("B2C", options =>
                {
                    options.Authority = configuration["AzureAdB2C:Instance"] + configuration["AzureAdB2C:Domain"] + "/" +
                        configuration["AzureAdB2C:SignUpSignInPolicyId"] + "/v2.0";
                    options.Audience = configuration["AzureAdB2C:ClientId"];
                    options.Events = new JwtBearerEvents
                    {
                        OnMessageReceived = context => Task.CompletedTask,
                        OnChallenge = context => Task.CompletedTask,
                        OnAuthenticationFailed = (context) =>
                        {
                            Console.WriteLine("OnAuthenticationFailed: " + context.Exception.Message);
                            return Task.CompletedTask;
                        },
                        OnTokenValidated = context =>
                        {
                            Console.WriteLine("Validated: " + context.SecurityToken);
                            return Task.CompletedTask;
                        }
                    };
                });

            // One policy per scheme, so each endpoint names which issuer it trusts.
            services
                .AddAuthorization(options =>
                {
                    options.AddPolicy("AADUsers", new AuthorizationPolicyBuilder()
                        .RequireAuthenticatedUser()
                        .AddAuthenticationSchemes("AAD")
                        .Build());
                    options.AddPolicy("B2CUsers", new AuthorizationPolicyBuilder()
                        .RequireAuthenticatedUser()
                        .AddAuthenticationSchemes("B2C")
                        .Build());
                });
        }
    }
In startup.cs, add the following in ConfigureServices
    services.AddAuthorization(Configuration);
Now you can decorate your controllers based on AD or B2C AD
    [Authorize(Policy = "B2CUsers")] // For B2C authentication
    [Authorize(Policy = "AADUsers")] // For AAD authentication
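The question also asks for endpoints that both user populations may call, which the answer's two single-scheme policies do not cover. The following is an added example, not code from the question or either answer; it assumes the "AAD" and "B2C" JwtBearer schemes are registered exactly as in the answer above, and the class and policy names are chosen here.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical helper: registers a third policy for the shared endpoints and a
// default policy so that a bare [Authorize] never runs with no scheme at all.
public static class MixedAuthorizationExtensions
{
    public static void AddMixedAuthorizationPolicies(this IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            // Either scheme may authenticate the caller. Each scheme still enforces its
            // own Authority and Audience, so a B2C token cannot satisfy "AADUsers" and an
            // AAD token cannot satisfy "B2CUsers"; only this policy accepts both issuers.
            options.AddPolicy("AADOrB2CUsers", policy => policy
                .AddAuthenticationSchemes("AAD", "B2C")
                .RequireAuthenticatedUser());

            // Because AddAuthentication() was called without a default scheme, an
            // [Authorize] attribute with no policy has no handler to run. Naming both
            // schemes in the default policy makes that case fail closed instead of
            // throwing at request time.
            options.DefaultPolicy = new AuthorizationPolicyBuilder("AAD", "B2C")
                .RequireAuthenticatedUser()
                .Build();
        });
    }
}

// Usage on a controller shared by both populations (hypothetical controller name):
// [Authorize(Policy = "AADOrB2CUsers")]
// public class SharedController : ControllerBase { ... }
```

Call `services.AddMixedAuthorizationPolicies();` in ConfigureServices after `services.AddAuthorization(Configuration);` so the shared policy is added to the same AuthorizationOptions.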