客户端通过Azure AD应用程序代理发出的请求中缺少授权标头

Question

我面临一个问题，即从客户端应用程序到通过Azure Active Directory应用程序代理到REST Web服务的HTTP请求中缺少带有承载令牌的Authorization标头。

Web服务托管在内部部署中，并且使用Azure AD应用程序代理URL从Internet上使用客户端应用程序，并且根据ADFS对请求进行身份验证。身份验证标头是在向Azure AD应用程序代理URL发送请求时添加的，我想它已被代理连接器删除。

请在下面找到请求内容并获得帮助。如何在对应用程序代理的原始请求中包括Authenticator标头？

GET /TimelogSvc/rest/Timelog/GetTimeLog?EmailId=John@BizNext.com.sg&Fromdate=2019-04-21&Todate=2019-04-27 HTTP/1.1
Connection: Keep-Alive
Host: agileuat.BizNext.com.sg
X-Forwarded-For: 203.126.130.140
X-MS-Proxy: AzureAD-Application-Proxy
OS-Host: agileuat.BizNext.com.sg
OS-Path: /TimelogSvc
OS-Pta: /rest/Timelog
OS-Page: /GetTimeLog?EmailId=John08@BizNext.com.sg&Fromdate=2019-04-21&Todate=2019-04-27

也请在下面的客户端中查看我的代码。

AuthenticationContext authContext = new AuthenticationContext(authority + tenantID);
HttpClient httpClient = new HttpClient();
string s = string.Empty;

result = await authContext.AcquireTokenAsync(resourceUri, clientId, new Uri(redirectUri), new PlatformParameters(PromptBehavior.Auto));

// Append the token as bearer in the request header.
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);

// Call the API.
HttpResponseMessage response = await httpClient.GetAsync("https://timelogapitest-BizNext.msappproxy.net/TimelogSvc/rest/Timelog/GetTimeLog?EmailId=John@bizNext.com.sg&Fromdate=2019-04-21&Todate=2019-04-27");

s = await response.Content.ReadAsStringAsync();

Answer 1

移动应用

我已经通过在第二个自定义标头中包含访问令牌来解决此问题。假设您拥有对后端的控制权，那么您可以阅读该自定义标头。如有必要，您甚至可以将此内容写入后端的AuthHeader中，以确保从那里进行正常的授权流。

            HttpClient client = new HttpClient();
            HttpRequestMessage message = new HttpRequestMessage(HttpMethod.Get, "API/URL/GoesHere");
            // Add token to authentication header as per usual
            message.Headers.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", token);
            // Custom header containing the token a second time.
            // Name if whatever you like, just make sure you look for the
            // exact name on the backend
            message.Headers.Add("JwtAccessToken", token);
            HttpResponseMessage response = await client.SendAsync(message);
            string responseString = await response.Content.ReadAsStringAsync();

网络客户端

这似乎现在可以工作：

https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/32386468-forward-incoming-jwt-token-to-backend-service#{toggle_previous_statuses}