Application '' is not configured as a multi-tenant application

Time: 2019-09-10 04:25:29

Tags: web-applications azure-active-directory single-sign-on openid-connect

I am trying to develop a single-tenant application, and on sign-in I receive the following error message:

"Application '(application ID)' is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant."

  1. In the Azure AD portal, under "App registrations" => "Authentication" => "Supported account types", I verified that "Accounts in this organizational directory only (###### only - Single tenant)" is the selected option.

  2. Then I confirmed that my code is using the 'https://login.microsoftonline.com/{tenantID}' endpoint. In other words, the '/common' endpoint is not mentioned anywhere in the code.

    Private Shared appId As String = ConfigurationManager.AppSettings("ida:ClientId")
    Private Shared appSecret As String = ConfigurationManager.AppSettings("ida:ClientSecret")
    Private Shared redirectUri As String = ConfigurationManager.AppSettings("ida:PostLogoutRedirectUri")
    Private Shared graphScopes As String = ConfigurationManager.AppSettings("ida:AppScopes")
    Private Shared sAzureAdInstance As String = "https://login.microsoftonline.com/"
    Private Shared sTenant As String = ConfigurationManager.AppSettings("ida:TenantId")
    ' Tenant-specific authority: https://login.microsoftonline.com/{tenantId}
    Private Shared sAuthority As String = sAzureAdInstance & sTenant

    Public Sub ConfigureAuth(ByVal app As IAppBuilder)
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType)
        app.UseCookieAuthentication(New CookieAuthenticationOptions())
        app.UseOpenIdConnectAuthentication(New OpenIdConnectAuthenticationOptions With {
            .ClientId = appId,
            .Scope = $"openid email profile offline_access {graphScopes}",
            .Authority = sAuthority,
            .RedirectUri = redirectUri,
            .PostLogoutRedirectUri = redirectUri,
            .TokenValidationParameters = New TokenValidationParameters With {
                .ValidateIssuer = False ' issuer check disabled: ID tokens from any tenant are accepted
            },
            .Notifications = New OpenIdConnectAuthenticationNotifications With {
                .AuthenticationFailed = AddressOf OnAuthenticationFailedAsync,
                .AuthorizationCodeReceived = AddressOf OnAuthorizationCodeReceivedAsync
            }
        })

    End Sub

I want my application to run in single-tenant mode. I cannot find any meaningful documentation about this issue.

Edit:

I have isolated the failing method in my code; the snippet below shows its context:

Dim signedInUser = New ClaimsPrincipal(notification.AuthenticationTicket.Identity)
Dim idClient As IConfidentialClientApplication = ConfidentialClientApplicationBuilder.Create(appId).WithRedirectUri(redirectUri).WithClientSecret(appSecret).Build()
Dim scopes As String() = graphScopes.Split(" "c)
' NOTE: the scopes string array contains the following two values: User.Read and Calendars.Read.
Dim authResult = Await idClient.AcquireTokenByAuthorizationCode(scopes, notification.Code).ExecuteAsync()
' EXECUTION HALTS HERE

I cannot see the connection between the AcquireTokenByAuthorizationCode() method and the error message. It is not obvious to me what could be going wrong.

Any help is greatly appreciated.

1 Answer:

Answer 0: (score: 0)

I am not very familiar with VB, but going by the C# code, you can specify the Authority manually:

app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        // The `Authority` represents the v2.0 endpoint - https://login.microsoftonline.com/common/v2.0
        Authority = Globals.Authority,
        ClientId = Globals.ClientId,
        RedirectUri = Globals.RedirectUri,
        PostLogoutRedirectUri = Globals.RedirectUri,
        Scope = Globals.BasicSignInScopes + " Mail.Read", // a basic set of permissions for user sign in & profile access "openid profile offline_access"
        TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = false,
            // In a real application you would use IssuerValidator for additional checks, like making sure the user's organization has signed up for your app.
            //     IssuerValidator = (issuer, token, tvp) =>
            //     {
            //        //if(MyCustomTenantValidation(issuer))
            //        return issuer;
            //        //else
            //        //    throw new SecurityTokenInvalidIssuerException("Invalid issuer");
            //    },
            //NameClaimType = "name",
        },
        Notifications = new OpenIdConnectAuthenticationNotifications()
        {
            AuthorizationCodeReceived = OnAuthorizationCodeReceived,
            AuthenticationFailed = OnAuthenticationFailed,
        }
    });

It seems that https://login.microsoftonline.com/common/v2.0 is used by default. So you can change the value to https://login.microsoftonline.com/{your_tenant}/v2.0


Update

You can create a new VB web project and choose Azure AD single-tenant authentication.


Then you get a working sample:

Partial Public Class Startup
    Private Shared clientId As String = ConfigurationManager.AppSettings("ida:ClientId")
    Private Shared aadInstance As String = EnsureTrailingSlash(ConfigurationManager.AppSettings("ida:AADInstance"))
    Private Shared tenantId As String = ConfigurationManager.AppSettings("ida:TenantId")
    Private Shared postLogoutRedirectUri As String = ConfigurationManager.AppSettings("ida:PostLogoutRedirectUri")
    Private Shared authority As String = aadInstance & tenantId

    Public Sub ConfigureAuth(app As IAppBuilder)
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType)

        app.UseCookieAuthentication(New CookieAuthenticationOptions())

        app.UseOpenIdConnectAuthentication(New OpenIdConnectAuthenticationOptions() With {
            .ClientId = clientId,
            .Authority = authority,
            .PostLogoutRedirectUri = postLogoutRedirectUri
        })
    End Sub

End Class

Specifying the authority is also supported. You can see that it is already set to aadInstance & tenantId.

If you want to use Azure AD v2, you need to use the v2.0 endpoint.
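The corrected single-tenant setup, as an added example that is not code from the original question or answer. It ties the answer's advice (a tenant-specific v2.0 Authority on the OWIN middleware) to the method isolated in the question's edit: ConfidentialClientApplicationBuilder.Create() without .WithAuthority() falls back to the /common authority, so the redemption of the authorization code is the request that hits the "/common endpoint is not supported" error even though the middleware itself is pointed at the tenant. It also keeps ValidateIssuer = True, so an ID token minted by a different tenant is rejected instead of being accepted as the question's configuration would, and re-checks the tenant on the MSAL result. Assumed (not in the original): the ida:* appSettings exist in web.config, ida:TenantId holds the directory (tenant) GUID, and the same OWIN OpenID Connect and MSAL.NET packages the question already references are installed.

```vb
Imports System.Configuration
Imports System.Threading.Tasks
Imports Microsoft.Identity.Client
Imports Microsoft.IdentityModel.Tokens
Imports Microsoft.Owin.Security.Cookies
Imports Microsoft.Owin.Security.Notifications
Imports Microsoft.Owin.Security.OpenIdConnect
Imports Owin

Partial Public Class Startup
    ' Assumed appSettings keys (hypothetical names matching the question's web.config).
    Private Shared appId As String = ConfigurationManager.AppSettings("ida:ClientId")
    Private Shared appSecret As String = ConfigurationManager.AppSettings("ida:ClientSecret")
    Private Shared redirectUri As String = ConfigurationManager.AppSettings("ida:RedirectUri")
    Private Shared graphScopes As String = ConfigurationManager.AppSettings("ida:AppScopes")
    Private Shared tenantId As String = ConfigurationManager.AppSettings("ida:TenantId") ' directory GUID

    ' Tenant-specific v2.0 authority. A single-tenant registration must never use /common.
    Private Shared authority As String = $"https://login.microsoftonline.com/{tenantId}/v2.0"

    Public Sub ConfigureAuth(app As IAppBuilder)
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType)
        app.UseCookieAuthentication(New CookieAuthenticationOptions())

        ' ValidateIssuer stays True (the default): the middleware compares the ID token's
        ' "iss" claim with the issuer advertised by the tenant-specific metadata document,
        ' so tokens issued to users of any other tenant fail validation.
        app.UseOpenIdConnectAuthentication(New OpenIdConnectAuthenticationOptions With {
            .ClientId = appId,
            .Authority = authority,
            .RedirectUri = redirectUri,
            .PostLogoutRedirectUri = redirectUri,
            .Scope = $"openid email profile offline_access {graphScopes}",
            .TokenValidationParameters = New TokenValidationParameters With {
                .ValidateIssuer = True
            },
            .Notifications = New OpenIdConnectAuthenticationNotifications With {
                .AuthorizationCodeReceived = AddressOf OnAuthorizationCodeReceivedAsync
            }
        })
    End Sub

    Private Async Function OnAuthorizationCodeReceivedAsync(notification As AuthorizationCodeReceivedNotification) As Task
        ' Without .WithAuthority MSAL uses https://login.microsoftonline.com/common, which is
        ' what triggered the error in the question. Pin the confidential client to the tenant.
        Dim idClient As IConfidentialClientApplication = ConfidentialClientApplicationBuilder.Create(appId) _
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId) _
            .WithRedirectUri(redirectUri) _
            .WithClientSecret(appSecret) _
            .Build()

        Dim scopes As String() = graphScopes.Split(" "c)
        Dim authResult As AuthenticationResult = Await idClient.AcquireTokenByAuthorizationCode(scopes, notification.Code).ExecuteAsync()

        ' Defence in depth: the tenant that issued the token must be ours as well.
        If Not String.Equals(authResult.TenantId, tenantId, StringComparison.OrdinalIgnoreCase) Then
            Throw New SecurityTokenInvalidIssuerException("Token was issued by an unexpected tenant: " & authResult.TenantId)
        End If

        ' From here authResult.AccessToken can be cached and used to call Microsoft Graph.
    End Function
End Class
```

If the middleware and MSAL ever disagree on the authority again, the place to look first is any builder or client constructed without an explicit authority, because those are the calls that silently fall back to /common.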