Web API(.NET Framework)Azure AD身份验证始终返回401未经授权

时间:2020-03-01 18:32:22

标签: c# azure azure-devops azure-active-directory azure-web-app-service

我的情况就像我必须在Azure Web App中部署Web API(.NET Framework),并且所有请求都应通过Azure AD身份验证进行。我在Google上搜索,发现了Microsoft提供的类似案例。我遵循了Microsoft提供的以下示例,当我在计算机上测试此代码时,它可以正常工作。

Native client to Web API to Web API.

就我而言,我能够生成OAuth2令牌,但问题是我总是会收到401未经授权的错误。我关注了许多博客,但无法弄清楚是什么原因引起了问题。真的很感谢您的帮助。

这是我的代码:

Startup.cs

    public partial class Startup
{
    public void Configuration(IAppBuilder app)
    {
        ConfigureAuth(app);
    }
}

Startup.Auth.cs

        public void ConfigureAuth(IAppBuilder app)
    {
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
                TokenValidationParameters = new TokenValidationParameters { ValidAudience = ConfigurationManager.AppSettings["ida:Audience"] }
            });
    }

Controller.cs

[Authorize]
[EnableCors(origins: "*", headers: "*", methods: "*")]
public class AuthController : ApiController
{
    [HttpGet]
    public HttpResponseMessage Get()
    {
        try
        {
            using (sqldbEntities entities = new sqldbEntities())
            {
                return Request.CreateResponse(HttpStatusCode.OK, (ConfigurationManager.AppSettings["GetMethod"]));
            }
        }
        catch (Exception ex)
        {
            Log4net.log.Error(string.Format(ConfigurationManager.AppSettings["ErrorGetData"], ex.Message));
            return Request.CreateErrorResponse(HttpStatusCode.BadRequest, ex.Message);
        }
    }

以两种方式生成令牌: 方法1)从另一个ASP.NET应用程序

private static AuthenticationContext authContext = null;
        private static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
        private static string tenant = ConfigurationManager.AppSettings["ida:Tenant"];
        private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
        Uri redirectUri = new Uri(ConfigurationManager.AppSettings["ida:RedirectUri"]);

        private static string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);
        private static string todoListResourceId = ConfigurationManager.AppSettings["todo:TodoListResourceId"];            

protected async void Button1_Click(object sender, EventArgs e)
        {
            authContext = new AuthenticationContext(authority);
            AuthenticationResult result = null;
            result = await authContext.AcquireTokenAsync(todoListResourceId, clientId, redirectUri, new PlatformParameters(PromptBehavior.Always));
            TextBox1.Text = result.AccessToken;
        }

方法2)来自邮递员 网址:https://login.microsoftonline.com/myad.onmicrosoft.com/oauth2/token

方法:POST

身体: grant_type = authorization_code&client_id = 89479d4f-aaaa-4ebf-80f2-13e423431bfb&client_secret = hZ_8Ls1EmFarH_lPn4 = aaaa-k8TJ_&redirect_uri = https://NAClient-OBO/&code=AQABAAIAAABeAFzDwllzTYGDLh_qYbH8KZRKktzMuxXp0hM6k1B__lWQrxaikd6wwrYrKZ470UAdr4g1GqAPWja6JgpqsDtLefE23vW80qP7xgVodury28LkGLzL1Mbq0auUeiBaaaa-oCZf11o5EsaSVRVlke6FMkbIn_ppA_GsEBhIAEjxHXXjkrIcp-e4g0G5t9prme4IZ0Sg2_L4MvN6TAyr-nEPGDlnWZLBkRvu8Izsm3RiI_cnneCi1xonZaKBSlsgONIwpgN1bOaz16OVW2uu5lTiz206CSrJtzWeKkitPNUx2Gnn-RnZcCUVDyLxK-eJy8o_ggn_iu7F7kdjKj-b70Gfp5BPYx6fxB4Zyw8tpnWzVkLG7IbLGx9di112u-UGgVSBfWQiO5w3a4Mx2KdDcUihMlVW_mgBUdQi4160AKq1Id9ZcpJEKCT11KWwkO25_q7huCxJ_6-mEU4ADCGjj8hDOtRLGNeZMwhB13rYTN7qGQMmpX491RoldCfpfevva16DhQl5VHbIqspknkK1pFHvh90J47DSg0VihQOIQp1FZ7EgAA&resource=89479d4f-aaaa-4ebf-80f2-13e423431bfb

请帮助。

1 个答案:

答案 0 :(得分:1)

根据我的测试,我们可以使用以下步骤来实现它

  1. 为您的Web API配置Azure AD。有关更多详细信息,请参阅document

    a。创建Azure AD Web API应用程序

    b。 Expose API enter image description here

  2. Create client application to access the web api

  3. 配置代码

    • 网络api

      a。 Startup.cs

       public void ConfigureAuth(IAppBuilder app)
      {
         app.UseWindowsAzureActiveDirectoryBearerAuthentication(
             new WindowsAzureActiveDirectoryBearerAuthenticationOptions
             {
                 Tenant = "<your tenant id>",
                 TokenValidationParameters = new TokenValidationParameters
                 {
                     ValidAudiences = new[] { "your web api application app id url", "your web api application app id" }
                 },
             }) ;;
      }
      

      b。控制器

      [Authorize]
      [EnableCors(origins: "*", headers: "*", methods: "*")]
      public class ValuesController : ApiController
      {
      // GET api/values
      public IEnumerable<string> Get()
      {
       return new string[] { "value1", "value2" };
      }
      }
      
    • 客户端应用程序。我使用控制台应用程序调用api
    var authority = "https://login.microsoftonline.com/<your tenat id>";
          AuthenticationContext authContext = new AuthenticationContext(authority);
          var uri = "< your redirect url>";
          var clientId = "< your client application app id>";
          var resource = "<your web api application app id url or your web api application app id>";
         var result = authContext.AcquireTokenAsync(resource, clientId, new Uri(uri), new PlatformParameters(PromptBehavior.Always)).Result;
    
          using (HttpClient httpClient = new HttpClient())
          {
    
              httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
    
              var response = httpClient.GetAsync("https://localhost:44345/api/values").Result;
              Console.WriteLine(response.StatusCode);
              Console.WriteLine(response.Content.ReadAsStringAsync().Result);
    
          }
    

    enter image description here