如何代表流将 cookie 与 Azure AD 一起使用以获取对另一个资源的访问令牌
How to use cookies with Azure AD on behalf of flow to get an access token to another resource
我有两个应用程序使用同一个 Azure 活动目录。应用程序 A 和应用程序 B.
应用 A 使用
app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
AutomaticAuthenticate = true,
AutomaticChallenge = true,
ClientId = Configuration["Authentication:AzureAd:ClientId"],
Authority = Configuration["Authentication:AzureAd:AADInstance"] + Configuration["Authentication:AzureAd:TenantId"],
ClientSecret = Configuration["Authentication:AzureAd:ClientSecret"],
CallbackPath = Configuration["Authentication:AzureAd:CallbackPath"],
ResponseType = OpenIdConnectResponseType.CodeIdToken,
GetClaimsFromUserInfoEndpoint = true,
SignInScheme = "Cookies",
SaveTokens = true,
Events = new OpenIdConnectEvents
{
OnAuthorizationCodeReceived = OnAuthorizationCodeReceived,
}
});
并且我通过使用以下方式获取令牌来获取对应用程序 B api 服务资源的访问权限:
private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedContext context)
{
string userObjectId = (context.Ticket.Principal.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier"))?.Value;
ClientCredential clientCred = new ClientCredential(Configuration["Authentication:AzureAd:ClientId"], Configuration["Authentication:AzureAd:ClientSecret"]);
AuthenticationContext authContext = new AuthenticationContext(Configuration["Authentication:AzureAd:AADInstance"] + Configuration["Authentication:AzureAd:TenantId"]);
AuthenticationResult authResult = await authContext.AcquireTokenByAuthorizationCodeAsync(
context.ProtocolMessage.Code, new Uri(context.Properties.Items[OpenIdConnectDefaults.RedirectUriForCodePropertiesKey]), clientCred, Configuration["Authentication:AzureAd:GraphResourceId"]);
我还使用 cookie 登录应用程序 A:
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
AuthenticationScheme = "Cookies",
AutomaticAuthenticate = true,
AutomaticChallenge = true,
SlidingExpiration = true,
ExpireTimeSpan = TimeSpan.FromHours(1),
Events = new CookieAuthenticationEvents()
{
OnSignedIn = OnSignedIn,
OnSigningIn = OnSigningIn,
OnValidatePrincipal = OnValidatePrincipal
}
});
/* Account Controller SignIn() */
return Challenge(
new AuthenticationProperties {
AllowRefresh = true,
IsPersistent = true,
RedirectUri = "/" }, OpenIdConnectDefaults.AuthenticationScheme);
现在我的问题类似于我的访问令牌即将过期的其他问题,但我到应用程序 a 的登录 cookie 仍然有效,因此用户似乎登录正常,尽管他们在缓存中没有令牌。
我已经跟进了其他问题,并查看了
我的 Cookie 事件
Task OnValidatePrincipal(CookieValidatePrincipalContext arg) {
var http = new HttpClient();
var uri = "https://login.microsoftonline.com/<tenant>/oauth2/token";
var client_id = "<my_client_id>";
var scope = "https://graph.microsoft.com/mail.read";
var refresh_token = "<saved_refresh_token_in_cookie_if_SaveTokens = true>";
var redirect_uri = "https://localhost:20352/";
var grant_type = "refresh_token";
var client_secret = "<client_secret_from_azure>";
var body = new List<KeyValuePair<string, string>>
{
new KeyValuePair<string, string>("client_id", client_id),
new KeyValuePair<string, string>("scope", scope),
new KeyValuePair<string, string>("refresh_token", refresh_token),
new KeyValuePair<string, string>("redirect_uri", redirect_uri),
new KeyValuePair<string, string>("grant_type", grant_type),
new KeyValuePair<string, string>("client_secret", client_secret)
};
var content = new FormUrlEncodedContent(body);
var result = http.PostAsync(uri, content).Result;
var stringContent = result.Content.ReadAsStringAsync().Result;
JObject jobject = JObject.Parse(stringContent);
var token = jobject["access_token"].Value<string>();
这里的问题是我不知道如何将此令牌返回到 adal AuthenticationContext 使用的默认 TokenStore 中。我们有更深层次的代码需要从中提取:
_authenticationResult = await authContext.AcquireTokenSilentAsync(_authConfigOptions.AzureAd.WebserviceAppIdUri.ToString(), credential, new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));
有没有一种方法可以在没有有效令牌/刷新令牌 'On Behalf of User' 流的情况下为用户应用程序 B api 调用将新的资源访问令牌取回令牌库?
如果丢失访问令牌和刷新令牌,则必须将用户重定向到 Azure AD 以再次进行身份验证。他们可能仍然在那里经过身份验证,因此他们只是连同授权码一起被重定向回您的应用程序。
在我的一个项目中,我制作了一个异常过滤器来执行此操作:
public void OnException(ExceptionContext filterContext)
{
//If the error is a silent token acquisition exception from ADAL..
if(filterContext.Exception is AdalSilentTokenAcquisitionException)
{
//Instead of the usual procedure, return a 401 which triggers the OpenIdConnect middleware redirection
filterContext.Result = new HttpUnauthorizedResult();
filterContext.ExceptionHandled = true;
}
}
因此,如果在静默令牌获取失败的地方抛出异常,只需吞下错误并将结果更改为 401,这会触发 OpenIdConnect 中间件将用户发送到 Azure AD。
既然你有 AutomaticAuthenticate=true,它应该这样做。
我有两个应用程序使用同一个 Azure 活动目录。应用程序 A 和应用程序 B.
应用 A 使用
app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
AutomaticAuthenticate = true,
AutomaticChallenge = true,
ClientId = Configuration["Authentication:AzureAd:ClientId"],
Authority = Configuration["Authentication:AzureAd:AADInstance"] + Configuration["Authentication:AzureAd:TenantId"],
ClientSecret = Configuration["Authentication:AzureAd:ClientSecret"],
CallbackPath = Configuration["Authentication:AzureAd:CallbackPath"],
ResponseType = OpenIdConnectResponseType.CodeIdToken,
GetClaimsFromUserInfoEndpoint = true,
SignInScheme = "Cookies",
SaveTokens = true,
Events = new OpenIdConnectEvents
{
OnAuthorizationCodeReceived = OnAuthorizationCodeReceived,
}
});
并且我通过使用以下方式获取令牌来获取对应用程序 B api 服务资源的访问权限:
private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedContext context)
{
string userObjectId = (context.Ticket.Principal.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier"))?.Value;
ClientCredential clientCred = new ClientCredential(Configuration["Authentication:AzureAd:ClientId"], Configuration["Authentication:AzureAd:ClientSecret"]);
AuthenticationContext authContext = new AuthenticationContext(Configuration["Authentication:AzureAd:AADInstance"] + Configuration["Authentication:AzureAd:TenantId"]);
AuthenticationResult authResult = await authContext.AcquireTokenByAuthorizationCodeAsync(
context.ProtocolMessage.Code, new Uri(context.Properties.Items[OpenIdConnectDefaults.RedirectUriForCodePropertiesKey]), clientCred, Configuration["Authentication:AzureAd:GraphResourceId"]);
我还使用 cookie 登录应用程序 A:
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
AuthenticationScheme = "Cookies",
AutomaticAuthenticate = true,
AutomaticChallenge = true,
SlidingExpiration = true,
ExpireTimeSpan = TimeSpan.FromHours(1),
Events = new CookieAuthenticationEvents()
{
OnSignedIn = OnSignedIn,
OnSigningIn = OnSigningIn,
OnValidatePrincipal = OnValidatePrincipal
}
});
/* Account Controller SignIn() */
return Challenge(
new AuthenticationProperties {
AllowRefresh = true,
IsPersistent = true,
RedirectUri = "/" }, OpenIdConnectDefaults.AuthenticationScheme);
现在我的问题类似于我的访问令牌即将过期的其他问题,但我到应用程序 a 的登录 cookie 仍然有效,因此用户似乎登录正常,尽管他们在缓存中没有令牌。
我已经跟进了其他问题,并查看了
我的 Cookie 事件 Task OnValidatePrincipal(CookieValidatePrincipalContext arg) {
var http = new HttpClient();
var uri = "https://login.microsoftonline.com/<tenant>/oauth2/token";
var client_id = "<my_client_id>";
var scope = "https://graph.microsoft.com/mail.read";
var refresh_token = "<saved_refresh_token_in_cookie_if_SaveTokens = true>";
var redirect_uri = "https://localhost:20352/";
var grant_type = "refresh_token";
var client_secret = "<client_secret_from_azure>";
var body = new List<KeyValuePair<string, string>>
{
new KeyValuePair<string, string>("client_id", client_id),
new KeyValuePair<string, string>("scope", scope),
new KeyValuePair<string, string>("refresh_token", refresh_token),
new KeyValuePair<string, string>("redirect_uri", redirect_uri),
new KeyValuePair<string, string>("grant_type", grant_type),
new KeyValuePair<string, string>("client_secret", client_secret)
};
var content = new FormUrlEncodedContent(body);
var result = http.PostAsync(uri, content).Result;
var stringContent = result.Content.ReadAsStringAsync().Result;
JObject jobject = JObject.Parse(stringContent);
var token = jobject["access_token"].Value<string>();
这里的问题是我不知道如何将此令牌返回到 adal AuthenticationContext 使用的默认 TokenStore 中。我们有更深层次的代码需要从中提取:
_authenticationResult = await authContext.AcquireTokenSilentAsync(_authConfigOptions.AzureAd.WebserviceAppIdUri.ToString(), credential, new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));
有没有一种方法可以在没有有效令牌/刷新令牌 'On Behalf of User' 流的情况下为用户应用程序 B api 调用将新的资源访问令牌取回令牌库?
如果丢失访问令牌和刷新令牌,则必须将用户重定向到 Azure AD 以再次进行身份验证。他们可能仍然在那里经过身份验证,因此他们只是连同授权码一起被重定向回您的应用程序。
在我的一个项目中,我制作了一个异常过滤器来执行此操作:
public void OnException(ExceptionContext filterContext)
{
//If the error is a silent token acquisition exception from ADAL..
if(filterContext.Exception is AdalSilentTokenAcquisitionException)
{
//Instead of the usual procedure, return a 401 which triggers the OpenIdConnect middleware redirection
filterContext.Result = new HttpUnauthorizedResult();
filterContext.ExceptionHandled = true;
}
}
因此,如果在静默令牌获取失败的地方抛出异常,只需吞下错误并将结果更改为 401,这会触发 OpenIdConnect 中间件将用户发送到 Azure AD。
既然你有 AutomaticAuthenticate=true,它应该这样做。