本地 ADFS 3.0 OAuth2 WebApi + AngularJS
On Premise ADFS 3.0 OAuth2 WebApi + AngularJS
我对此完全迷失了,任何帮助将不胜感激。
当我从 angularJS 通过我的客户端应用程序单击 Login 时,我被重定向到:
https://adfs.dev5.local/adfs/oauth2/authorize?response_type=code&client_id=09c9a8a2-6bf1-427d-89ba-45c2c02bb9fc&resource=urn%3Awebapi%3Atest&redirect_uri=https%3A%2F%2Flocalhost%3A44326%2F&state=52e4aa10-f082-4ee6-8823-543ec6e4dce4&client-request-id=e2751f34-f7db-41f4-8c1d-4463e2dca48b&x-client-SKU=Js&x-client-Ver=1.0.15&nonce=93039780-99f6-4efc-8b1b-58aa92df9f82
没关系,我可以输入我的电子邮件 + 密码。登录后,我将重定向到:
https://localhost:44326/?code=OLCE2LJVeU2Zy2-7Q4oIMg.6Pr0vZgW1QhBAMQoUlgIKAdAsno.q4scWy_ZFQHQEz08M3gU3KJU4NhXdimZiMpgSGBQ8xKN8BLK0Qoe1m1cK5TA2WLLyA14SlnnfA4yHEp5_pTWrIOYNrvOVzNiGU0Zkie-7ae2D1_3U1E1rTmLUTprIadU4gLmo2CeMHkM8gumS285wKsRsMpXVLcavjgjyRM3XoWXSDSP96_eeMgq1osQ1M5170rrGOh_DVqKG-xYnKk5PEC7cWikaR_pxCvwvayLMV0VQIIyq1GJ3CvgK8sWFJGdY3jz247Bh8RPH9-t2_Jz3_7wyqvfvfquAY8tQxElEN1IEoPMOwVdjfBgNlZlw7vtAo79jdH1C_TRNUC5T3IrXw&state=52e4aa10-f082-4ee6-8823-543ec6e4dce4&client-request-id=e2751f34-f7db-41f4-8c1d-4463e2dca48b
这是我感到困惑的地方我不认为它应该将我重定向到那个...,我知道我需要 POST 这一些如何获得令牌,但是如何?我使用 Postman 并且能够获得访问令牌,但我不明白我的 WebAPI 如何将其转换为访问令牌?
我在 Windows Server 2012 R2 上使用 ADFS 3.0。
设置 ADFS:
Add-ADFSRelyingPartyTrust -Name MyWebAPI -Identifier urn:webapi:test -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");' -IssuanceTransformRules 'c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(claim = c);'
添加客户:
Add-ADFSClient -Name "client" -ClientId "09c9a8a2-6bf1-427d-89ba-45c2c02bb9fc" -RedirectUri "https://localhost:44326/"
Startup.Auth.cs:
app.UseActiveDirectoryFederationServicesBearerAuthentication(
new ActiveDirectoryFederationServicesBearerAuthenticationOptions
{
MetadataEndpoint = "https://adfs.dev5.local/FederationMetadata/2007-06/federationmetadata.xml",
TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
{
ValidAudience = ConfigurationManager.AppSettings["ida:Audience"],
}
});
观众的网络配置:
<appSettings>
<add key="ida:Audience" value="https://localhost:44326/" />
</appSettings>
AngularJS 广告设置:
adalProvider.init(
{
instance: 'https://adfs.dev5.local/',
tenant: 'adfs',
clientId: '09c9a8a2-6bf1-427d-89ba-45c2c02bb9fc',
redirectUri: 'https://localhost:44326/'
//cacheLocation: 'localStorage', // enable this for IE, as sessionStorage does not work for localhost.
},
$httpProvider
);
我对此完全迷失了,任何帮助将不胜感激。
当我从 angularJS 通过我的客户端应用程序单击 Login 时,我被重定向到:
https://adfs.dev5.local/adfs/oauth2/authorize?response_type=code&client_id=09c9a8a2-6bf1-427d-89ba-45c2c02bb9fc&resource=urn%3Awebapi%3Atest&redirect_uri=https%3A%2F%2Flocalhost%3A44326%2F&state=52e4aa10-f082-4ee6-8823-543ec6e4dce4&client-request-id=e2751f34-f7db-41f4-8c1d-4463e2dca48b&x-client-SKU=Js&x-client-Ver=1.0.15&nonce=93039780-99f6-4efc-8b1b-58aa92df9f82
没关系,我可以输入我的电子邮件 + 密码。登录后,我将重定向到:
https://localhost:44326/?code=OLCE2LJVeU2Zy2-7Q4oIMg.6Pr0vZgW1QhBAMQoUlgIKAdAsno.q4scWy_ZFQHQEz08M3gU3KJU4NhXdimZiMpgSGBQ8xKN8BLK0Qoe1m1cK5TA2WLLyA14SlnnfA4yHEp5_pTWrIOYNrvOVzNiGU0Zkie-7ae2D1_3U1E1rTmLUTprIadU4gLmo2CeMHkM8gumS285wKsRsMpXVLcavjgjyRM3XoWXSDSP96_eeMgq1osQ1M5170rrGOh_DVqKG-xYnKk5PEC7cWikaR_pxCvwvayLMV0VQIIyq1GJ3CvgK8sWFJGdY3jz247Bh8RPH9-t2_Jz3_7wyqvfvfquAY8tQxElEN1IEoPMOwVdjfBgNlZlw7vtAo79jdH1C_TRNUC5T3IrXw&state=52e4aa10-f082-4ee6-8823-543ec6e4dce4&client-request-id=e2751f34-f7db-41f4-8c1d-4463e2dca48b
这是我感到困惑的地方我不认为它应该将我重定向到那个...,我知道我需要 POST 这一些如何获得令牌,但是如何?我使用 Postman 并且能够获得访问令牌,但我不明白我的 WebAPI 如何将其转换为访问令牌?
我在 Windows Server 2012 R2 上使用 ADFS 3.0。
设置 ADFS:
Add-ADFSRelyingPartyTrust -Name MyWebAPI -Identifier urn:webapi:test -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");' -IssuanceTransformRules 'c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(claim = c);'
添加客户:
Add-ADFSClient -Name "client" -ClientId "09c9a8a2-6bf1-427d-89ba-45c2c02bb9fc" -RedirectUri "https://localhost:44326/"
Startup.Auth.cs:
app.UseActiveDirectoryFederationServicesBearerAuthentication(
new ActiveDirectoryFederationServicesBearerAuthenticationOptions
{
MetadataEndpoint = "https://adfs.dev5.local/FederationMetadata/2007-06/federationmetadata.xml",
TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
{
ValidAudience = ConfigurationManager.AppSettings["ida:Audience"],
}
});
观众的网络配置:
<appSettings>
<add key="ida:Audience" value="https://localhost:44326/" />
</appSettings>
AngularJS 广告设置:
adalProvider.init(
{
instance: 'https://adfs.dev5.local/',
tenant: 'adfs',
clientId: '09c9a8a2-6bf1-427d-89ba-45c2c02bb9fc',
redirectUri: 'https://localhost:44326/'
//cacheLocation: 'localStorage', // enable this for IE, as sessionStorage does not work for localhost.
},
$httpProvider
);