ADAL AcquireToken Windows authentication UWP
I am developing a UWP application that needs to authenticate against an on-premises ADFS 2016 instance, but using Windows Integrated Authentication.
I am using ADAL 3.19.8.
The application runs on a domain-joined Windows 10 device.
The application has the Enterprise Authentication, Private Networks (Client & Server) and Shared User Certificates capabilities enabled, as described here: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/uwp-specificities
I am setting the UseCorporateNetwork flag to true.
Windows has Integrated Authentication enabled in Internet Options, and I have added the ADFS server to the Local intranet zone.
This is how I am trying to authenticate:
string authority = "https://xxxx/adfs/oauth2";
const bool useCorporateNetwork = true;
var authContext = new AuthenticationContext(authority, false);
var authResult = await authContext.AcquireTokenAsync(
resourceURI,
clientID,
new Uri(clientReturnURI),
new PlatformParameters(PromptBehavior.Auto, useCorporateNetwork));
Authentication against ADFS succeeds and I get an access token and an ID token. However, the application always shows the ADFS sign-in screen. To proceed, I enter the same username and password credentials I use to sign in to Windows. Obviously this is not ideal, and not the behaviour the application's users expect.
Using Fiddler, I can see the UWP application calling https://xxxx/adfs/oauth2/authorize.
If I use the code above in a WinForms application (albeit without the useCorporateNetwork overload), I get the SSO behaviour I expect.
Using Fiddler, the WinForms app calls https://xxxx/adfs/oauth2/authorize/wia.
What am I missing?
If ADAL.NET has already acquired a token for the user of a Web API, it caches it together with a refresh token. The next time the application needs a token, it can first call AcquireTokenSilentAsync to check whether there is an acceptable token in the cache.
AuthenticationContext ac = new AuthenticationContext(authority);
AuthenticationResult result=null;
try
{
result = await ac.AcquireTokenSilentAsync(resource, clientId);
}
catch (AdalException adalException)
{
if (adalException.ErrorCode == AdalError.FailedToAcquireTokenSilently
|| adalException.ErrorCode == AdalError.InteractionRequired)
{
result = await ac.AcquireTokenAsync(resource, clientId, redirectUri,
new PlatformParameters(PromptBehavior.Auto));
}
}
For more details, refer to this.
It turns out the piece I was missing is that you need to get the client redirect URI from the WebAuthenticationBroker, rather than setting it to an arbitrary string:
Uri clientReturnURI = Windows.Security.Authentication.Web
.WebAuthenticationBroker.GetCurrentApplicationCallbackUri();
This returns a URI such as ms-app://s-1-15-2-1352796503-54529114-405753024-3540103335-3203256200-511895534-1429095407/, which needs to be configured in ADFS for the native application.
Here is the relevant section:
Properties of PlatformParameter specific to WinRT and UWP (Corporate network)
The WinRT (until ADAL 3.x) and UWP platforms have the following property: UseCorporateNetwork is a boolean which enables the Win8.1 and UWP application to benefit from Windows Integrated Authentication (and therefore SSO with the user signed in with the operating system) if this user is signed in with an account in a federated Azure AD tenant. This leverages WAB (Web Authentication Broker).
Important: Setting this property to true assumes that the application developer has enabled Windows Integrated Authentication (WIA) in the application. For this:
In the Package.appxmanifest for your UWP application, in the Capabilities tab, enable the following capabilities:
Enterprise Authentication
Private Networks (Client & Server)
Shared User Certificate
WIA is not enabled by default because applications requesting the Enterprise Authentication or Shared User Certificates capabilities require a higher level of verification to be accepted into the Windows Store, and not all developers may wish to perform the higher level of verification.
Note that the underlying implementation on the UWP platform (WAB) does not work correctly in Enterprise scenarios where Conditional Access was enabled. The symptom is that the user tries to sign in with Windows Hello, and is proposed to choose a certificate, but the certificate for the PIN is not found, or the user chooses it, but never gets prompted for the PIN. A workaround is to use an alternative method (username/password + phone authentication), but the experience is not good. In the future, ADAL and MSAL will need to leverage WAM, which will solve the problem.
Getting the Redirect URI in the case of Windows 8.1 store applications
Note: Support for Win8.1 and Windows Phone 8.1 stopped in ADAL 4.x. Windows 10 applications (UWP) are still supported.
In the case of Windows Store applications, you will need to discover the callback URI for your Windows Phone app. The simplest way to do it is to add a line in the initialization method (for instance in the MainPage) and set a breakpoint on this line in the method:
var redirectURI = Windows.Security.Authentication.Web.WebAuthenticationBroker.GetCurrentApplicationCallbackUri();
then, run the app, and copy aside the value of redirectURI when the breakpoint is hit. It should look something like ms-app://s-1-15-2-1352796503-54529114-405753024-3540103335-3203256200-511895534-1429095407/. Back on the ReplyURLs tab of your application in the Azure portal, add this value.
Hope this is useful to someone else who runs into the same problem!
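The two answers above combined into one UWP sign-in helper, as an added example that is not code from the original post: the redirect URI comes from the broker (so the authorization response can only be delivered back to this package's own ms-app:// callback), a silent acquisition is tried first, and the interactive fallback asks WAB for Windows Integrated Authentication. The authority, resource and client id are placeholders you replace with your own values, and the https check is an assumption added here because ADFS authorities are used with authority validation switched off.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Windows.Security.Authentication.Web;

// Added example, not from the original post. Placeholders in angle brackets
// are your own ADFS host, protected resource and native-client id.
public static class AdfsSignIn
{
    private const string Authority = "https://<adfs-host>/adfs/oauth2";
    private const string Resource = "<resource-uri>";
    private const string ClientId = "<client-id>";

    // ADFS is not a known Azure AD authority, so validation is disabled here;
    // the https check below is our own guard for that disabled validation.
    private static readonly AuthenticationContext Context =
        new AuthenticationContext(Authority, false);

    public static async Task<AuthenticationResult> AcquireTokenAsync()
    {
        if (!Authority.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("ADFS authority must use https.");

        // The redirect URI must be the ms-app://<package SID>/ value WAB assigns
        // to this package, and the same value must be configured for the native
        // client on ADFS. An arbitrary string leaves the app on the plain
        // /authorize form page instead of /authorize/wia.
        Uri redirectUri = WebAuthenticationBroker.GetCurrentApplicationCallbackUri();

        try
        {
            // Cached access token, or renewal via the cached refresh token: no UI.
            return await Context.AcquireTokenSilentAsync(Resource, ClientId);
        }
        catch (AdalException ex) when (
            ex.ErrorCode == AdalError.FailedToAcquireTokenSilently ||
            ex.ErrorCode == AdalError.InteractionRequired)
        {
            // useCorporateNetwork = true lets WAB use Windows Integrated
            // Authentication, so a domain-joined user gets SSO instead of a
            // username/password form. This needs the Enterprise Authentication,
            // Private Networks and Shared User Certificates capabilities in
            // Package.appxmanifest.
            var parameters = new PlatformParameters(PromptBehavior.Auto, true);
            return await Context.AcquireTokenAsync(Resource, ClientId, redirectUri, parameters);
        }
    }
}
```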