ARM 模板 Web 应用程序身份验证设置不起作用
ARM Template Web App Authentication Settings not working
我正在设置我的站点身份验证设置以使用 AAD 提供程序。大多数模板都受到尊重。但是,unauthenticatedClientAction 和 allowedAudiences 没有被正确分配。我观察到 'allow anonymous' 并且没有分配 'allowed audiences'。
Please note that I was working with the ARM Template API 2018-02-01. This problem may still exist due to the documentation, if you provide an answer, please note the ARM Template version it addresses.
Additionally, create an issue for the ARM documentation team to correct any issues.
这是我的这些设置的模板段。它嵌套在我的网站模板中的资源下。
root > Microsoft.Web/Site > 资源
{
"type": "config",
"name": "web",
"apiVersion": "2016-08-01",
"location": "[parameters('app-location')]",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('web-site-name'))]"
],
"properties": {
"siteAuthEnabled": true,
"siteAuthSettings": {
"enabled": true,
"unauthenticatedClientAction": "RedirectToLoginPage",
"tokenStoreEnabled": true,
"defaultProvider": "AzureActiveDirectory",
"clientId": "[parameters('web-aad-client-id')]",
"issuer": "[concat('https://sts.windows.net/', parameters('web-aad-tenant'))]",
"allowedAudiences": [
"[concat('https://', variables('web-site-name'), '.azurewebsites.net')]"
]
}
}
}
- 模板验证
- 部署没有输出任何错误
问题:
unauthenticatedClientAction 被分配允许匿名不 RedirectToLoginPageallowedAudiences 未分配任何站点
是什么导致了这些问题?我可能错过了什么?
在与 Azure 支持的优秀人员合作后,我得到了答案。
Please note that this solution targets API 2018-02-01 which was the current version at the time of this post.
此子资源不再是有效的解决方案,而端点可能仍能识别其某些字段,已弃用。
新的解决方案是将 siteAuthSettings 对象添加到主要的 'Microsoft.Web/site' 属性中,不再需要 siteAuthEnabled,因为 siteAuthSettings.enable 复制了此功能。
更新了 ARM 模板(为简洁起见删除了其他设置)
{
"name": "[variables('app-service-name')]",
"type": "Microsoft.Web/sites",
"location": "[parameters('app-location')]",
"apiVersion": "2016-08-01",
"dependsOn": [
"[variables('app-plan-name')]"
],
"properties": {
//... other app service settings
"siteAuthSettings": {
"enabled": true,
"unauthenticatedClientAction": "RedirectToLoginPage",
"tokenStoreEnabled": true,
"defaultProvider": "AzureActiveDirectory",
"clientId": "[parameters('web-aad-client-id')]",
"issuer": "[concat('https://sts.windows.net/', parameters('web-aad-tenant'))]",
"allowedAudiences": [
"[concat('https://', variables('web-site-name'), '.azurewebsites.net')]"
]
}
}
}
正如@Michael 所建议的那样,必须将 siteAuthSettings 对象添加到 siteConfig 对象,而不仅仅是在根 properties 对象下。
{
"apiVersion": "2019-08-01",
"name": "[variables('webAppName')]",
"type": "Microsoft.Web/sites",
"kind": "app",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', variables('appServiceName'))]"
],
"properties": {
...
"siteConfig": {
"siteAuthSettings": {
"enabled": true,
"unauthenticatedClientAction": "RedirectToLoginPage",
"tokenStoreEnabled": true,
"defaultProvider": "AzureActiveDirectory",
"clientId": "[parameters('clientId')]",
"issuer": "[concat('https://sts.windows.net/', parameters('tenantId'), '/')]"
}
}
}
}
给出的其他解决方案仅适用于使用经典身份验证体验(身份验证(经典))。如果您想使用新的身份验证体验,请使用以下配置:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "2019-08-01",
"name": "[variables('webAppName')]",
"type": "Microsoft.Web/sites",
"kind": "app",
"location": "[resourceGroup().location]",
"resources": [
{
"type": "config",
"apiVersion": "2020-12-01",
"name": "authsettingsV2",
"location": "[resourceGroup().location]",
"dependsOn": [
"[concat('Microsoft.Web/sites/', variables('webAppName'))]"
],
"properties": {
"platform": {
"enabled": true,
"runtimeVersion": "~1"
},
"identityProviders": {
"azureActiveDirectory": {
"isAutoProvisioned": false,
"registration": {
"clientId": "[parameters('clientId')]",
"clientSecret": "[variables('clientSecret')]",
"openIdIssuer": "[concat('https://sts.windows.net/', parameters('tenantId'), '/v2.0')]"
},
"validation": {
"allowedAudiences": [
"https://management.core.windows.net/"
]
}
}
},
"login": {
"routes": {},
"tokenStore": {
"enabled": true,
"tokenRefreshExtensionHours": 72,
"fileSystem": {},
"azureBlobStorage": {}
},
"preserveUrlFragmentsForLogins": false,
"allowedExternalRedirectUrls": [],
"cookieExpiration": {
"convention": "FixedTime",
"timeToExpiration": "08:00:00"
},
"nonce": {
"validateNonce": true,
"nonceExpirationInterval": "00:05:00"
}
},
"globalValidation": {
"redirectToProvider": "azureactivedirectory",
"unauthenticatedClientAction": "RedirectToLoginPage"
},
"httpSettings": {
"requireHttps": true,
"routes": {
"apiPrefix": "/.auth"
},
"forwardProxy": {
"convention": "NoProxy"
}
}
}
}
]
}
]
}
我正在设置我的站点身份验证设置以使用 AAD 提供程序。大多数模板都受到尊重。但是,unauthenticatedClientAction 和 allowedAudiences 没有被正确分配。我观察到 'allow anonymous' 并且没有分配 'allowed audiences'。
Please note that I was working with the ARM Template API 2018-02-01. This problem may still exist due to the documentation, if you provide an answer, please note the ARM Template version it addresses.
Additionally, create an issue for the ARM documentation team to correct any issues.
这是我的这些设置的模板段。它嵌套在我的网站模板中的资源下。
root > Microsoft.Web/Site > 资源
{
"type": "config",
"name": "web",
"apiVersion": "2016-08-01",
"location": "[parameters('app-location')]",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('web-site-name'))]"
],
"properties": {
"siteAuthEnabled": true,
"siteAuthSettings": {
"enabled": true,
"unauthenticatedClientAction": "RedirectToLoginPage",
"tokenStoreEnabled": true,
"defaultProvider": "AzureActiveDirectory",
"clientId": "[parameters('web-aad-client-id')]",
"issuer": "[concat('https://sts.windows.net/', parameters('web-aad-tenant'))]",
"allowedAudiences": [
"[concat('https://', variables('web-site-name'), '.azurewebsites.net')]"
]
}
}
}
- 模板验证
- 部署没有输出任何错误
问题:
unauthenticatedClientAction被分配允许匿名不 RedirectToLoginPageallowedAudiences未分配任何站点
是什么导致了这些问题?我可能错过了什么?
在与 Azure 支持的优秀人员合作后,我得到了答案。
Please note that this solution targets API 2018-02-01 which was the current version at the time of this post.
此子资源不再是有效的解决方案,而端点可能仍能识别其某些字段,已弃用。
新的解决方案是将 siteAuthSettings 对象添加到主要的 'Microsoft.Web/site' 属性中,不再需要 siteAuthEnabled,因为 siteAuthSettings.enable 复制了此功能。
更新了 ARM 模板(为简洁起见删除了其他设置)
{
"name": "[variables('app-service-name')]",
"type": "Microsoft.Web/sites",
"location": "[parameters('app-location')]",
"apiVersion": "2016-08-01",
"dependsOn": [
"[variables('app-plan-name')]"
],
"properties": {
//... other app service settings
"siteAuthSettings": {
"enabled": true,
"unauthenticatedClientAction": "RedirectToLoginPage",
"tokenStoreEnabled": true,
"defaultProvider": "AzureActiveDirectory",
"clientId": "[parameters('web-aad-client-id')]",
"issuer": "[concat('https://sts.windows.net/', parameters('web-aad-tenant'))]",
"allowedAudiences": [
"[concat('https://', variables('web-site-name'), '.azurewebsites.net')]"
]
}
}
}
正如@Michael 所建议的那样,必须将 siteAuthSettings 对象添加到 siteConfig 对象,而不仅仅是在根 properties 对象下。
{
"apiVersion": "2019-08-01",
"name": "[variables('webAppName')]",
"type": "Microsoft.Web/sites",
"kind": "app",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', variables('appServiceName'))]"
],
"properties": {
...
"siteConfig": {
"siteAuthSettings": {
"enabled": true,
"unauthenticatedClientAction": "RedirectToLoginPage",
"tokenStoreEnabled": true,
"defaultProvider": "AzureActiveDirectory",
"clientId": "[parameters('clientId')]",
"issuer": "[concat('https://sts.windows.net/', parameters('tenantId'), '/')]"
}
}
}
}
给出的其他解决方案仅适用于使用经典身份验证体验(身份验证(经典))。如果您想使用新的身份验证体验,请使用以下配置:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "2019-08-01",
"name": "[variables('webAppName')]",
"type": "Microsoft.Web/sites",
"kind": "app",
"location": "[resourceGroup().location]",
"resources": [
{
"type": "config",
"apiVersion": "2020-12-01",
"name": "authsettingsV2",
"location": "[resourceGroup().location]",
"dependsOn": [
"[concat('Microsoft.Web/sites/', variables('webAppName'))]"
],
"properties": {
"platform": {
"enabled": true,
"runtimeVersion": "~1"
},
"identityProviders": {
"azureActiveDirectory": {
"isAutoProvisioned": false,
"registration": {
"clientId": "[parameters('clientId')]",
"clientSecret": "[variables('clientSecret')]",
"openIdIssuer": "[concat('https://sts.windows.net/', parameters('tenantId'), '/v2.0')]"
},
"validation": {
"allowedAudiences": [
"https://management.core.windows.net/"
]
}
}
},
"login": {
"routes": {},
"tokenStore": {
"enabled": true,
"tokenRefreshExtensionHours": 72,
"fileSystem": {},
"azureBlobStorage": {}
},
"preserveUrlFragmentsForLogins": false,
"allowedExternalRedirectUrls": [],
"cookieExpiration": {
"convention": "FixedTime",
"timeToExpiration": "08:00:00"
},
"nonce": {
"validateNonce": true,
"nonceExpirationInterval": "00:05:00"
}
},
"globalValidation": {
"redirectToProvider": "azureactivedirectory",
"unauthenticatedClientAction": "RedirectToLoginPage"
},
"httpSettings": {
"requireHttps": true,
"routes": {
"apiPrefix": "/.auth"
},
"forwardProxy": {
"convention": "NoProxy"
}
}
}
}
]
}
]
}