How to setup app.UseOAuthBearerAuthentication for handling different Azure B2C custom policies?

I read this article: Secure ASP.NET Web API 2 using Azure AD B2C – Part 2

In step 3, app.UseOAuthBearerAuthentication is called 3 times... once per policy.

I am only using 2 policies for testing: SignInPolicyId and SignUpPolicyId.

But when I do this:

app.UseOAuthBearerAuthentication(CreateBearerOptionsForPolicy(SignInPolicyId));
app.UseOAuthBearerAuthentication(CreateBearerOptionsForPolicy(SignUpPolicyId));

and pass a Provider with its OnValidateIdentity to handle validating claims and so on. Then I try to filter by policy as follows:

private OAuthBearerAuthenticationOptions CreateBearerOptionsForPolicy(string policy)
{
    var metadataEndpoint = string.Format(AadInstance, TenantId, policy);

    TokenValidationParameters tvps = new TokenValidationParameters
    {
        // This is where you specify that your API only accepts tokens from its own clients
        ValidAudience = ClientId,
        AuthenticationType = policy,
        NameClaimType = "http://schemas.microsoft.com/identity/claims/objectidentifier",
        ValidateIssuer = true
    };

    return new OAuthBearerAuthenticationOptions
    {
        AccessTokenFormat = new JwtFormat(tvps, new OpenIdConnectCachingSecurityTokenProvider(metadataEndpoint)),

        Provider = new OAuthBearerAuthenticationProvider
        {
            OnValidateIdentity = async context =>
            {
                try
                {
                    // The identity is the one JwtFormat just produced from the validated token
                    var identity = context.Ticket.Identity;
                    var policyName = identity.FindFirst("http://schemas.microsoft.com/claims/authnclassreference")?.Value;

                    if (policyName == SignInPolicyId.ToLower()) // Sign In Only policy...
                    {
                        // Run specific code here for the policy that just sent a token back to the application...
                    }
                }
                catch (Exception)
                {
                    // Any failure while inspecting the claims rejects the ticket
                    context.Rejected();
                }
            }
        }
    };
}

Problem: the policy being executed @ Azure B2C, that is, the one I invoke, is the Sign In policy, but the provider code is called twice. Once for each policy I registered, including the Sign Up one.

Question: is there a better way to do this so that we execute the right Provider? If the Sign In policy is invoked, only the Sign In provider should execute, and vice versa.

Edit:

I ran into the same issue described here (Sequence contains more than one element): http://bitoftech.net/2016/08/24/secure-aspnet-web-api-2-azure-ad-b2c/#comment-96913

Here is the exception:

at System.Linq.Enumerable.SingleOrDefault[TSource](IEnumerable`1 source)
at Microsoft.Owin.Security.AuthenticationManager.d__20.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Web.Http.HostAuthenticationFilter.d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Web.Http.Controllers.AuthenticationFilterResult.d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Web.Http.Controllers.ExceptionFilterResult.d__6.MoveNext()

Somehow I got it working with just one call:

app.UseOAuthBearerAuthentication(CreateBearerOptionsForPolicy(DefaultPolicyId));

Note that I only pass the default policy, let's say the Sign In one.

For the other policies it also hits the OnValidateIdentity delegate.

Regarding the policy name, we need to further customize the custom policy to return the policy ID claim, as described here.

Another answer @ SO helps in understanding this.

With that setup, when a policy is executed we can get the policy name by looking at the TFP (Trust Framework Policy) claim, as shown in the screenshot below:
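The single-registration approach from the edit above, written out as an added example (this is not code from the question or from the cited article): one OWIN bearer middleware validates tokens from every policy, and OnValidateIdentity dispatches to a per-policy handler keyed on the policy claim. Tokens whose policy claim is missing or not in the allowlist are rejected rather than falling through to the default handling. Assumed: the AadInstance/TenantId/ClientId/policy-name constants of the question (placeholder values below), that the custom policies emit the policy name in a "tfp" claim that the JWT handler does not remap (with the acr claim the question reads as a fallback), the OpenIdConnectCachingSecurityTokenProvider helper that ships with the cited article's sample, and Microsoft.Owin.Security.Jwt 4.x namespaces. The "NewUser" role added by the sign-up handler is a hypothetical illustration of policy-specific claims transformation.

```csharp
// Added example; assumptions are listed in the lead-in above.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;      // System.IdentityModel.Tokens on Microsoft.Owin.Security.Jwt 3.x
using Microsoft.Owin.Security.Jwt;
using Microsoft.Owin.Security.OAuth;
using Owin;

public partial class Startup
{
    // Placeholder values; the real ones come from configuration.
    private const string AadInstance = "https://login.microsoftonline.com/{0}/v2.0/.well-known/openid-configuration?p={1}";
    private const string TenantId = "contoso.onmicrosoft.com";
    private const string ClientId = "00000000-0000-0000-0000-000000000000";
    private const string SignInPolicyId = "B2C_1A_SignIn";
    private const string SignUpPolicyId = "B2C_1A_SignUp";
    private const string DefaultPolicyId = SignInPolicyId;

    // Claim carrying the policy name: "tfp" when the custom policy emits it (assumed not
    // remapped by the JWT handler), otherwise the acr claim the question reads.
    private const string TfpClaim = "tfp";
    private const string AcrClaim = "http://schemas.microsoft.com/claims/authnclassreference";
    private const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    private const string PolicyClaim = "policy"; // hypothetical claim added for downstream authorization

    // Explicit allowlist: one handler per policy this API accepts tokens from.
    private static readonly Dictionary<string, Func<OAuthValidateIdentityContext, Task>> PolicyHandlers =
        new Dictionary<string, Func<OAuthValidateIdentityContext, Task>>(StringComparer.OrdinalIgnoreCase)
        {
            { SignInPolicyId, OnSignInToken },
            { SignUpPolicyId, OnSignUpToken },
        };

    public void ConfigureAuth(IAppBuilder app)
    {
        // Register the bearer middleware exactly once; as the edit above observes, the
        // default policy's metadata is enough for OnValidateIdentity to see every policy's tokens.
        app.UseOAuthBearerAuthentication(CreateBearerOptions(DefaultPolicyId));
    }

    private static OAuthBearerAuthenticationOptions CreateBearerOptions(string metadataPolicy)
    {
        var metadataEndpoint = string.Format(AadInstance, TenantId, metadataPolicy);

        var tvps = new TokenValidationParameters
        {
            ValidAudience = ClientId,         // only tokens issued for this API
            ValidateIssuer = true,            // issuer is taken from the metadata document
            AuthenticationType = "Bearer",
            NameClaimType = ObjectIdClaim,
        };

        return new OAuthBearerAuthenticationOptions
        {
            AccessTokenFormat = new JwtFormat(tvps, new OpenIdConnectCachingSecurityTokenProvider(metadataEndpoint)),
            Provider = new OAuthBearerAuthenticationProvider { OnValidateIdentity = DispatchByPolicy },
        };
    }

    // Runs once per request, after signature, audience, issuer and lifetime checks have passed.
    private static Task DispatchByPolicy(OAuthValidateIdentityContext context)
    {
        var identity = context.Ticket.Identity;
        var policyName = identity.FindFirst(TfpClaim)?.Value ?? identity.FindFirst(AcrClaim)?.Value;

        Func<OAuthValidateIdentityContext, Task> handler;
        if (policyName == null || !PolicyHandlers.TryGetValue(policyName, out handler))
        {
            // Cryptographically valid but minted by a policy this API does not serve:
            // reject instead of silently treating it like the default policy.
            context.Rejected();
            return Task.FromResult(0);
        }

        return handler(context);
    }

    private static Task OnSignInToken(OAuthValidateIdentityContext context)
    {
        var identity = context.Ticket.Identity;
        // A sign-in token must identify a directory object to be usable as a principal.
        if (identity.FindFirst(ObjectIdClaim) == null)
        {
            context.Rejected();
            return Task.FromResult(0);
        }
        identity.AddClaim(new Claim(PolicyClaim, SignInPolicyId));
        context.Validated();
        return Task.FromResult(0);
    }

    private static Task OnSignUpToken(OAuthValidateIdentityContext context)
    {
        var identity = context.Ticket.Identity;
        identity.AddClaim(new Claim(PolicyClaim, SignUpPolicyId));
        // Lets onboarding endpoints be gated with [Authorize(Roles = "NewUser")].
        identity.AddClaim(new Claim(ClaimTypes.Role, "NewUser"));
        context.Validated();
        return Task.FromResult(0);
    }
}
```

Because only one middleware answers Web API's HostAuthenticationFilter, there is a single identity for it to pick, and the per-policy branching happens inside the one OnValidateIdentity instead of across several registrations. The allowlist check matters: a token from any other policy in the same tenant passes signature and audience validation just as well, so the policy claim is what stops it from being accepted with the default policy's semantics.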