.NET STANDARD 4.7.2 Azure Bearer Token 授权
.NET STANDARD 4.7.2 Azure Bearer Token Authorization
我有一个 .NET MVC5/API 应用程序,它通过 Azure 通过 OWIN 对用户进行身份验证。本身效果很好。用户使用他们的 Azure AD 帐户登录没有问题。我还需要授权从同一 AD Azure 域进行身份验证的用户能够从其他应用程序访问此 API。 IE 客户端应用程序(已经有 Azure 授权用户)-> 此服务器应用程序。我的开发客户端是一个使用 MSAL 模块的 Angular 应用程序,它确实在其对我的 .NET API 应用程序的请求中传递了 azure 承载令牌(在 Fiddler 中看到)。但是,响应始终是重定向到 microsoft.login,在客户端上显示为 CORS 错误。如何配置我的 .NET STANDARD 应用程序以通过 Azure 在本地授权用户并接受已授权的 Azure 不记名令牌?此外,客户端和服务器应用程序权限已在 Azure 中设置(正确?不是 100%)。
我的Startup.Auth:
public partial class Startup
{
private static string redirectUrl = "Https://" + Settings.RootURL;
private static string clientId = Settings.GraphClientID;
private static string aadInstance = "https://login.microsoftonline.com/";
private static string tenantId = Settings.GraphTenantID;
private static string authority = aadInstance + tenantId;
public void ConfigureAuth(IAppBuilder app)
{
app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions { CookieName = "CIM-Cookie", SlidingExpiration=true });
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
// Sets the ClientId, authority, RedirectUri as obtained from Settings.json
ClientId = clientId,
Authority = authority,
RedirectUri = redirectUrl,
UseTokenLifetime = false, //set to false to manage session with the cookie middleware
PostLogoutRedirectUri = redirectUrl,
Scope = OpenIdConnectScope.OpenIdProfile,
// ResponseType is set to request the id_token - which contains basic information about the signed-in user
ResponseType = OpenIdConnectResponseType.IdToken,
//SignInAsAuthenticationType="Cookies",
TokenValidationParameters = new TokenValidationParameters()
{
ValidateIssuer = false,
RoleClaimType = "groups",
NameClaimType = "name",
},
// OpenIdConnectAuthenticationNotifications configures OWIN to send notification of failed authentications to OnAuthenticationFailed method
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = OnAuthenticationFailed,
SecurityTokenValidated = (context) =>
{
var identity = context.AuthenticationTicket.Identity;
var emailClaim = identity.Claims.Where(r => r.Type == ClaimTypes.Name).FirstOrDefault();
identity.AddClaim(emailClaim);
return Task.FromResult(0);
}
}
});
}
private Task OnAuthenticationFailed(AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
{
context.HandleResponse();
context.Response.Redirect("/?errormessage=" + context.Exception.Message);
return Task.FromResult(0);
}
}
确保您已从服务器应用程序公开 api 并添加了客户端应用程序。
当您从客户端应用程序获取访问令牌时,请使用 api://{client_app_id}/.default
作为范围。
参考:
天哪。几个小时后,我找到了解决方案。我将此添加到我的 startup.auth:
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
Audience = "https://xxxx.onmicrosoft.com/xxxx",
Tenant = tenantId
});
希望有一天这对其他人有所帮助。
我有一个 .NET MVC5/API 应用程序,它通过 Azure 通过 OWIN 对用户进行身份验证。本身效果很好。用户使用他们的 Azure AD 帐户登录没有问题。我还需要授权从同一 AD Azure 域进行身份验证的用户能够从其他应用程序访问此 API。 IE 客户端应用程序(已经有 Azure 授权用户)-> 此服务器应用程序。我的开发客户端是一个使用 MSAL 模块的 Angular 应用程序,它确实在其对我的 .NET API 应用程序的请求中传递了 azure 承载令牌(在 Fiddler 中看到)。但是,响应始终是重定向到 microsoft.login,在客户端上显示为 CORS 错误。如何配置我的 .NET STANDARD 应用程序以通过 Azure 在本地授权用户并接受已授权的 Azure 不记名令牌?此外,客户端和服务器应用程序权限已在 Azure 中设置(正确?不是 100%)。
我的Startup.Auth:
public partial class Startup
{
private static string redirectUrl = "Https://" + Settings.RootURL;
private static string clientId = Settings.GraphClientID;
private static string aadInstance = "https://login.microsoftonline.com/";
private static string tenantId = Settings.GraphTenantID;
private static string authority = aadInstance + tenantId;
public void ConfigureAuth(IAppBuilder app)
{
app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions { CookieName = "CIM-Cookie", SlidingExpiration=true });
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
// Sets the ClientId, authority, RedirectUri as obtained from Settings.json
ClientId = clientId,
Authority = authority,
RedirectUri = redirectUrl,
UseTokenLifetime = false, //set to false to manage session with the cookie middleware
PostLogoutRedirectUri = redirectUrl,
Scope = OpenIdConnectScope.OpenIdProfile,
// ResponseType is set to request the id_token - which contains basic information about the signed-in user
ResponseType = OpenIdConnectResponseType.IdToken,
//SignInAsAuthenticationType="Cookies",
TokenValidationParameters = new TokenValidationParameters()
{
ValidateIssuer = false,
RoleClaimType = "groups",
NameClaimType = "name",
},
// OpenIdConnectAuthenticationNotifications configures OWIN to send notification of failed authentications to OnAuthenticationFailed method
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = OnAuthenticationFailed,
SecurityTokenValidated = (context) =>
{
var identity = context.AuthenticationTicket.Identity;
var emailClaim = identity.Claims.Where(r => r.Type == ClaimTypes.Name).FirstOrDefault();
identity.AddClaim(emailClaim);
return Task.FromResult(0);
}
}
});
}
private Task OnAuthenticationFailed(AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
{
context.HandleResponse();
context.Response.Redirect("/?errormessage=" + context.Exception.Message);
return Task.FromResult(0);
}
}
确保您已从服务器应用程序公开 api 并添加了客户端应用程序。
当您从客户端应用程序获取访问令牌时,请使用 api://{client_app_id}/.default
作为范围。
参考:
天哪。几个小时后,我找到了解决方案。我将此添加到我的 startup.auth:
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
Audience = "https://xxxx.onmicrosoft.com/xxxx",
Tenant = tenantId
});
希望有一天这对其他人有所帮助。