dotnet Web API - MSAL ( Microsoft.Identity.Web ) 注册多个身份验证提供程序
dotnet Web API - MSAL ( Microsoft.Identity.Web ) register multiple authentication providers
我正在开发 Web API 并使用 Microsoft.Identity.Web 库来保护 APIs。
我有一个场景,不同的 APIs /控制器需要接受不同 Azure AD 应用程序注册颁发的令牌
目前,我有这样的事情:
services.AddMicrosoftIdentityWebApiAuthentication(Configuration.GetSection("Api1"));
services.AddAuthorization(options =>
{
options.DefaultPolicy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
.Build();
});
...
//Controller1
[Authorize]
[ApiController]
public class Controller1 : ControllerBase
{...}
在上面的示例中,我使用 Api1
配置部分为我的 Azure AD 应用程序注册提供 ClientID
/Tenant
/Audience
值。
我希望能够添加另一个授权“规则”(?),以便我可以将 Controller2 配置为接受来自第二个应用程序注册的令牌:
services.AddMicrosoftIdentityWebApiAuthentication(Configuration.GetSection("Api1"));
services.AddMicrosoftIdentityWebApiAuthentication(Configuration.GetSection("Api2")); //this probably won't work as it will clobber the services instance?
services.AddAuthorization(options =>
{
options.DefaultPolicy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
.Build();
});
...
//Controller1
[Authorize] --- With Api1 settings?
[ApiController]
public class Controller1 : ControllerBase
{...}
//Controller2
[Authorize] --- With Api2 settings?
[ApiController]
public class Controller2 : ControllerBase
{...}
为什么我需要使用 2 个不同的应用程序注册的要求超出了我的范围,无法更改。
目前,我通过创建 2 个 Web API 项目/应用程序解决了这个问题,但我真的很想尽可能地整合这些项目/应用程序。
因此,您确实可以注册多个身份验证配置文件,并且当您想要针对一个或另一个进行验证时,您可以使用 jwtBearerScheme
作为区分器。
对于身份验证,您可以为每个方案定义不同的身份验证要求,如下所示:
services.AddMicrosoftIdentityWebApiAuthentication(
Configuration.GetSection("Api1"),
jwtBearerScheme: "Api1Scheme"
);
services.AddMicrosoftIdentityWebApiAuthentication(
Configuration.GetSection("Api2"),
jwtBearerScheme: "Api2Scheme"
);
services.AddAuthorization(options =>
{
options.AddPolicy("Api2Policy", new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.AddAuthenticationSchemes("Api2Scheme")
.RequireRole("SomeRole")
.Build());
options.DefaultPolicy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.AddAuthenticationSchemes("Api1Scheme")
.Build();
});
...
//Controller1
[Authorize] //Because ApiScheme1 is registered as the Default Authorization, no disambiguation needed here
[ApiController]
public class Controller1 : ControllerBase
{...}
//Controller2
[Authorize(AuthenticationSchemes = "Api2Scheme", Policy = "Api2Policy")]
[ApiController]
public class Controller2 : ControllerBase
{...}
我正在开发 Web API 并使用 Microsoft.Identity.Web 库来保护 APIs。
我有一个场景,不同的 APIs /控制器需要接受不同 Azure AD 应用程序注册颁发的令牌
目前,我有这样的事情:
services.AddMicrosoftIdentityWebApiAuthentication(Configuration.GetSection("Api1"));
services.AddAuthorization(options =>
{
options.DefaultPolicy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
.Build();
});
...
//Controller1
[Authorize]
[ApiController]
public class Controller1 : ControllerBase
{...}
在上面的示例中,我使用 Api1
配置部分为我的 Azure AD 应用程序注册提供 ClientID
/Tenant
/Audience
值。
我希望能够添加另一个授权“规则”(?),以便我可以将 Controller2 配置为接受来自第二个应用程序注册的令牌:
services.AddMicrosoftIdentityWebApiAuthentication(Configuration.GetSection("Api1"));
services.AddMicrosoftIdentityWebApiAuthentication(Configuration.GetSection("Api2")); //this probably won't work as it will clobber the services instance?
services.AddAuthorization(options =>
{
options.DefaultPolicy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
.Build();
});
...
//Controller1
[Authorize] --- With Api1 settings?
[ApiController]
public class Controller1 : ControllerBase
{...}
//Controller2
[Authorize] --- With Api2 settings?
[ApiController]
public class Controller2 : ControllerBase
{...}
为什么我需要使用 2 个不同的应用程序注册的要求超出了我的范围,无法更改。
目前,我通过创建 2 个 Web API 项目/应用程序解决了这个问题,但我真的很想尽可能地整合这些项目/应用程序。
因此,您确实可以注册多个身份验证配置文件,并且当您想要针对一个或另一个进行验证时,您可以使用 jwtBearerScheme
作为区分器。
对于身份验证,您可以为每个方案定义不同的身份验证要求,如下所示:
services.AddMicrosoftIdentityWebApiAuthentication(
Configuration.GetSection("Api1"),
jwtBearerScheme: "Api1Scheme"
);
services.AddMicrosoftIdentityWebApiAuthentication(
Configuration.GetSection("Api2"),
jwtBearerScheme: "Api2Scheme"
);
services.AddAuthorization(options =>
{
options.AddPolicy("Api2Policy", new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.AddAuthenticationSchemes("Api2Scheme")
.RequireRole("SomeRole")
.Build());
options.DefaultPolicy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.AddAuthenticationSchemes("Api1Scheme")
.Build();
});
...
//Controller1
[Authorize] //Because ApiScheme1 is registered as the Default Authorization, no disambiguation needed here
[ApiController]
public class Controller1 : ControllerBase
{...}
//Controller2
[Authorize(AuthenticationSchemes = "Api2Scheme", Policy = "Api2Policy")]
[ApiController]
public class Controller2 : ControllerBase
{...}