将不记名令牌写入 Javascript
Writing Bearer Token to Javascript
我正在尝试进行概念验证。我正在使用 Azure Active Directory 并尝试在遗留项目中实施 OAuth。
本项目一半使用Web Forms,另一半直接通过javascript调用另一个项目中的WebAPI。
作为测试,我通过 UseOpenIdConnectAuthentication 的 AuthorizationCodeReceived 通知事件获取 Bearer Token。我快速将令牌写入使用以下代码调用 WebAPI 的页面:
$.ajax({
url: baseVotingHeaderURL,
type: 'GET',
dataType: "json",
beforeSend: function(xhr){
xhr.setRequestHeader('Authorization', 'Bearer ' + XXXXXXXXXXXXXXXXX);
},
success: function(result) {
options.success(result);
},
error: function(err) {
options.error(err);
}
});
我可以在 Fiddler 中看到正在传递令牌:
不存在 Proxy-Authorization Header。
授权 Header 存在:Bearer XXXXXXXXXXXXXXXX(我显然已将令牌替换为 X)
我仍然收到未经授权的 401。
为什么这不起作用?
下面是来自Startup.Auth.cs
的代码
app.SetDefaultSignInAsAuthenticationType( CookieAuthenticationDefaults.AuthenticationType );
app.UseCookieAuthentication( new CookieAuthenticationOptions( ) );
app.UseWindowsAzureActiveDirectoryBearerAuthentication( new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
Tenant = "XXXXXX.onmicrosoft.com",
AuthenticationType = "OAuth2Bearer",
TokenValidationParameters = new TokenValidationParameters( )
{
ValidAudience = "https://XXXX.onmicrosoft.com/XXXXX"
}
} );
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
Authority = "https://login.microsoftonline.com/XXXXX.onmicrosoft.com",
PostLogoutRedirectUri = "https://XXXXXXX/gbl/Home.aspx",
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = context =>
{
context.HandleResponse( );
context.Response.Redirect( "/Error?message=" + context.Exception.Message );
return Task.FromResult( 0 );
},
AuthorizationCodeReceived = context =>
{
var client = ClientId;
var key = "XXXXXXXXXXXXXXXXXXX=";
var credential = new ClientCredential( client, key );
var authority = String.Format( CultureInfo.InvariantCulture, @"https://login.microsoftonline.com/{0}", "XXXXX.onmicrosoft.com" );
var authContext = new Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext( authority );
Uri redirectUri = new Uri( HttpContext.Current.Request.Url.GetLeftPart( UriPartial.Path ) );
var apiResourceId = "https://graph.windows.net";
AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(
context.Code, redirectUri, credential, apiResourceId );
EndpointAndTokenHelper.DecodeAndWrite( result.AccessToken );
System.Diagnostics.Debug.WriteLine( result.AccessToken );
return Task.FromResult( 0 );
}
}
} );
}
我是在逐字逐句地学习这些例子。但是,authContext.AquireTokenByAuthorizationCode 中的最后一个参数应该是我的 WebAPI 资源而不是 https://graph.windows.net。
我不知道为什么示例使用 https://graph.windows.net。
我正在尝试进行概念验证。我正在使用 Azure Active Directory 并尝试在遗留项目中实施 OAuth。
本项目一半使用Web Forms,另一半直接通过javascript调用另一个项目中的WebAPI。
作为测试,我通过 UseOpenIdConnectAuthentication 的 AuthorizationCodeReceived 通知事件获取 Bearer Token。我快速将令牌写入使用以下代码调用 WebAPI 的页面:
$.ajax({
url: baseVotingHeaderURL,
type: 'GET',
dataType: "json",
beforeSend: function(xhr){
xhr.setRequestHeader('Authorization', 'Bearer ' + XXXXXXXXXXXXXXXXX);
},
success: function(result) {
options.success(result);
},
error: function(err) {
options.error(err);
}
});
我可以在 Fiddler 中看到正在传递令牌:
不存在 Proxy-Authorization Header。 授权 Header 存在:Bearer XXXXXXXXXXXXXXXX(我显然已将令牌替换为 X)
我仍然收到未经授权的 401。
为什么这不起作用?
下面是来自Startup.Auth.cs
的代码app.SetDefaultSignInAsAuthenticationType( CookieAuthenticationDefaults.AuthenticationType );
app.UseCookieAuthentication( new CookieAuthenticationOptions( ) );
app.UseWindowsAzureActiveDirectoryBearerAuthentication( new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
Tenant = "XXXXXX.onmicrosoft.com",
AuthenticationType = "OAuth2Bearer",
TokenValidationParameters = new TokenValidationParameters( )
{
ValidAudience = "https://XXXX.onmicrosoft.com/XXXXX"
}
} );
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
Authority = "https://login.microsoftonline.com/XXXXX.onmicrosoft.com",
PostLogoutRedirectUri = "https://XXXXXXX/gbl/Home.aspx",
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = context =>
{
context.HandleResponse( );
context.Response.Redirect( "/Error?message=" + context.Exception.Message );
return Task.FromResult( 0 );
},
AuthorizationCodeReceived = context =>
{
var client = ClientId;
var key = "XXXXXXXXXXXXXXXXXXX=";
var credential = new ClientCredential( client, key );
var authority = String.Format( CultureInfo.InvariantCulture, @"https://login.microsoftonline.com/{0}", "XXXXX.onmicrosoft.com" );
var authContext = new Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext( authority );
Uri redirectUri = new Uri( HttpContext.Current.Request.Url.GetLeftPart( UriPartial.Path ) );
var apiResourceId = "https://graph.windows.net";
AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(
context.Code, redirectUri, credential, apiResourceId );
EndpointAndTokenHelper.DecodeAndWrite( result.AccessToken );
System.Diagnostics.Debug.WriteLine( result.AccessToken );
return Task.FromResult( 0 );
}
}
} );
}
我是在逐字逐句地学习这些例子。但是,authContext.AquireTokenByAuthorizationCode 中的最后一个参数应该是我的 WebAPI 资源而不是 https://graph.windows.net。
我不知道为什么示例使用 https://graph.windows.net。