我创建了一个使用 Azure AD 作为标识的 .NET 核心 Web 应用程序.这一切都按预期正常工作,并且我使用 [Authroize] 装饰的任何东西都受到保护.
我现在想要确保我的一个 API 控制器可以从外部服务访问.
我遵循了解释服务服务身份验证的本教程.
一些额外的点
感谢任何帮助!
我设法尝试了 Daemon .NET 4.5 应用程序,它使用 UseWindowsAzureActiveDirectoryBearerToken 完美运行
守护进程服务在 .NET 4.5 上提供身份验证服务p>
但是在我的 .NET Core 应用程序中,该中间件不可用,因此我尝试使用 JwtBearer 中间件,但仍然收到登录提示.
app.UseJwtBearerAuthentication(new JwtBearerOptions{观众 = "https://localhost:44392",授权 = "https://login.microsoftonline.com/{TENANTNAME}.onmicrosoft.com"});
如您所见,我只在 BearerOptions 中设置了 2 个属性,但我相信它们应该足以 [Authorize] 我的 API 端点.
POST https://login.microsoftonline.com/{CLIENTID}/oauth2/token
首先获取token时token点不正确,我们应该使用tenantId
而不是clientId
.
为了解决这个问题,我建议您从 this site 解码 access_token 以查看 aud
声明与您在 Web API 项目中配置的 Audience
相同.
Ive created a .NET core web app which is using Azure AD for the identity. This is all working fine as expected and anything I decorate using [Authroize] is protected.
I am now wanting to secure one of my API controllers to be accessible from an external service.
I followed this tutorial which explains service-service authentication.
Service to service auth with Azure AD
Using this I have managed to request a token
POST https://login.microsoftonline.com/{TENANTID}/oauth2/token
grant_type=client_credentials
&client_id={CLIENTID}
&client_secret={CLIENTSECRET}
&resource=https%3A%2F%mydirectory.onmicrosoft.com/myappname
Running this with postman, I get the Bearer access_token so looks good.
Now if I call my web app in Postman with this bearer token on the header,
GET https://localhost:44392/api/booking
Authorization Bearer {access_token}
I get a HTML response from one the Microsoft dialogues. So it seems it is just going into the redirect loop, so I am now confused on whether I have a configuration problem in the token request, or whether my web app needs to be setup in a different way. The article here mentions something about permissions in the manifest file, but I am confused why this would be necessary?
enter link description here
Some additional points
Any assistance appreciated!
I managed to try the Daemon .NET 4.5 app and this worked flawlessly using the UseWindowsAzureActiveDirectoryBearerToken
Daemon Service to service auth on .NET 4.5
However in my .NET Core app, this middleware isn't available so I tried using JwtBearer middleware but I still get the login prompt.
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
Audience = "https://localhost:44392",
Authority = "https://login.microsoftonline.com/{TENANTNAME}.onmicrosoft.com"
});
As you can see, I have only set 2 properties in the BearerOptions but I believe they should have been enough to [Authorize] my API endpoint.
POST https://login.microsoftonline.com/{CLIENTID}/oauth2/token
First the token point is incorrect when you acquire the token, we should use tenantId
instead of clientId
.
And to troubleshoot this issue, I suggest that you decode the access_token from this site to see whether the aud
claim in the token is same as Audience
you config in the web API project.
这篇关于使用 Azure AD 和 WebAPI 的服务到服务身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持html5模板网!