Register MicroServices in Azure Active Directory (AAD) for Security
Question
I have a Service Fabric application (stateless and stateful) deployed in a Service Fabric cluster. I am trying to implement security in the applications. The application uses the Active Directory Authentication Library (ADAL) to get a token from Azure AD using the OAuth 2.0 client credential flow, where the client credential is a password. I am able to implement the same scenario in ordinary Web API applications by registering them in the Azure portal. Can anyone tell me how to register a Service Fabric microservice application with a Web API exposed using OWIN? I have difficulties registering the reply URL and sign-on URL as the URLs are dynamic (for stateful partition ID and replica ID). I receive unauthorized access while calling the corresponding service. I am not sure what URL has to be registered for a stateful or stateless application when adding the application in Azure Active Directory. Could you please suggest where I'm wrong and what to do to implement this?
Answer
"Can anyone tell me how to register a Service Fabric microservice application with a Web API exposed using OWIN? I have difficulties registering the reply URL and sign-on URL as the URLs are dynamic (for stateful partition ID and replica ID)."
The client credential flow is used for a service or daemon app. There is no need to use the redirect_url when we use the client credential flow to acquire the token. You can register any valid redirect_url. Here is an example that uses the client credential flow:
POST https://login.microsoftonline.com/<tenantId>/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
&client_id=<clientId>
&client_secret=<clientSecret>
&resource=<app id uri of your web api >
And it is the same to integrate a Web API hosted in Azure Service Fabric with Azure AD. Here is an example for your reference:
1. Register a web app (app1) which is used to protect the Web API on the Azure portal
2. Register a web app (app2) as the client that requests the Web API
3. Grant app2 access to app1 from the portal
4. Use the Stateless Web API template
5. Configure the app.config of the Service Fabric application:
<add key="ida:Audience" value="app id Uri of app1" />
<add key="ida:Tenant" value="tenantId" />
6. Install the package Microsoft.Owin.Security.ActiveDirectory:
Install-Package Microsoft.Owin.Security.ActiveDirectory
7. Modify the startup code as below (note: the call to appBuilder.UseWindowsAzureActiveDirectoryBearerAuthentication must come before appBuilder.UseWebApi(config)):
using System.Configuration;
using System.Web.Http;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

public class Startup
{
    public static void ConfigureApp(IAppBuilder appBuilder)
    {
        // Configure Web API for self-host.
        HttpConfiguration config = new HttpConfiguration();
        config.Routes.MapHttpRoute(
            name: "DefaultApi",
            routeTemplate: "api/{controller}/{id}",
            defaults: new { id = RouteParameter.Optional }
        );

        // Validate Azure AD bearer tokens before the Web API pipeline runs,
        // so UseWebApi(config) must come after this call.
        appBuilder.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Audience = ConfigurationManager.AppSettings["ida:Audience"],
                Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
                TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
                {
                    // false accepts tokens issued by any Azure AD tenant;
                    // keep the default (true) unless the API is intentionally multi-tenant.
                    ValidateIssuer = false
                }
            });

        appBuilder.UseWebApi(config);
    }
}
- Run the Service Fabric application
- Acquire a token using the client credential flow above (clientId and clientSecret are those of app2)
- Call the service exposed by the Service Fabric application with the access token; it works well
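To make the two halves of this answer concrete, here is an added example (not the answerer's code and not part of any Microsoft library) that builds the client_credentials POST body exactly as shown in the token request above, and then performs the checks the OWIN bearer middleware in the startup code applies to an incoming token: signature, audience (ida:Audience), issuer derived from the tenant (the step that `ValidateIssuer = false` switches off), and the nbf/exp window. Real Azure AD tokens are RS256-signed with keys published at the tenant's discovery endpoint; the example uses an HS256 token minted locally with a constructed key so it runs offline, and every tenant, client, audience and key value is a placeholder.

```python
"""Client-credentials request and bearer-token validation, as an added example."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/token"  # v1 endpoint used in the answer

# Constructed placeholder values; none of these belong to a real tenant or app.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "app2-client-id-placeholder"
CLIENT_SECRET = "app2-secret-placeholder"
AUDIENCE = "https://app1.contoso.example"          # app id URI of app1 (ida:Audience)
DEMO_KEY = b"constructed-demo-signing-key"          # stand-in for AAD's RS256 signing key


def build_token_request(tenant_id, client_id, client_secret, resource):
    """Return (url, headers, body) for the client_credentials POST shown in the answer."""
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    })
    url = TOKEN_ENDPOINT.format(tenant=tenant_id)
    return url, {"Content-Type": "application/x-www-form-urlencoded"}, body


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT for offline testing (constructed; AAD itself issues RS256 tokens)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class TokenError(Exception):
    """Raised for any reason the middleware would answer 401."""


def validate_bearer_token(token, key, audience, tenant_id, validate_issuer=True, now=None):
    """Apply the middleware's checks in order: shape, signature, time window, aud, iss."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":   # demo key type only
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("nbf", 0) > now or claims.get("exp", 0) <= now:
        raise TokenError("token not yet valid or expired")
    if claims.get("aud") != audience:
        raise TokenError(f"audience {claims.get('aud')!r} is not {audience!r}")
    if validate_issuer:
        # v1 tokens carry the tenant-specific STS issuer; ValidateIssuer = false skips this.
        if claims.get("iss") != f"https://sts.windows.net/{tenant_id}/":
            raise TokenError("issuer mismatch")
    return claims


def demo_claims(tenant_id=TENANT_ID, aud=AUDIENCE):
    """Constructed claim set resembling what app2 receives for app1."""
    return {"aud": aud, "iss": f"https://sts.windows.net/{tenant_id}/",
            "appid": CLIENT_ID, "nbf": 1000, "exp": 4600}


if __name__ == "__main__":
    url, headers, body = build_token_request(TENANT_ID, CLIENT_ID, CLIENT_SECRET, AUDIENCE)
    print("POST", url, headers, body)
    token = mint_demo_token(demo_claims(), DEMO_KEY)
    print(validate_bearer_token(token, DEMO_KEY, AUDIENCE, TENANT_ID, now=2000))
```

The issuer check is the one to watch: with `validate_issuer=False` a token minted for the same audience by a different tenant's STS is accepted, which is exactly the relaxation the `ValidateIssuer = false` line in the startup code introduces.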