Register MicroServices in Azure Active Directory (AAD) for Security


Problem description

I have a Service Fabric application (Stateless and Stateful) deployed in a Service Fabric cluster. I am trying to implement security in the applications. The application uses the Active Directory Authentication Library (ADAL) to get a token from Azure AD using the OAuth 2.0 client credential flow, where the client credential is a password. I am able to implement the same scenario in ordinary Web API applications by registering them in the Azure portal. Can anyone tell me how to register a Service Fabric microservice application with a Web API exposed using Owin? I have difficulties registering the reply URL and sign-on URL as the URLs are dynamic (for the stateful partition id and replica id). I receive unauthorized access while calling the corresponding service. I am not sure what URL has to be registered for a stateful or stateless application when adding the application in Azure Active Directory. Could you please suggest where I'm wrong and what to do to implement this?

Recommended answer

Can anyone tell me how to register a Service Fabric microservice application with a Web API exposed using Owin? I have difficulties registering the reply URL and sign-on URL as the URLs are dynamic (for the stateful partition id and replica id).

The client credential flow is used for a service or daemon app. There is no need to use the redirect_url when we use the client credential flow to acquire the token. You can register any valid redirect_url. Here is an example using the client credential:

POST https://login.microsoftonline.com/<tenantId>/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&client_id=<clientId>
&client_secret=<clientSecret>
&resource=<app id uri of your web api>

And it is the same when integrating a Web API with Azure AD using Azure Service Fabric. Here is an example for your reference:

1. Register a web app (app1) which is used to protect the Web API on the Azure portal

2. Register a web app (app2) as the client to request the Web API

3. Grant app1 to app2 from the portal

4. Use the Stateless Web API template

5. Configure the app.config of the Service Fabric application

<add key="ida:Audience" value="app id Uri of app1" />
<add key="ida:Tenant" value="tenantId" />

6. Install the package Microsoft.Owin.Security.ActiveDirectory

Install-Package Microsoft.Owin.Security.ActiveDirectory

7. Modify the startup code like below (note: the method appBuilder.UseWindowsAzureActiveDirectoryBearerAuthentication is called before appBuilder.UseWebApi(config)).

using System.Configuration;
using System.Web.Http;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

public static class Startup
{
    public static void ConfigureApp(IAppBuilder appBuilder)
    {
        // Configure Web API for self-host.
        HttpConfiguration config = new HttpConfiguration();

        config.Routes.MapHttpRoute(
            name: "DefaultApi",
            routeTemplate: "api/{controller}/{id}",
            defaults: new { id = RouteParameter.Optional }
        );

        // Register the Azure AD bearer-token middleware before UseWebApi so that
        // every request is authenticated before it reaches a controller.
        appBuilder.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                // Must match the app id URI of app1 (the 'resource' the client asked for).
                Audience = ConfigurationManager.AppSettings["ida:Audience"],
                Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
                TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
                {
                    // As posted: issuer validation is disabled, so a token with the right
                    // audience is accepted whichever Azure AD tenant issued it. Keep the
                    // default (true) unless the API is intentionally multi-tenant.
                    ValidateIssuer = false
                }
            });

        appBuilder.UseWebApi(config);
    }
}

8. Run the Service Fabric application
9. Get the token using the client credential flow above (the clientId and clientSecret are those of app2)
10. Use the access token to request the service exposed by the Service Fabric application, and it works well
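To make the effect of the Audience, Tenant and ValidateIssuer settings in step 7 concrete, here is an added example (not from the answer and not the Owin middleware's code) that models the claim checks a bearer-token middleware applies after it has verified the token signature. The audience URI, tenant ids and token payloads are constructed values.

```python
import time

# Constructed sample settings, mirroring the app.config keys in step 5.
AUDIENCE = "https://contoso.example/app1"          # ida:Audience (app id URI of app1)
TENANT = "11111111-1111-1111-1111-111111111111"    # ida:Tenant


def expected_issuer(tenant_id):
    """Azure AD (v1 endpoint) tokens name the issuing tenant in the 'iss' claim."""
    return "https://sts.windows.net/%s/" % tenant_id


def validate_claims(payload, audience=AUDIENCE, tenant=TENANT,
                    validate_issuer=True, now=None):
    """Return (accepted, reason) for an already signature-verified token payload.

    Models the audience, expiry and (optional) issuer checks; clock skew
    tolerance is ignored for brevity.
    """
    now = time.time() if now is None else now
    if payload.get("aud") != audience:
        return False, "audience mismatch"
    if payload.get("exp", 0) <= now:
        return False, "token expired"
    if validate_issuer and payload.get("iss") != expected_issuer(tenant):
        return False, "issuer mismatch"
    return True, "ok"


# Constructed payloads: a token for app1 issued by our own tenant (what app2
# obtains through the client credential flow) and one with the same audience
# issued by a different tenant.
NOW = 1_700_000_000
OWN_TENANT_TOKEN = {"aud": AUDIENCE, "iss": expected_issuer(TENANT), "tid": TENANT,
                    "appid": "app2-client-id", "exp": NOW + 3600}
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"
OTHER_TENANT_TOKEN = dict(OWN_TENANT_TOKEN, iss=expected_issuer(OTHER_TENANT),
                          tid=OTHER_TENANT)

if __name__ == "__main__":
    # With ValidateIssuer = false (as in step 7) the other tenant's token is accepted.
    for validate_issuer in (True, False):
        for name, token in (("own tenant", OWN_TENANT_TOKEN),
                            ("other tenant", OTHER_TENANT_TOKEN)):
            print("ValidateIssuer=%s, %s:" % (validate_issuer, name),
                  validate_claims(token, validate_issuer=validate_issuer, now=NOW))
```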
