Azure AD服务器身份验证，没有查看目录的权限 [英] Azure AD server authentication, No permission to view directory

问题描述

我创建了一个Xamarin.Forms项目和一个Table API项目.两者都是通过Azure门户中的快速入门"菜单创建的.

I have created a Xamarin.Forms project and a Table API project. Both have been created through the QuickStart menu in Azure Portal.

我已经在门户中配置了Azure AD，并且可以通过XForms应用程序从AD成功检索令牌.但是，当我尝试从MobileServiceClient使用LoginAsync方法登录到Table API时，会收到您没有查看til目录或页面的权限."

I have configured an Azure AD in my portal and I can successfully retrieve a token from the AD through my XForms app. But when I try to login to the Table API using the LoginAsync method from the MobileServiceClient, I receive a "You do not have permission to view til directory or page."

我一直在浏览以下指南，但没有运气.

I have been looking through the following guides but with no luck.

向您的Xamarin.Forms应用添加身份验证

我也查看了以下问题，但没有找到解决方法.

I have also look at the following question but didn't find a solution.

Cordova AAD服务器流身份验证在Android和iOS

我想我可能在Table API项目上缺少某些特定的身份验证吗?

这是我的代码和设置:

XFORMS中的PCL项目

var ar = await authContext.AcquireTokenAsync(Constants.GraphResourceUri, Constants.ClientId, userCredintials);

            JObject payload = new JObject();
            payload["access_token"] = ar.AccessToken;

            var client = new MobileServiceClient(Constants.ApplicationUrl);
            var user = await client.LoginAsync(MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory, payload);

Constants.ClientID是本机客户端应用程序的ClientId，而不是Web服务器.如果我将其切换，我会得到404.

The Constants.ClientID is the ClientId of the Native Client app and not the webserver. If I switch it around I get a 404.

TABLE API项目中的控制器示例

[Authorize]
public class StatisticController : ApiController

TABLE API StartUp.cs配置

public void Configuration(IAppBuilder app)
    {
        app.UseAppServiceAuthentication(new AppServiceAuthenticationOptions());
        ConfigureMobileApp(app);
    }

移动服务授权设置

单次启用广告设置

本地客户端应用设置

编辑

我可以使用以下设置通过PostMan复制错误:

I can duplicate the error through PostMan with the following setup:

我试图在access_token的值中包含"X-ZUMO-AUTH"标头，但结果相同.仍然没有许可.我还尝试排除POST请求中的每个标头，但不进行任何更改. 这是否意味着不允许来自我的移动应用或Postmand的POST请求?

I tried to include a "X-ZUMO-AUTH" header with the value of the access_token but with the same result. Still no permission. I also tried to exclude every header in the POST request but with no changes. Does this mean that POST requests from my mobile app or Postmand is not allowed?

如果我在浏览器中手动浏览到mysite.azurewebsites.net/.auth/login/aad，则可以从我的广告用户登录.因此，看来AD与服务正确通信，反之亦然.

If I manually browse to mysite.azurewebsites.net/.auth/login/aad in a browser, then I can log in with the users from my AD. So it seems that the AD is communicating correctly with the service and vise versa.

已修复

非常感谢 mattchenderson ！正如他建议的那样，我应该将常量GraphResourceUri更改为我的服务的客户端ID，而不是普通的图API.除了添加客户端的单个实例，我现在可以成功登录我的服务.

Great thanks to mattchenderson! As he suggests I should change the constant GraphResourceUri to the client id of my service instead of the normal graph api. Along with adding a single instance of the client I can now successfully log in to my service.

推荐答案

POST请求是允许的，我一直使用Postman进行测试.

POST requests are allowed, and I use Postman all the time for testing.

此类问题的最常见原因是受众验证问题.受众是AAD令牌的属性，该属性说明此令牌对哪些资源有效.给定上面的代码，我希望观众等于Constants.GraphResourceUri.我的猜测是，这实际上是图形API，而不是您的应用程序，这会导致验证失败，尽管我希望在调用LoginAsync()时会发生这种情况.我建议改用Web应用程序客户端ID(这是移动服务授权设置"屏幕截图中的客户端ID).

The most common cause of an issue like this is an audience validation issue. The audience is a property of the AAD token which says for what resource is this token valid. Given the code above, I would expect the audience to be equal to Constants.GraphResourceUri. My guess is that this is actually the graph API, and not your application, and that would cause a validation failure, although I would expect it to happen when you call LoginAsync(). I would suggest trying the web application client ID instead (that's the Client ID from the "MOBILE SERVICE AUTH SETUP" screenshot).

为了便于调试，您可以将AAD令牌带到 http://jwt.io 之类的位置，然后这将帮助您查看令牌属性. "aud"应与门户中注册的应用程序的客户机ID相同，并且您还希望发卡行字段匹配.确保令牌也未过期.

For an easier time debugging, you can take your AAD token to something like http://jwt.io, and that will help you see the token properties. "aud" is expected to the same as the client ID of the application as registered in the portal, and you want the issuer fields to match up as well. Make sure the token is not expired either.

使用令牌访问受保护的API时，有两种方法提供令牌:

When using the token to access protected APIs, there are two ways to provide it:

1. 在请求的X-ZUMO-AUTH标头中使用作为LoginAsync()的一部分返回的令牌. SDK会使用相同的MobileServiceClient自动为表操作完成此操作.
2. 根据承载令牌规范直接使用AAD令牌.也就是说，将其包含在Authorization标头中，其值为"Bearer"，并用您的值替换令牌.

1. Use the token returned as part of LoginAsync() in the X-ZUMO-AUTH header of your request. This will automatically be done by the SDK for table operations using the same MobileServiceClient.
2. Use the AAD token directly according to the bearer token spec. That is, include it in the Authorization header, with the value "Bearer ", replacing token with your value.

此外，我在您的代码中看到您正在为登录操作创建一个新的MobileServiceClient.我们通常不建议这样做，因为登录信息附加到MobileServiceClient对象.如果您没有对此的引用，则会丢失登录信息(以及其他一些设置)，并且这些信息将不会应用于您的表操作.建议使用在其他地方引用的单个实例-例如，在Xamarin中，共享代码中的静态变量.

Also, I see in your code that you are creating a new MobileServiceClient for the login operation. This is something we generally discourage, as the login information is attached to the MobileServiceClient object. If you lose a reference to that, you lose the login information (and a few other settings), and they won't be applied to your table operations. The recommendation is to use a single instance that is referenced elsewhere - for example, in Xamarin, a static variable within your shared code.

这篇关于Azure AD服务器身份验证，没有查看目录的权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！