Azure Mobile Service and Azure Web App authentication


Problem description

I get two different SIDs for the same user when the user is logging in through an Azure Web App (ASP.NET MVC) and Xamarin.iOS app

Setup

Azure WebApp ASP.NET 5 with API Controllers

Xamarin iOS App with Microsoft.WindowsAzure.Mobile.Client SDK Azure B2C AAD

Web user

I get the ObjectIdentifier value that is the AAD SID:

var userClaim = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;

Mobile user

I get only a Nameidentifier value and no ObjectIdentifier

ClaimsPrincipal mobileUser = this.User as ClaimsPrincipal;
var mobileUserClaim = mobileUser.FindFirst("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier");

The SID is completely different: the user authenticated from Mobile gets SID:xxxx, while from Web gets xxx

I know if I set up one Azure Mobile App and one Azure Web App the SID is the same when authenticating. But I don't want to manage two sites for the size (small) of my App. The purpose of the App is to have a simple Web App to perform some actions and the same actions on the Phone; from the Phone I use the Azure Mobile Service SDK and InvokeAPIAsync to use the API controller in the Web App.

Thanks

Recommended answer

I want to clarify the situation. You are observing two SIDs:

1) From AAD, by logging into AAD via web browser.

2) From Azure App Service (Web App and Mobile App), likely from using LoginAsync from our client. This method would invoke the server-directed login flow.

This is by design. MobileServiceClient gets App Service tokens, and authenticates with your Mobile App with that token. You can exchange the auth token you get from Azure App Service for the AAD SID by making a GET to the .auth/me endpoint.

After your client is authenticated with App Service and AAD, you can get more information about the AAD user (or whatever identity provider) by calling yoursite.azurewebsites.net/.auth/me, and parsing the response for the claim you want:

({"typ" : "http://schemas.microsoft.com/identity/claims/objectidentifier").

Another strategy would be to use ADAL (http://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/) from your client app to login with AAD, and then use the AAD access token to get a Mobile App token using the appropriate LoginAsync overload:

https://github.com/Azure/azure-mobile-apps-net-client/blob/master/src/Microsoft.WindowsAzure.MobileServices.iOS/Extensions/MobileServiceClientExtensions.cs#L55

The parameters you add should be in format {"access_token":"[AAD access_token value]"}

Brett Samblanet's wiki on the .NET Server about User IDs should help understand what is going on: https://github.com/Azure/azure-mobile-apps-net-server/wiki/Understanding-User-Ids
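
The `.auth/me` lookup described in the answer above, as an added example that is not part of the original answer or of the Azure SDK: it sends the App Service token and pulls the AAD object identifier out of the response, so web and mobile sign-ins can be keyed on the same value. The names `AuthMe`, `ExtractObjectId` and `GetObjectIdAsync` are hypothetical; it assumes Newtonsoft.Json is referenced, that the token is passed in the `X-ZUMO-AUTH` header, and that the response is a JSON array of provider entries each carrying a `user_claims` list. The sample response is constructed.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

public static class AuthMe   // hypothetical helper, not SDK code
{
    const string ObjectIdClaim =
        "http://schemas.microsoft.com/identity/claims/objectidentifier";

    // Constructed sample of a /.auth/me response (placeholder values only).
    const string Sample = @"[{""provider_name"":""aad"",""user_id"":""user@example.com"",
      ""user_claims"":[{""typ"":""name"",""val"":""Example User""},
      {""typ"":""http://schemas.microsoft.com/identity/claims/objectidentifier"",
       ""val"":""00000000-0000-0000-0000-000000000000""}]}]";

    // Walk every provider entry and return the first objectidentifier claim.
    // Returns null when the claim is absent; callers should treat that as
    // "identity unknown" and refuse the request rather than fall back to
    // the App Service sid.
    public static string ExtractObjectId(string authMeJson)
    {
        foreach (var entry in JArray.Parse(authMeJson))
        {
            var claims = entry["user_claims"] as JArray;
            if (claims == null) continue;
            var match = claims.FirstOrDefault(c => (string)c["typ"] == ObjectIdClaim);
            if (match != null) return (string)match["val"];
        }
        return null;
    }

    // appServiceToken: on the client this is
    // client.CurrentUser.MobileServiceAuthenticationToken after LoginAsync.
    public static async Task<string> GetObjectIdAsync(Uri siteBase, string appServiceToken)
    {
        using (var http = new HttpClient())
        using (var req = new HttpRequestMessage(HttpMethod.Get, new Uri(siteBase, "/.auth/me")))
        {
            req.Headers.Add("X-ZUMO-AUTH", appServiceToken);
            using (var resp = await http.SendAsync(req))
            {
                resp.EnsureSuccessStatusCode();
                return ExtractObjectId(await resp.Content.ReadAsStringAsync());
            }
        }
    }

    public static void Main() => Console.WriteLine(ExtractObjectId(Sample));
}
```

If the API controller uses this value for authorization, resolve it on the server from the caller's token; an object id that the client places in a request body is not authenticated.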
