Azure AD 2.0应用程序-无法从角度客户端访问范围 [英] Azure AD 2.0 application - can't access scope from angular client
问题描述
我正在尝试开发Angular 4应用程序和ASP.NET Core 2.0后端.我有角度应用程序(使用Angular-cli生成)和.net核心Web API(使用vs 2017模板生成). 在角度方面,我正在使用 angular-oauth2-oidc .我在应用程序配置中使用AzureAD 应用程序注册门户(应用程序注册为v2.0)注册了应用程序有两个平台Web和Web API. 在Web api平台中,定义了一个名为"api:///access_as_user"的范围,并且我的应用程序可以访问此范围.
I'm trying to develop Angular 4 application and ASP.NET Core 2.0 backend. I have angular application (generated using Angular-cli) and .net core web api (generated using vs 2017 template). On angular side I'm using angular-oauth2-oidc. I registered my application using AzureAD app registration portal (app s registered as v2.0) in the app configuration there is two platforms Web and Web API. In Web api platform there is defined scope named "api:///access_as_user" and my application is given access to this scope.
仅此而已.在.NET方面,有一个.AddJwtBearer()方法已配置了权限观众(clientId).
On angular side that's it. On .NET side there is .AddJwtBearer() method that has configured authority, audience (clientId).
services.AddAuthentication(auth =>
{
auth.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
auth.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddCookie()
.AddJwtBearer(cfg =>
{
cfg.Authority = "https://login.microsoftonline.com/<tenantId>/v2.0";
cfg.Audience = "<clientId>";
//cfg.Configuration = new Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfiguration();
cfg.TokenValidationParameters = new TokenValidationParameters()
{
ValidateAudience = false,
ValidIssuer = "https://login.microsoftonline.com/<tenantId>/v2.0"
};
});
当我尝试从客户端应用程序访问Web api时出现问题.如果我不以角度要求我的范围("api:///access_as_user"),则Web api将返回未经授权的401.我要求得到
The problem occurs when I tried to access my web api from client application. If I don't ask for my scope ("api:///access_as_user") in angular, web api return 401 unauthorized. I I ask for it I get
"AADSTS65005:The application 'Angular-test' asked for scope 'access_as_user' that doesn't exist on the resource. Contact the app vendor.
Trace+ID: c55338dd-35c8-429b-bfe1-5c48ac030d00
Correlation+ID: a0b4bc2d-7f15-4ca4-9cd5-4fe61999e4d9
Timestamp:+2017-10-24+10:35:56Z""
有人遇到相同/类似的问题吗?
Anyone has the same/simular issue?
Git存储库:
客户端->分支 oidc
推荐答案
我可以通过不使用自定义范围来调用Web api.以下是供您参考的步骤:
I am able to call the web api by not using the customize scope. Here are the steps for your reference:
1.使用如下所示的隐式流程获取令牌:
1.Acquire the token using the implicit flow like below:
GET: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=id_token&client_id=1e6af2ed-686c-4914-96ed-0cd7b1673cbb&scope=openid&redirect_uri=http%3A%2F%2Flocalhost&nonce=123
2.1 多租户:
使用上面的id_token调用.net核心Web API,以保护Azure AD V2.0应用程序,如以下代码所示:
Call the .net core web API using the id_token above which protect the Azure AD V2.0 app like code below:
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
Authority = "https://login.microsoftonline.com/common/v2.0/",
Audience = Configuration["Authentication:AzureAd:ClientId"],
Events = new JwtBearerEvents
{
OnAuthenticationFailed = AuthenticationFailed
},
TokenValidationParameters=new Microsoft.IdentityModel.Tokens.TokenValidationParameters
{
ValidateIssuer =false,
}
});
});
2.1 根据需要限制租户:
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
Authority = "https://login.microsoftonline.com/common/v2.0/",
Audience = Configuration["Authentication:AzureAd:ClientId"],
Events = new JwtBearerEvents
{
OnAuthenticationFailed = AuthenticationFailed
},
TokenValidationParameters=new Microsoft.IdentityModel.Tokens.TokenValidationParameters
{
ValidateIssuer =true,
ValidIssuers=new string[] { "list the allowed issues here","https://login.microsoftonline.com/xxxxxxxx-0e9b-42f8-8b22-3c4a2f1d8800/v2.0"}
}
});
您可以参考以下有关使用Azure AD V2.0应用程序保护Web api的代码示例.该代码示例适用于Azure AD B2C,我们可以修改其权限以使其适用于Azure AD V2.0应用程序.如果您仍有问题,请随时告诉我.
You can refer the code sample below about protecting the web api using Azure AD V2.0 app. The code sample is for Azure AD B2C, we can modify its authority to make it working for Azure AD V2.0 app. And please feel free to let me know if you still have the problem.
active-directory-b2c-dotnetcore-webapi
这篇关于Azure AD 2.0应用程序-无法从角度客户端访问范围的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
