具有 Azure 应用服务身份验证的 .NET Core 应用 [英] .NET Core app with Azure App Service Authentication
问题描述
我的 webapp 使用 .NET Core 开发并部署在 Azure 中.我已启用 Azure 应用服务身份验证并将其配置为使用 Azure Active Directory.当我访问 web 应用程序时,我会被重定向到正确的登录页面.登录后,我可以浏览到端点 .auth/me 并查看我的用户存在的声明.我还可以验证以下请求标头是否存在值:
My webapp is developed with .NET Core and deployed in Azure. I have enabled Azure App Service Authentication and configured it to use Azure Active Directory. When I access the webapp I do get redirected to the correct login-page. After I login I can browse to the endpoint .auth/me and see that claims exists for my user. I can also verify that the request headers below exists with values:
- X-MS-TOKEN-AAD-ID-TOKEN
- X-MS-TOKEN-AAD-ACCESS-TOKEN
- X-MS-TOKEN-AAD-EXPIRES-ON
- X-MS-TOKEN-AAD-REFRESH-TOKEN
但我无法在我的控制器中检索这些声明.使用 User.Identity.isAuthenticated 始终为 false,并且 User.Identity.Claims 为空.
But I'm not able to retrieve these claims in my controller. Using User.Identity.isAuthenticated is always false and User.Identity.Claims is empty.
如何使用户通过身份验证并检索声明?
How can I make the user authenticated and retrieve the claims?
理论上,我可以检查请求标头(X-MS-TOKEN-AAD-ID-TOKEN)是否存在,然后检索端点 .auth/me 上存在的声明,但这看起来并不像正确的方法是什么?
In theory I could maybe check if the request-header(X-MS-TOKEN-AAD-ID-TOKEN) exist and then retrieve the claims that exists on the endpoint .auth/me but that doesn't really seems like the correct way to go?
我可能在此处讨论的同一问题上绊倒了吗?(使用 EasyAuth 对 AAD 进行身份验证时无法填充 ClaimsPrincipal在 Asp.Net Core Web 应用中的 Azure 应用服务上)
Am I stumbling on the same issue that is discussed here maybe? (Trouble getting ClaimsPrincipal populated when using EasyAuth to authenticate against AAD on Azure App Service in a Asp.Net Core web app)
推荐答案
As 在您的应用程序中使用用户身份 状态:
应用服务通过使用特殊标头将一些用户信息传递给您的应用程序.外部请求禁止这些标头,并且仅在应用服务身份验证/授权设置时才会出现.一些示例标题包括:
App Service passes some user information to your application by using special headers. External requests prohibit these headers and will only be present if set by App Service Authentication / Authorization. Some example headers include:
- X-MS-CLIENT-PRINCIPAL-NAME
- X-MS-CLIENT-PRINCIPAL-ID
- X-MS-TOKEN-FACEBOOK-ACCESS-TOKEN
- X-MS-TOKEN-FACEBOOK-EXPIRES-ON
以任何语言或框架编写的代码都可以从这些标头中获取所需的信息.对于 ASP.NET 4.6 应用程序,ClaimsPrincipal 会自动设置为适当的值.
Code that is written in any language or framework can get the information that it needs from these headers. For ASP.NET 4.6 apps, the ClaimsPrincipal is automatically set with the appropriate values.
我们的应用程序还可以通过您应用程序的 /.auth/me 端点上的 HTTP GET 获取其他用户详细信息.请求中包含的有效令牌将返回 JSON 有效负载,其中包含有关正在使用的提供程序、底层提供程序令牌和一些其他用户信息的详细信息.
our application can also obtain additional user details through an HTTP GET on the /.auth/me endpoint of your application. A valid token that's included with the request will return a JSON payload with details about the provider that's being used, the underlying provider token, and some other user information.
正如 Chris Gillum 建议的那样,您可以调用 /.auth/me 端点并检索用户声明.您可以编写自定义中间件来检查 X-MS-CLIENT-PRINCIPAL-ID 标头并调用 /.auth/me 端点并手动设置用户声明.这是详细的代码示例,您可以参考这个类似的问题.
As Chris Gillum suggested that you could invoke the /.auth/me endpoint and retrieve the user claims. You could write your custom middleware to check the X-MS-CLIENT-PRINCIPAL-ID header and invoke the /.auth/me endpoint and set the user claims manually. Here is the detailed code sample, you could refer to this similar issue.
此外,您可以修改您的应用程序并显式添加身份验证中间件,而不是像 evilSnobu 评论的那样使用应用服务身份验证/授权 (EasyAuth).对于这种方法,您可以使用 ASP.Net Core OpenID Connect 中间件,详细信息您可以按照以下教程进行操作:
Moreover, you could modify your application and explicitly add authentication middleware instead of using App Service Authentication / Authorization (EasyAuth) as evilSnobu commented. For this approach, you could use the ASP.Net Core OpenID Connect middleware, details you could follow the tutorials below:
集成 Azure AD(v2.0 端点)进入 ASP.NET Core Web 应用程序
将 Azure AD 集成到 ASP.NET Core Web 应用中
这篇关于具有 Azure 应用服务身份验证的 .NET Core 应用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
