.NET Core app with Azure App Service Authentication

Question

My webapp is developed with .NET Core and deployed in Azure. I have enabled Azure App Service Authentication and configured it to use Azure Active Directory. When I access the webapp I do get redirected to the correct login page. After I log in I can browse to the endpoint .auth/me and see that claims exist for my user. I can also verify that the request headers below exist with values:

  • X-MS-TOKEN-AAD-ID-TOKEN
  • X-MS-TOKEN-AAD-ACCESS-TOKEN
  • X-MS-TOKEN-AAD-EXPIRES-ON
  • X-MS-TOKEN-AAD-REFRESH-TOKEN

But I'm not able to retrieve these claims in my controller. Using User.Identity.isAuthenticated is always false and User.Identity.Claims is empty.

How can I make the user authenticated and retrieve the claims?

In theory I could maybe check if the request header (X-MS-TOKEN-AAD-ID-TOKEN) exists and then retrieve the claims that exist on the endpoint .auth/me, but that doesn't really seem like the correct way to go?

Am I stumbling on the same issue that is discussed here maybe? (Trouble getting ClaimsPrincipal populated when using EasyAuth to authenticate against AAD on Azure App Service in a Asp.Net Core web app)

Recommended answer

App Service passes some user information to your application by using special headers. External requests prohibit these headers and will only be present if set by App Service Authentication / Authorization. Some example headers include:

  • X-MS-CLIENT-PRINCIPAL-NAME
  • X-MS-CLIENT-PRINCIPAL-ID
  • X-MS-TOKEN-FACEBOOK-ACCESS-TOKEN
  • X-MS-TOKEN-FACEBOOK-EXPIRES-ON

Code that is written in any language or framework can get the information that it needs from these headers. For ASP.NET 4.6 apps, the ClaimsPrincipal is automatically set with the appropriate values.

Our application can also obtain additional user details through an HTTP GET on the /.auth/me endpoint of your application. A valid token that's included with the request will return a JSON payload with details about the provider that's being used, the underlying provider token, and some other user information.

As Chris Gillum suggested, you could invoke the /.auth/me endpoint and retrieve the user claims. You could write your custom middleware to check the X-MS-CLIENT-PRINCIPAL-ID header, invoke the /.auth/me endpoint, and set the user claims manually. Here is the detailed code sample; you could refer to this similar issue.

Moreover, you could modify your application and explicitly add authentication middleware instead of using App Service Authentication / Authorization (EasyAuth), as evilSnobu commented. For this approach, you could use the ASP.NET Core OpenID Connect middleware; for details, you could follow the tutorials below:

  • Integrating Azure AD (v2.0 endpoint) into an ASP.NET Core web app
  • Integrating Azure AD into an ASP.NET Core web app
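
The custom-middleware approach described in the answer, sketched as an added example (not the code from the linked sample or from the original post). The class name is hypothetical, and the code assumes that App Service sets the WEBSITE_HOSTNAME environment variable and that /.auth/me returns a JSON array whose entries carry `provider_name` and a `user_claims` list of `typ`/`val` pairs:

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Security.Claims;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

// Hypothetical middleware: fills HttpContext.User from App Service Authentication.
public class EasyAuthClaimsMiddleware
{
    private static readonly HttpClient Http = new HttpClient(new HttpClientHandler { UseCookies = false });
    private readonly RequestDelegate _next;
    public EasyAuthClaimsMiddleware(RequestDelegate next) => _next = next;

    public async Task InvokeAsync(HttpContext context)
    {
        // Assumption: WEBSITE_HOSTNAME is present only when hosted on App Service. Off-platform
        // nothing strips client-supplied X-MS-* headers, so they are ignored there.
        var host = Environment.GetEnvironmentVariable("WEBSITE_HOSTNAME");
        if (!string.IsNullOrEmpty(host) && context.Request.Headers.ContainsKey("X-MS-CLIENT-PRINCIPAL-ID"))
        {
            // Replay the caller's session cookie to /.auth/me so the platform's answer,
            // not the header value, determines the claims.
            using var request = new HttpRequestMessage(HttpMethod.Get, $"https://{host}/.auth/me");
            if (context.Request.Headers.TryGetValue("Cookie", out var cookie))
                request.Headers.TryAddWithoutValidation("Cookie", cookie.ToString());
            using var response = await Http.SendAsync(request, context.RequestAborted);
            if (response.IsSuccessStatusCode)
            {
                using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
                // Assumed payload: [ { "provider_name": "...", "user_claims": [ { "typ": "...", "val": "..." } ] } ]
                var root = doc.RootElement;
                var entry = root.ValueKind == JsonValueKind.Array ? root.EnumerateArray().FirstOrDefault() : default;
                if (entry.ValueKind == JsonValueKind.Object &&
                    entry.TryGetProperty("user_claims", out var userClaims))
                {
                    var claims = userClaims.EnumerateArray()
                        .Select(c => new Claim(c.GetProperty("typ").GetString(), c.GetProperty("val").GetString()))
                        .ToList();
                    var provider = entry.TryGetProperty("provider_name", out var p) ? p.GetString() : "EasyAuth";
                    // A non-empty authentication type is what makes User.Identity.IsAuthenticated true.
                    context.User = new ClaimsPrincipal(new ClaimsIdentity(claims, provider));
                }
            }
        }
        await _next(context);
    }
}
// Register before MVC/endpoints in Startup.Configure: app.UseMiddleware<EasyAuthClaimsMiddleware>();
```

This calls /.auth/me on every request; caching the resulting principal per session avoids the extra round trip.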
