使用asp.net身份进行授权的Azure AD身份验证 [英] Azure AD authentication with asp.net Identity for authorisation

问题描述

我试图在整个Internet上寻找，但看不到如何实现我所要求的.这是我的企业应用程序，它使用Asp.net Identity进行基于表单的身份验证.我扩展了用户和角色以及组以在我的代码中提供授权. (注意:不使用任何组/角色指令).

I tried to look for all over internet but couldn't see how I can achieve what I was asked to. Here is my enterprise app which uses Asp.net Identity for form based authentication. I had extended User and Role along with Groups to provide authorization in my code. (note: not using any group/role directives).

现在，我被要求研究更改代码以适应Azure Active Directory身份验证的可能性.我尝试阅读有关如何注册应用程序，将用户发送到Azure站点进行身份验证，取回令牌等的内容.但是，我被困在之后会怎样?"我已通过身份验证的用户如何使用用户存储在sql数据库中的现有Asp.net身份模型.如何使用此令牌来关联现有用户.

Now I was asked to look at possibility of changing code to accommodate Azure Active Directory authentication. I tried reading on how you can register app, send user to Azure site for authentication, get back token etc. However I'm stuck at 'what-afterwards?' I have authenticated user How can I use my existing Asp.net Identity model where user was stored in sql database. How to use this token to relate the existing user.

此外，当我更改项目以允许Azure AD时，它会删除Aspnet.Identity程序包，因为它与Azure AD不兼容！

Moreover, when I change my project to allow Azure AD, it removes Aspnet.Identity package as its not compatible with Azure AD !!

我什至尝试手动将两个程序包并排放置，我指出了将用户发送到Azure上进行身份验证的位置，转回到主页，然后以永无止境的方式再次登录Azure AD.

I even tried manually keeping both packages side by side, I got to point where user is sent to authenticate on Azure, diverted back to home page and again to login on Azure AD in never ending loop.

总结问题，即如何从AAD对用户进行身份验证并继续使用现有的角色和组授权.

to summarize the question, How can I authenticate user from AAD and keep using existing Roles and groups authorization.

修改: 我尝试创建单独的Web服务，该服务将对用户进行身份验证并发送JWT令牌.可以找到是否直接在浏览器上调用它的方法，但是，当我尝试从Web应用程序调用此服务时，出现奇怪的错误

I tried creating separate web service which will authenticate user and send JWT token. which works find if I call it directly on browser, however, when I tried to call this service from my web app I get weird error

 Application with identifier 'a2d2---------------' was not found in the directory azurewebsites.net

奇怪的是，目录名称是'azurewebsites.net'，而不是我使用的默认目录.

Weird part here is name of directory is 'azurewebsites.net' and not the default directory I'm using.

更新 这是引发错误的代码

Update Here is code which throws error

public async Task<ActionResult> Login(string returnUrl)
        {


            try
            {

                // get the access token
                AuthenticationContext authContext = new AuthenticationContext(authority, new TokenCache());

                var clientCredential = new ClientCredential(clientId, password);
//Error on below line
                AuthenticationResult result = await authContext.AcquireTokenAsync(resourceId, clientCredential);


                // give it to the server to get a JWT
                HttpClient httpClient = new HttpClient();
                httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
......

推荐答案

我遇到了类似的问题，因此我创建了一个Office 365 owin安全插件.我在github上共享了代码.它基于Codeplex上的 katana项目.

I had a similar issue so I created an Office 365 owin security plugin. I shared the code on github. It's based on the katana project at codeplex.

您可以在 https://github.com/chadwjames/wakizashi 中找到源代码.

You can find the source code at https://github.com/chadwjames/wakizashi.

您将需要在此处注册您的应用程序.注册应用程序时，将回叫uri设置为 https://yourdomain/signin-office365

You will need to register your application here. When registering the application set the call back uri to https://yourdomain/signin-office365

应用程序ID是您的客户ID，密码是您的客户机密.

The Application ID is your Client Id and the Password is your Client Secret.

注册后，您可以修改Startup.Auth.cs并将类似的内容添加到ConfigureAuth方法中.

Once you have it registered you can modify the Startup.Auth.cs and add something like this to the ConfigureAuth method.

        //setup office 365
        var office365Options = new Office365AuthenticationOptions
        {
            ClientId = ConfigurationManager.AppSettings["ada:ClientId"],
            ClientSecret = ConfigurationManager.AppSettings["ada:ClientSecret"],
            Provider = new Office365AuthenticationProvider
            {
                OnAuthenticated = async context =>
                {
                    await
                        Task.Run(
                            () => context.Identity.AddClaim(new Claim("Office365AccessToken", context.AccessToken)));
                }
            },
            SignInAsAuthenticationType = DefaultAuthenticationTypes.ExternalCookie
        };

        office365Options.Scope.Add("offline_access");
        app.UseOffice365Authentication(office365Options);

当我有更多时间时，我希望为此创建一个nuget包.

When I have more time I hope to create a nuget package for this.

这篇关于使用asp.net身份进行授权的Azure AD身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！