Token based authentication for both Web App and Web API using Azure AD B2C

Question
Scenario: Both the Web application and the Web API need to be authenticated and protected from the server side.

Requirement: The Web application is serving the content for the browser, and the browser should be calling the Web API directly (i.e. browser to API).

Question: Is it possible to authenticate both the Web App and the API using tokens?

Any sample code or clear direction would be highly appreciated.

Normally web applications are authenticated using cookies and APIs are authenticated using tokens. There are some sample projects available here, but they are either browser to API (SPA, token based) or a server-side Web App calling the API from server to server.
Update 1

The app is saving the TokenValidationParameters and uses bootstrapContext.Token within the app controller to grab the token for server-to-server communication.

As per @dstrockis, I'm trying to grab the id_token from the Web App soon after the end of validation (not within the app controller).

I'm using the SecurityTokenValidated invoker in OpenIdConnectAuthenticationOptions.Notifications within the Startup class. SecurityTokenValidated receives a parameter of type SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions>, but I'm not sure where to find the id_token within it. The method is below.
private OpenIdConnectAuthenticationOptions CreateOptionsFromPolicy(string policy)
{
    return new OpenIdConnectAuthenticationOptions
    {
        // For each policy, give OWIN the policy-specific metadata address, and
        // set the authentication type to the id of the policy
        MetadataAddress = String.Format(aadInstance, tenant, policy),
        AuthenticationType = policy,

        // These are standard OpenID Connect parameters, with values pulled from web.config
        ClientId = clientId,
        RedirectUri = redirectUri,
        PostLogoutRedirectUri = redirectUri,
        Notifications = new OpenIdConnectAuthenticationNotifications
        {
            AuthenticationFailed = OnAuthenticationFailed,
            //NEW METHOD INVOKE ************************************
            //******************************************************
            SecurityTokenValidated = OnSecurityTokenValidated
            //******************************************************
        },
        Scope = "openid",
        ResponseType = "id_token",
        TokenValidationParameters = new TokenValidationParameters
        {
            NameClaimType = "name",
            SaveSigninToken = true
        },
    };
}

//NEW METHOD ************************************
private Task OnSecurityTokenValidated(
    SecurityTokenValidatedNotification<OpenIdConnectMessage,
                                       OpenIdConnectAuthenticationOptions> arg)
{
    //QUESTION ********************************************************
    //How to find the just saved id_token using incoming parameter, arg
    //*****************************************************************
    return Task.FromResult(0);
}
Update 2

Instead of SecurityTokenValidated, I tried AuthorizationCodeReceived and it's not getting called at all. As discussed here, my redirect URL does have a trailing slash as well.

Any ideas?

Accepted answer
Our ASP.NET OpenID Connect middleware which supports AAD B2C is built to rely on cookie authentication from a browser. It doesn't accept tokens in a header or anything like that for securing web pages. So I'd say if you want to serve HTML from your web app in the classic way, you need to use cookies to authenticate requests to the web app.

You can definitely get & store tokens within the browser and use those to access your web API, even if you use cookies to authenticate to the web app. There are two patterns I'd recommend:

- Perform the initial login using the OpenID Connect Middleware, initiating the flow from the server side as described in the samples. Once the flow completes, the middleware will validate the resulting id_token and drop cookies in the browser for future requests. You can instruct the middleware to save the id_token for later use by using the line of code written here. You can then somehow pass that id_token down to your browser, cache it, and use it to make requests to the API.
- The other pattern is the inverse. Start by initiating the login from javascript, using the single page app pattern from the B2C documentation. Cache the resulting id_tokens in the browser, and use them to make API calls. But when the login completes, you can send a request to your web app with the id_token in the body, triggering the OpenID Connect middleware to process the request and issue a session cookie. If you want to know the format of that request, I'd recommend inspecting a regular server side OpenID Connect flow.
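The first pattern from the answer, worked through as an added example (this is not code from the question or from the answer): the SecurityTokenValidated notification exposes the just-validated response as ProtocolMessage, whose IdToken property is the raw JWT; it is stored on the cookie-backed identity as a claim (instead of the BootstrapContext that SaveSigninToken fills) and handed to the browser only through an [Authorize]-protected JSON endpoint, so it never sits in a cookie the page's scripts could read. It assumes the OWIN Katana OpenID Connect middleware with ASP.NET MVC 5; the claim type name and TokenController are assumptions of this example.

```csharp
// Added example (not from the original post or answer). Assumes Microsoft.Owin.Security.OpenIdConnect
// (Katana 3.x) and ASP.NET MVC 5; IdTokenClaim and TokenController are names chosen here.
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.IdentityModel.Protocols;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;

public static class IdTokenCapture
{
    // Claim type under which the validated id_token is kept (our own choice of name).
    public const string IdTokenClaim = "urn:example:id_token";

    // Assign this to OpenIdConnectAuthenticationNotifications.SecurityTokenValidated.
    public static Task OnSecurityTokenValidated(
        SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> n)
    {
        // ProtocolMessage is the OpenID Connect response the middleware has just validated;
        // IdToken is the raw JWT string (signature, issuer, audience and expiry already checked).
        string idToken = n.ProtocolMessage.IdToken;
        if (!string.IsNullOrEmpty(idToken))
        {
            // Store it on the identity that the cookie middleware will serialize into the session cookie.
            n.AuthenticationTicket.Identity.AddClaim(new Claim(IdTokenClaim, idToken));
        }
        return Task.FromResult(0);
    }
}

// Same-origin browser script calls GET /Token/IdToken with the session cookie and then sends
// the returned value as "Authorization: Bearer ..." to the Web API. [Authorize] means an
// unauthenticated request gets the normal login redirect instead of a token.
[Authorize]
public class TokenController : Controller
{
    [HttpGet]
    public ActionResult IdToken()
    {
        var identity = (ClaimsIdentity)User.Identity;
        var claim = identity.FindFirst(IdTokenCapture.IdTokenClaim);
        if (claim == null) return new HttpStatusCodeResult(404);

        // Do not let proxies or the browser cache the token response.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        return Json(new { id_token = claim.Value }, JsonRequestBehavior.AllowGet);
    }
}
```

The session cookie grows by the size of the id_token, and the id_token carries its own exp claim, so the browser script must handle a 401 from the API by sending the user through the login again rather than reusing a stale value.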