带有OpenIdConnect的ASP.NET Core上针对移动应用程序和网站的经过身份验证的REST API [英] Authenticated REST API for a mobile app and website on ASP.NET Core with OpenIdConnect
问题描述
我有一个非常简单的"ASP.NET Core Web应用程序(.NET Framework)"应用程序,该应用程序应成为REST API,将托管在Azure上,用于网站&移动应用.
I have a pretty much boilerplate "ASP.NET Core Web Application (.NET Framework)" application, that should become a REST API, to be hosted on Azure, for use for a website & mobile app.
我想通过标头为它配备令牌认证,并且选择了OpenIdConnect软件包.
I want to equip it with token authentication through the headers, and I have chosen for the OpenIdConnect package.
我已经从此页面复制了代码段( https://github. com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server )添加到我的模板中,并添加了app.UseOAuthValidation()调用,因此代码如下所示:
I have copypasted the snippets from this page (https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server) into my template, and added the app.UseOAuthValidation() call, so the code looks like this:
public void ConfigureServices(IServiceCollection services)
{
// Add framework services.
services.AddMvc();
services.AddAuthentication();
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
app.UseOAuthValidation();
app.UseOpenIdConnectServer(options =>
{
//..... Copy-paste from the OpenIdConnect page
OnValidateTokenRequest = context => { ... }
OnHandleTokenRequest = context => { ... }
});
app.UseMvc();
}
我能够获得令牌(POST到/connect/token).
I am able to get a token (POST to /connect/token).
如果我将[Authorize]添加到我的ValuesController中以获取GET并使用令牌设置Authorization标头,但我会继续获得401 Unauthorized.该代码甚至不会中断OnValidateTokenRequest或OnHandleTokenRequest方法.
If I add an [Authorize] to my ValuesController to GET and set the Authorization header with the token but I keep on getting a 401 Unauthorized. The code doesn't even break into the OnValidateTokenRequest or OnHandleTokenRequest methods.
我想念什么?
推荐答案
您做错了.
让我简短地解释一下.您的REST API将不是OpenIDConnect服务器.它应该只对分配给它的令牌进行身份验证.
Let me explain shortly. Your REST API will not be the OpenIDConnect server. It should just authenticate a token given to it.
This article looks pretty good: https://contos.io/protecting-a-net-core-api-with-azure-active-directory-59bbcd5b3429#.1w8djbaci This example uses Azure AD, but since you are hosting on Azure, I assume that would be a good option for you.
简而言之,您的API中需要以下内容:
In short, you need something like this in your API:
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
Authority = Configuration["Authentication:AzureAd:AADInstance"]
+ Configuration["Authentication:AzureAd:TenantId"],
Audience = Configuration["Authentication:AzureAD:ClientId"],
TokenValidationParameters =
new Microsoft.IdentityModel.Tokens.TokenValidationParameters
{
ValidIssuer =
Configuration ["Authentication:AzureAd:AADInstance"]
+ Configuration["Authentication:AzureAd:TenantId"] + "/v2.0" }
});
这篇关于带有OpenIdConnect的ASP.NET Core上针对移动应用程序和网站的经过身份验证的REST API的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
