如何在ASP.NET核心WEB API中验证Azure AD v2生成的OpenID Connect访问令牌? [英] How to Validate OpenID Connect Access Token generated by Azure AD v2 in ASP.NET core WEB API?
问题描述
如何在ASP.NET核心WEB API中验证Azure AD(v2 !!!)生成的OpenID Connect访问令牌?
How to Validate OpenID Connect Access Token generated by Azure AD (v2!!!) in ASP.NET core WEB API?
场景是:
我有一个Angular 8客户端应用程序,该应用程序在登录后获取了OpenID Connect访问令牌. 客户端可以将API与访问令牌一起调用. 但是问题是,我应该如何在ASP.NET核心API中验证该令牌?
I have an Angular 8 Client Application which is getting an OpenID Connect access Token after Login. The Client can call the API along with the Access Token. But Question is, How should I validate that Token in ASP.NET core API?
使用此代码,我会收到没有任何说明的授权错误.
With this code I get an Authorize Error without any descriptions.
services.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme)
.AddAzureADBearer(options => Configuration.Bind("AzureAd", options));
services.AddCors(options =>
{
options.AddDefaultPolicy(
builder =>
{
builder.AllowAnyOrigin();
builder.AllowAnyMethod();
builder.AllowAnyOrigin();
builder.AllowAnyHeader();
});
});
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService:信息:授权失败. Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker:信息:过滤器"Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter"上的请求授权失败. Microsoft.AspNetCore.Mvc.ChallengeResult:信息:使用身份验证方案()执行ChallengeResult. Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler:信息:AuthenticationScheme:AzureADJwtBearer受到了挑战.
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService:Information: Authorization failed. Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker:Information: Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'. Microsoft.AspNetCore.Mvc.ChallengeResult:Information: Executing ChallengeResult with authentication schemes (). Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler:Information: AuthenticationScheme: AzureADJwtBearer was challenged.
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "localhost",
"TenantId": "myTenantId",
"ClientId": "myClientId"
},
推荐答案
Domain
不是localhost
.仅当您要接受来自单个租户的访问令牌时,才需要指定TenantId.否则,您可以将它们设置为common
:
The Domain
is not localhost
. You need specify the TenantId only if you want to accept access tokens from a single tenant . Otherwise, you can leave them set to common
:
This value can be:
- A GUID (Tenant ID = Directory ID)
- 'common' (any organization and personal accounts)
- 'organizations' (any organization)
- 'consumers' (Microsoft personal accounts)
并且您应该通过将以下代码添加到Startup.cs
文件中来更改为使用Microsoft身份平台终结点(Azure AD V2.0终结点):
And you should change to use the Microsoft identity platform endpoint(Azure AD V2.0 endpoint) by adding this code to the Startup.cs
file:
services.Configure<JwtBearerOptions>(AzureADDefaults.JwtBearerAuthenticationScheme, options =>
{
// This is a Microsoft identity platform web API.
options.Authority += "/v2.0";
.....
});
You can click here for detail explanation and code sample .
这篇关于如何在ASP.NET核心WEB API中验证Azure AD v2生成的OpenID Connect访问令牌?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!