使用Azure AD和WebAPI进行服务到服务的身份验证 [英] Service to service authentication using Azure AD and WebAPI
问题描述
我已经创建了一个.NET核心Web应用程序,该应用程序使用Azure AD作为标识。一切都按预期工作,并且我使用[Authroize]装饰的所有内容都受到保护。
我现在想要保护我的API控制器之一,使其可以从外部访问服务。
我按照本教程介绍了服务身份验证。
一些附加点
- 我的Web应用程序和令牌的POST使用相同的AD ClientID
- 我为每种功能尝试了不同的AD Apps(Web和服务到服务),但似乎没有任何作用
- 如果我只是在浏览器上执行标准登录,则API端点会按预期进行解析。
感谢您的协助!
更新:
我设法尝试了Daemon .NET 4.5应用程序,并且使用UseWindowsAzureActiveDir可以正常工作ectoryBearerToken
但是在我的.NET Core应用程序中,此中间件不可用,所以我尝试使用JwtBearer中间件,但我仍然得到
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
Audience = https:// localhost:44392,
Authority = https://login.microsoftonline.com/{TENANTNAME}.onmicrosoft.com
});
如您所见,我在BearerOptions中仅设置了2个属性,但我相信它们应该已经足够[授权]我的API端点。
POST > http://login.microsoftonline.com/ {CLIENTID} / oauth2 / token
首先,获取令牌时令牌点不正确,我们应该使用 tenantId 而不是 clientId 。
要解决此问题,建议您解码此站点,以查看令牌中的 aud 声明是否与受众您可以在Web API项目中进行配置。
Ive created a .NET core web app which is using Azure AD for the identity. This is all working fine as expected and anything I decorate using [Authroize] is protected.
I am now wanting to secure one of my API controllers to be accessible from an external service.
I followed this tutorial which explains service-service authentication.
Service to service auth with Azure AD
Using this I have managed to request a token
POST https://login.microsoftonline.com/{TENANTID}/oauth2/token
grant_type=client_credentials
&client_id={CLIENTID}
&client_secret={CLIENTSECRET}
&resource=https%3A%2F%mydirectory.onmicrosoft.com/myappname
Running this with postman, I get the Bearer access_token so looks good.
Now if I call my web app in Postman with this bearer token on the header,
GET https://localhost:44392/api/booking
Authorization Bearer {access_token}
I get a HTML response from one the Microsoft dialogues. So it seems it is just going into the redirect loop, so I am now confused on whether I have a configuration problem in the token request, or whether my web app needs to be setup in a different way. The article here mentions something about permissions in the manifest file, but I am confused why this would be necessary?
Some additional points
- My web app and the POST for the token use the same AD ClientID
- I tried different AD Apps for each feature (Web and Service-to-Service) but didnt seem to make any difference
- If I just perform a standard login on the browser, the API endpoint resolves as expected.
Any assistance appreciated!
Updates:
I managed to try the Daemon .NET 4.5 app and this worked flawlessly using the UseWindowsAzureActiveDirectoryBearerToken
Daemon Service to service auth on .NET 4.5
However in my .NET Core app, this middleware isn't available so I tried using JwtBearer middleware but I still get the login prompt.
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
Audience = "https://localhost:44392",
Authority = "https://login.microsoftonline.com/{TENANTNAME}.onmicrosoft.com"
});
As you can see, I have only set 2 properties in the BearerOptions but I believe they should have been enough to [Authorize] my API endpoint.
POST https://login.microsoftonline.com/{CLIENTID}/oauth2/token
First the token point is incorrect when you acquire the token, we should use tenantId instead of clientId.
And to troubleshoot this issue, I suggest that you decode the access_token from this site to see whether the aud claim in the token is same as Audience you config in the web API project.
这篇关于使用Azure AD和WebAPI进行服务到服务的身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
