如何通过Azure Active Directory授权使用Azure REST API应用 [英] How to consume Azure REST API App with Azure Active Directory authorization On

问题描述

我已将API App部署到Azure，但是如果将Authentication(with AAD)设置为ON，则在创建API客户端时会遇到问题.

I have deployed an API App to Azure, but I am having problems creating API Client if Authentication (with AAD) is set to ON.

当我尝试生成服务客户端时(当身份验证"处于关闭状态时)，则生成了客户端代码(由Autorest完成)并且代码正在工作，但是当我将身份验证"设置为开"(并且在未认证请求时采取的措施)设置为Login with Azure Active Directory)，然后

When I try to generate service client (when Authentication is OFF), then client code is generated (it's done with Autorest) and code is working, but when I switch Authentication ON (and Action to take when request is not authenticated is set to Login with Azure Active Directory), then

1)服务调用返回401 Unauthorized(未重定向到AAD登录页面)

1) service call returned 401 Unauthorized (without redirecting to AAD login page)

2)然后，我尝试再次生成服务客户端(从Project的上下文菜单->添加-> REST API客户端->然后在对话框中，选择选择Azure资产"并按OK，并收到消息(并且没有其他可用信息")

2) Then I tried to generate service client once more (from Project's context menu -> Add -> REST API Client -> then in the dialog box I chose "Select Azure Asset" and pressed OK and got a message "Failed to download metadata file for Microsoft Azure API App: ...app name..." (and "no additional information available")

我正在根据此Azure手册(使用快速设置)实施AAD:

I was implementing AAD according to this Azure manual (using express settings):

同样根据该视频工作，并且该视频中显示的所有内容都在起作用，除了未演示AAD ...对我而言，它不起作用...

Was working according to this video, too and everything what is shown in this video was working, except that AAD was not demonstrated... and for me it's not working...

有什么建议吗?

编辑

1)如果我在Web浏览器中输入了REST API客户端使用的请求URL，则它将返回有效结果 2)我发现我使用的是没有凭据的REST API(我认为在这种情况下应该显示Azure AD登录屏幕...但不是)

1) If I enter the request url (that REST API client uses) in web browser - then it returns valid results 2) I found out that I am using REST API without credentials (I thought Azure AD login screen should be presented in this case... but it isn't)

编辑2

我取得了一些进展-进入了AAD登录屏幕，但是输入凭据后我得到了bearer token，但是当我尝试查询该服务时，却收到了一条错误消息:

I got some progress - got to the AAD login screen, but after entering credentials I get the bearer token, but when I try to query the service, I get an error message:

AADSTS65005: The client application has requested access to resource 'https....azurewebsites.net'. This request has failed because the client has not specified this resource in its requiredResourceAccess list. Trace ID: 4176e... Correlation ID: 1d612d... Timestamp: 2016-11-13 18:28:34Z

AADSTS65005: The client application has requested access to resource 'https....azurewebsites.net'. This request has failed because the client has not specified this resource in its requiredResourceAccess list. Trace ID: 4176e... Correlation ID: 1d612d... Timestamp: 2016-11-13 18:28:34Z

这些是我为达到这一目的而采取的步骤:

These are the steps I've done to get this far:

0)向客户端项目添加了Microsoft.IdentityModel.Clients.ActiveDirectory nuget包

0) Added Microsoft.IdentityModel.Clients.ActiveDirectory nuget pack to client project

1)在Azure Active Directory中注册了我的客户端应用

1) registered my client app in Azure Active Directory

2)从客户端应用程序调用REST API时，我要添加ServiceClientCredentials

2) when calling REST API from client application, I am adding ServiceClientCredentials

3)在创建ServiceClientCredentials时，我提供了4个元素 -authority =这是来自AAD App注册->端点=>联合元数据文档vērtība(无起始部分http://login.windows.net/)

3) when creating ServiceClientCredentials I provide 4 elements -authority = this is from AAD App registrations -> Endpoints => Federation Metadata Document vērtība (without the starting part http://login.windows.net/)

-resource =>这是REST API uri(=>作为请求令牌的接收者的目标资源的标识符)

-resource => this is REST API uri (=>Identifier of the target resource that is the recipient of the requested token)

-clientId =>这是我在AAD中注册客户端应用程序后得到的应用程序ID -redirect Uri =>因为我的客户端应用程序是本机应用程序，所以这只是任何有效的URL

-clientId => this is application id I get after I registered client app in AAD -redirect Uri => since my client app is a Native application, then this is just any valid url

如何在客户端应用中指定此资源?

client has not specified this resource in its requiredResourceAccess list

推荐答案

我设法找到一种解决方案，该解决方案如何对Azure REST API应用启用AAD授权.万一有人面临同样的挑战，我希望这会有所帮助.

I managed to find a solution on how to enable AAD authorization to Azure REST API App. Just in case anyone has the same challenge, I hope this will be helpful.

这些是我执行的步骤:

1)在应用服务中->身份验证/授权

1) In App services -> Authentication/authorization

• 应用服务验证=>开启
• 未通过身份验证时采取的措施=>使用AAD登录
• 使用Express设置配置的AAD(您必须创建Azure 适用于您的AD App API应用-即您的服务的应用注册")

• App Service Authentication => On
• Action to take when request is not authenticated => Login with AAD
• Configured AAD with Express settings (there you have to create Azure AD App for you API App - i.e. "App registration" for your service)

2)在Azure Active Directory中->应用程序注册

2) In Azure Active Directory -> App registrations

• 为您的客户端应用添加注册
• 编辑客户端应用程序的清单-在requiredResourceAccess部分中，您必须添加有关REST API应用程序的信息:
  • resourceAppId->在此处插入REST API应用ID
  • resourceAccess {id}-> REST API的OauthPermission id值(您可以在REST API的清单中获得它！)
  • Add registration for your client app
  • Edit Manifest of your client app - in the requiredResourceAccess section you must add information about REST API App:
    • resourceAppId -> insert REST API App id here
    • resourceAccess {id} -> OauthPermission id value of REST API (you can get it in REST API's manifest!)

    3)在您的客户端应用程序中

    3) In your client application

    • 使用Autorest(来自解决方案资源管理器:Add\REST API client)生成REST客户端，或手动创建
    • 添加Microsoft.IdentityModel.Clients.ActiveDirectory nuget包

    • 获取并使用令牌以类似于以下代码的方式访问您的API:

    • generate your REST client using Autorest (from solution explorer: Add\REST API client) or create it manually
    • add Microsoft.IdentityModel.Clients.ActiveDirectory nuget pack

    • get and use token to access your API with code similar to this:

        //request
        (..)
        var tokenCreds = getToken();
        ServiceClientCredentials credentials = tokenCreds;
    
        using (var client = new YourAPI(credentials)) {
        ...
        }
        (..)
    
        //getting token
    
    private static TokenCredentials getToken()
    {
        //get this from Federation Metadata Document in 
        //Azure Active Directory App registrations -> Endpoints
        var authority = "f1...";
    
        //Identifier of the target resource that is the recipient of the requested token
        var resource = "https://yourapi.azurewebsites.net";
    
        //client application id (see Azure Active Directory App registration
        //for your client app
        var clientId = "a71...";
    
        //return url - not relevant for Native apps (just has to be valid url)
        var redirectUri = "https://just-some-valid-url.net";
    
        AuthenticationContext authContext =
        new AuthenticationContext(string.Format
        ("https://login.windows.net/{0}",
    authority));
    
        AuthenticationResult tokenAuthResult =
        authContext.AcquireTokenAsync(resource,
        clientId,
        new Uri(redirectUri),
        new PlatformParameters(PromptBehavior.Auto)).Result;
    
        return new TokenCredentials(tokenAuthResult.AccessToken);
    }
    

  这篇关于如何通过Azure Active Directory授权使用Azure REST API应用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！