如何通过.net上的多因素身份验证使OAuth2适用于Azure Active Directory? [英] How to make OAuth2 work for Azure Active Directory with multi-factor authentication on .net?

问题描述

我们正在使用 OAuth 2.0 Azure Active Directory上的身份验证代码授予，以对我们的Web应用程序中的用户进行身份验证.

We are using OAuth 2.0 auth code grant on Azure Active Directory to authenticate the users in our web application.

这没有问题，但是现在AD维护人员希望部署多因素身份验证.我们当前的OAuth实现与之不符.

This has worked without problems, but now the AD maintenance wants to deploy a multi-factor authentication. Our current OAuth implementation is not in line with that.

这是我们的代码:

public static ActionResult LogOn()
{
    string authorizationUrl = string.Format(
        "https://login.windows.net/{0}/oauth2/authorize?api-version=1.0&response_type=code&response_mode=query&client_id={1}&scope={2}&redirect_uri={3}",
        HttpUtility.UrlEncode(azureActiveDirectoryTenant),
        HttpUtility.UrlEncode(azureActiveDirectoryClientId),
        HttpUtility.UrlEncode("https://graph.microsoft.com/v1.0/me/"),
        HttpUtility.UrlEncode(azureActiveDirectoryCodeRedirectURL) // refers to Code() below
    );

    return new RedirectResult(authorizationUrl, false);
}

public async Task<ActionResult> Code(string code = null, string state = "", string error = null, string error_description = null)
{
    if (String.IsNullOrEmpty(error))
    {
        if (String.IsNullOrWhiteSpace(code))
        {
            return LogOn();
        }
        AuthenticationContext ctx = new AuthenticationContext("https://login.microsoftonline.com/" + azureActiveDirectoryTenant);
        ClientCredential clcred = new ClientCredential(azureActiveDirectoryClientId, azureActiveDirectoryClientKey);
        try
        {
            var ar = await ctx.AcquireTokenByAuthorizationCodeAsync(code, new Uri(azureActiveDirectoryCodeRedirectURL), clcred, "https://graph.windows.net");
            string email = ar.UserInfo.DisplayableId;

            using (WebClient client = new WebClient())
            {
                client.Headers.Add("Authorization", "Bearer " + ar.AccessToken);

                Stream data = client.OpenRead(new Uri("https://graph.windows.net/me?api-version=1.6"));
                StreamReader reader = new StreamReader(data);
                Dictionary<string, dynamic> values = JsonConvert.DeserializeObject<Dictionary<string, dynamic>>(reader.ReadToEnd());
                data.Close();
                reader.Close();

                ... act on values and redirect...
            }
        }
        catch (AdalServiceException ex)
        {
            // We come here!
            ViewBag.ErrorMessage = String.Format("Exception: ErrorCode: {0}, StatusCode: {1}, Message: {2}.", ex.ErrorCode, ex.StatusCode, ex.Message);
            ...
        }
    }
    return View("OAuthError");
}

错误消息:

ErrorCode: interaction_required, StatusCode: 400, Message: AADSTS50076: Due
to a configuration change made by your administrator, or because you moved to a
new location, you must use multi-factor authentication to access '00000002-0000-
c000-0000000000000'.

本文档正在讨论AAD上的条件访问，并提到声明"作为解决方案.

This document is discussing conditional access on AAD and mentions 'claims' as a solution.

一个人如何将权利要求与上述代码结合起来才能发挥作用?

How does one incorporate claims to the code above to make it work?

推荐答案

每个MSDN:您可以将amr_values=ngcmfa添加到授​​权URL中以强制执行MFA.

You can add amr_values=ngcmfa to the authorization URL to force MFA.

您也可以添加amr_values=mfa，以要求用户已通过MFA，尽管这可能是前一阵子.

You can also add amr_values=mfa to require that the user has gone through MFA, though it may have happened a while ago.

然后，您还应该检查amr声明中的令牌是否确实包含"mfa". (因为用户只需删除参数即可)

You should also then check that the token does contain "mfa" in the amr claim. (since the user could just remove the parameter)

这篇关于如何通过.net上的多因素身份验证使OAuth2适用于Azure Active Directory?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！