使用Azure AD身份验证保护的WebAPI在IIS上不起作用,但在使用Visual Studio的IIS Express上可以正常工作 [英] WebAPI Secured with Azure AD Authentication not working on IIS but working fine on IIS Express using Visual Studio
问题描述
我正在使用Anp.Net WebAPI调用AnguarJS SPA应用程序.
I am working on a AnguarJS SPA application calling with an Asp.Net WebAPI.
我已经在Azure AD上注册了客户端和后端应用程序.
I have registered both the Client as well as the Backend Application on the Azure AD.
我的客户端/Web应用程序已注册,并包含以下详细信息:
My Client/Web Application is registered with the following details:
- 登录URL: http://localhost:93
- APP ID URL: http://xyz.onmicrosoft.com/XYZLocalClient
- ClientID:34A721C3-20E4-41D5-9BC1-486A99BF7C26
- 回复URL: http://localhost:93
- Sign On URL: http://localhost:93
- APP ID URL : http://xyz.onmicrosoft.com/XYZLocalClient
- ClientID: 34A721C3-20E4-41D5-9BC1-486A99BF7C26
- Reply URL: http://localhost:93
我已将其他应用程序的权限(已授予权限)授予客户端应用程序以访问WebAPI(LocalWebAPI).
I have given the permissions to other applications (delegated permission) for the client app to access the WebAPI (LocalWebAPI).
我的WebAPI具有以下设置:
My WebAPI has the following setup:
-
它正在将OWIN中间件与startup.cs文件一起使用:
It is using the OWIN Middleware with the startup.cs file as:
公共类启动 { 公共无效配置(IAppBuilder应用) { ConfigureAuth(app); }
public class Startup { public void Configuration(IAppBuilder app) { ConfigureAuth(app); }
private void ConfigureAuth(IAppBuilder app)
{
var azureADBearerAuthOptions = new
WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
Tenant = ConfigurationManager.AppSettings["ida:Tenant"]
};
azureADBearerAuthOptions.TokenValidationParameters =
new System.IdentityModel.Tokens.TokenValidationParameters()
{
ValidAudience =
ConfigurationManager.AppSettings["ida:Audience"]
};
app.UseWindowsAzureActiveDirectoryBearerAuthentication (azureADBearerAuthOptions); }
app.UseWindowsAzureActiveDirectoryBearerAuthentication (azureADBearerAuthOptions); }
它使用以下参数在Azure AD上注册:
It is registered on the Azure AD with the following parameters:
登录网址: http://localhost:93/Api/V1/ APP ID URI: https://xyz.onmicrosoft.com/LocalCognia 回复网址: http://localhost:93/Api/V1/ *
SIGN-ON URL: http://localhost:93/Api/V1/ APP ID URI: https://xyz.onmicrosoft.com/LocalCognia Reply URLs: http://localhost:93/Api/V1/*
我的Web.Config文件是:
My Web.Config file is:
<add key="owin:AutomaticAppStartup" value="true"/>
<add key="ida:Tenant" value="xyz.onmicrosoft.com" />
<add key="ida:Audience" value="34A721C3-20E4-41D5-9BC1-486A99BF7C26" />
我还用[Authorize]属性装饰了控制器.
I have also decorated my controller with the [Authorize] Attribute.
一切似乎都正常.从Visual Studio 2015环境(IIS Express)运行应用程序时,我能够对用户进行身份验证并能够从WebAPI访问资源.
Everything seems to be working fine. I am able to authenticate the user and able to access the resources from the WebAPI when I run my application from the Visual Studio 2015 environment (IIS Express).
但是,一旦我使用相同的参数将应用程序部署到IIS服务器上(请注意,该应用程序现在位于localhost:8087上,并且客户端应用程序的回复URL为:localhost:8087),我就是收到错误消息401:调用WebAPI时未经授权的用户.
But as soon as I deploy my application on the IIS Server, using the same parameters, (expect that the application is now on localhost:8087 and with the reply URL for the client app as: localhost:8087), I am getting error as 401: UnAuthroized user on calling the WebAPI.
我在WebAPI调用的标头中获取令牌,但仍然收到错误.不知道这种行为.有人可以帮忙吗?
I am getting the token in the Headers for the WebAPI call, but still getting the error. Not sure of this behavior. Can someone please help on this?
推荐答案
请在您的ConfigureAuth中使用以下代码:
Please use below code in your ConfigureAuth :
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
TokenValidationParameters = new TokenValidationParameters
{
ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
},
});
这篇关于使用Azure AD身份验证保护的WebAPI在IIS上不起作用,但在使用Visual Studio的IIS Express上可以正常工作的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!