Azure网站单一登录以用户身份从Azure Active Directory访问Azure移动服务 [英] Azure Website Single Sign On accessing Azure Mobile Service from Azure Active Directory as User

问题描述

我有一个部署为Azure网站(称为网站)的ASP.NET MVC网站.该网站的部分需要授权.我已经设置了Windows Azure Active Directory( WAAD )以保护对该部分的访问.加载该受保护的部分后，它将加载一个Javascript应用程序，该应用程序允许与Azure移动服务集成.

I have an ASP.NET MVC website deployed as Azure website (called website). That website has a section that needs authorization. I already have set up Windows Azure Active Directory (WAAD) to protect access to that section. Once that protected section has loaded, it will load a Javascript app that allows integration with the Azure Mobile Service.

我还有一个单独的Azure移动服务，用于数据存储(称为 mobserv ).我想从网站访问mobserv表和api端点.我正在将.NET后端用于Azure移动服务. 当然，我需要使用[AuthorizeLevel]保护这些mobserv端点.

I also have a separate Azure Mobile Service that I use for data storage (called mobserv). I want to access mobserv table and api endpoints from website. I am using the .NET backend for Azure Mobile Services. Of course, I need to protect those mobserv endpoints using [AuthorizeLevel].

教程显示了当我想通过 Application (使用[AuthorizeLevel(AuthorizationLevel.Application)])进行身份验证时如何执行此操作-只需添加对正确的Javascript客户端(MobileServices.web-1.2.5.js)的引用，提供mobserv应用ID和令牌. CORS设置为允许交互.到目前为止，一切都很好.

Tutorials show how to do this when I want to authenticate as Application (using [AuthorizeLevel(AuthorizationLevel.Application)]) - just add a reference to the proper Javascript Client (MobileServices.web-1.2.5.js), provide mobserv app id and token. CORS is set up to allow interaction. So far, so good.

但是现在，我想使用[AuthorizeLevel(AuthorizationLevel.User)]保护某些端点.因此，现在，该请求必须被授权为 User .由于网站已经受到WAAD的保护，因此我不希望客户端为javascript客户端执行新的登录-我想重用当前的WAAD身份验证标头来获得单点登录"体验，以便mobserv能够识别用户.

But now, I want to protect certain endpoints using [AuthorizeLevel(AuthorizationLevel.User)]. So now, the request has to be authorized as User. Since the website already has been protected by WAAD, I do not want the client to perform a new sign in for the javascript client - I want to reuse the current WAAD authentication headers to have a Single Sign On Experience, so that mobserv will recognize the user.

我还没有发现有关如何执行此操作的任何提示.教程仅显示针对mobserv或使用显式登录对话框的应用程序级别身份验证.

I have not found any hints on how to do this. Tutorials only show application level auth against mobserv or using explicit login dialogs.

有人知道如何执行此操作吗?

Does anybody have a clue how to do this?

推荐答案

在vibronet的帖子中，移动服务确实支持访问令牌的HTTP POST，但是访问令牌必须将受众指定为您的移动服务.因此，为您的网站发行的令牌将无法单独使用.您将需要通过AAD流程之一对其进行转换.

Following up on vibronet's post, Mobile Services does support HTTP POST of an access token, but the access token must specify the audience as your mobile service. So a token issued for your website will not work on its own. You will need to transform it through one of the AAD flows.

因此，在AAD中，您需要具有两个Web应用程序注册，一个用于网站，另一个用于移动服务.在移动服务注册上，您需要定义可以公开给其他资源的权限. 移动服务+ ADAL教程" (向Azure Active Directory注册移动服务")将指导您完成此过程.然后，不用注册访问该权限的本机客户端应用程序，而是去网站注册并在那里配置访问权限.

So in AAD, you need you have two web application registrations, one for your web site and one for the mobile service. On the mobile service registration, you would need to define permissions that can be exposed to the other resource. The first section of the Mobile Services + ADAL tutorial ("Register your mobile service with the Azure Active Directory") walks you through this. Then, instead of registering a native client app which accesses that permission, you would go to your web site registration and configure the access there.

一旦您拥有网站的AAD令牌，就可以利用此权限来获取移动服务的令牌.最好使用Active Directory身份验证库( JS 或 .NET ，具体取决于您在哪里想要做的事情). AAD小组有关于如何执行此操作的很好的示例，移动服务也有 a ，尽管它可以通过移动服务访问SharePoint Online，而不是通过网站访问移动服务)

Once you have an AAD token for your website, you can leverage this permission to get a token for the mobile service. This can best be accomplished using an on-behalf-of flow in the Active Directory Authentication Library (JS or .NET, depending on where you want to do things). The AAD team has a nice sample on how to do this, and mobile services also has a tutorial which might be helpful, although it does mobile service access to SharePoint Online as opposed to web site access to a mobile service)

然后，您可以使用客户端流"方法将令牌发送到您的移动服务，如.对于AAD，呼叫将类似于:

Then you can send the token to your mobile service using the "client flow" method, as described in "How to: Authenticate Users" for the HTML/JS SDK. For AAD, the call will look something like:

client.login(
      "aad",
      {"access_token": "<TOKEN-FROM-AAD>"})
.done(function(results){
      alert("You are now logged in as: " + results.userId);
},
function(error){
      alert("Error: " + err);
});

用户将看不到任何新的UI，但将登录，并且对来自SDK的后续调用进行身份验证.

The user will not see any new UI, but they will be logged in, and subsequent calls from the SDK will be authenticated.

从您的MVC后端执行此操作也可能会更容易.我相信您可以从ClaimsIdentity获取访问令牌，然后可以使用移动服务. NET客户端SDK 来执行登录操作并简化从MVC站点到您的移动服务的调用:

It might also be easier to do this from your MVC backend. I believe you can get the access token from the ClaimsIdentity, and then you can just use the Mobile Services .NET client SDK to do the login action and facilitate calls from the MVC site to your mobile service:

JObject payload = new JObject();
payload["access_token"] = "<TOKEN-FROM-AAD>";
MobileServiceUser user = await App.MobileService.LoginAsync(MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory, payload);

这篇关于Azure网站单一登录以用户身份从Azure Active Directory访问Azure移动服务的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！