Azure App Service Authentication with Google OAuth 2.0 Bearer Token


Question

We are using App Service Authentication to protect a web API and using Google as the authentication provider. It works as expected when we fire a request from a browser (when the session information is in the cookie).

IIS log:

2016-05-29T13:51:19 PID[3600] Verbose Received request: GET https://XXXXXX.azurewebsites.net/api/user
2016-05-29T13:51:19 PID[3600] Verbose Found 'AppServiceAuthSession' cookie for site 'XXXXXX.azurewebsites.net'. Length: 728.
2016-05-29T13:51:19 PID[3600] Verbose Authenticated XXXXXX@gmail.com successfully using 'Session Cookie' authentication.

But when we use an API testing tool such as Postman and set the Authorization header with the bearer token, it always results in a redirection.

IIS log:

2016-05-29T13:53:38 PID[3600] Verbose Received request: POST https://XXXXX.azurewebsites.net/api/user
2016-05-29T13:53:38 PID[3600] Information Redirecting: https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=XXXXXXX-XXXXX7attpunn9smo4.apps.googleusercontent.com&redirect_uri=https%3A%2F%2FXXXXXX.azurewebsites.net%2F.auth%2Flogin%2Fgoogle%2Fcallback&scope=openid+profile+email&state=nonce%3De5f4aabe11cb4544bf18d00920940d47_20160529135838%26redir%3D%2Fapi%2Fuser

We also tried setting the X-ZUMO-AUTH header with the same bearer token; we see an error because the token is not in the expected format. Apparently it expects an encoded JWT token.

IIS log:

016-05-29T13:51:52 PID[3600] Verbose Received request: POST https://XXXXXX.azurewebsites.net/api/user
2016-05-29T13:51:52 PID[3600] Warning JWT validation failed: IDX10708: 'System.IdentityModel.Tokens.JwtSecurityTokenHandler' cannot read this string: 'Bearer ya29.XXXXXXXXXX_RDrX_zsuvMx49e_9QS5ECz9F1yhDHe5j4H9gRN6opkjLXvN1IJZjHXa_Q'. The string needs to be in compact JSON format, which is of the form: '..'..
2016-05-29T13:51:52 PID[3600] Information Redirecting: https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=XXXXXXX-k5nj6dkf987attpunn9smo4.apps.googleusercontent.com&redirect_uri=https%3A%2F%2FXXXXXX.azurewebsites.net%2F.auth%2Flogin%2Fgoogle%2Fcallback&scope=openid+profile+email&state=nonce%3De15b0915406142378XXXXX_20160529135652%26redir%3D%2Fapi%2Fuser

Note: the bearer token obtained from Google is valid, as we can verify its details by calling https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=[token]

Please advise.

Recommended answer

  1. Turn on Authentication / Authorization from the App Service Portal

Browse to the web app or API that requires authentication; you will be redirected to the Google login page, and when you authenticate successfully the response will contain:

  • "id_token": this token can be extracted from the response, or by visiting the token store at /.auth/me
  • "redirect_uri": this token will be included in the response body; you can also set it statically in the next steps, since this is the callback URL unless you ... from the Google console

POST a request to https://{hostname}/.auth/login/google with the following JSON payload: {"redirect_uri":"", "id_token":""}. A successful response will contain "authenticationToken"; store this token or cache it.

Subsequent requests to the APIs that require authentication should contain an HTTP request header:

"x-zumo-auth" with the value of "authenticationToken"

Bonus: in order to verify your token you can POST to https://{hostname}/.auth/login/google with the following JSON payload {"id_token":""}; the response should specify whether the token is valid or not.
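The flow in this answer, as an added example that is not part of the original post or of any Microsoft or Google client library: a small Python client that first checks that what it holds is a compact JWS (three dot-separated base64url segments with a JSON header, which is the shape App Service's JwtSecurityTokenHandler expects and which a Google access token of the form "ya29...." does not have, hence the IDX10708 error in the question), then POSTs the id_token to /.auth/login/google, reads "authenticationToken" from the response, and sends it in the x-zumo-auth header on the protected API call. The host name "example.azurewebsites.net", the sample id_token, the sample responses and the fake transport are all constructed so the code runs offline; the real HTTP transport is plain urllib.

```python
"""Exchange a Google id_token for an App Service Authentication session token
and call a protected API with it.

Added example, not code from the original post. Host name, sample tokens and
sample responses are constructed; `fake_transport` stands in for the network.
"""
import base64
import json
import urllib.request

LOGIN_PATH = "/.auth/login/google"
ZUMO_HEADER = "x-zumo-auth"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWS segments are unpadded; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def looks_like_compact_jws(token: str) -> bool:
    """True if `token` is header.payload.signature with a JSON header.

    This is a format pre-check only, not signature validation: App Service
    verifies the id_token itself. An opaque Google access token ("ya29....")
    or a string prefixed with "Bearer " fails here, which matches the
    IDX10708 "cannot read this string" error from the question.
    """
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False
    return isinstance(header, dict) and "alg" in header


def build_login_request(hostname: str, id_token: str, redirect_uri: str = "") -> urllib.request.Request:
    """POST {"redirect_uri": ..., "id_token": ...} to /.auth/login/google."""
    if not looks_like_compact_jws(id_token):
        raise ValueError("id_token is not a compact JWS; a Google access token will not be accepted here")
    body = json.dumps({"redirect_uri": redirect_uri, "id_token": id_token}).encode()
    return urllib.request.Request(
        f"https://{hostname}{LOGIN_PATH}",
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def parse_login_response(body: bytes) -> str:
    """Pull "authenticationToken" out of the login response (cache it; do not log it)."""
    token = json.loads(body).get("authenticationToken")
    if not token:
        raise ValueError("login response did not contain authenticationToken")
    return token


def build_api_request(hostname: str, path: str, auth_token: str) -> urllib.request.Request:
    """A protected-API call carrying the session token in x-zumo-auth."""
    return urllib.request.Request(f"https://{hostname}{path}", headers={ZUMO_HEADER: auth_token}, method="GET")


def send(req: urllib.request.Request) -> bytes:
    """Real transport: perform the request and return the response body."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def call_protected_api(hostname: str, id_token: str, path: str, transport=send, redirect_uri: str = "") -> bytes:
    """Full flow: login with the id_token, then call `path` with the returned token."""
    auth_token = parse_login_response(transport(build_login_request(hostname, id_token, redirect_uri)))
    return transport(build_api_request(hostname, path, auth_token))


# --- constructed sample data (not real tokens) ---------------------------------
SAMPLE_ID_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps({"iss": "https://accounts.google.com", "email": "user@example.com"}).encode()),
    _b64url_encode(b"placeholder-signature"),
])
SAMPLE_ACCESS_TOKEN = "ya29.placeholder_access_token"  # shape of an opaque Google access token
SAMPLE_ZUMO_TOKEN = "constructed-zumo-token"


def fake_transport(req: urllib.request.Request) -> bytes:
    """Offline stand-in for send(): mimics the two responses the answer describes."""
    headers = {k.lower(): v for k, v in req.header_items()}
    if req.full_url.endswith(LOGIN_PATH) and req.get_method() == "POST":
        if not looks_like_compact_jws(json.loads(req.data)["id_token"]):
            return b'{"error":"invalid id_token"}'
        return json.dumps({"authenticationToken": SAMPLE_ZUMO_TOKEN, "user": {"userId": "sid:constructed"}}).encode()
    if headers.get(ZUMO_HEADER) == SAMPLE_ZUMO_TOKEN:
        return b'{"user":"user@example.com"}'
    # Anything without a valid x-zumo-auth header gets the redirect seen in the question's log.
    return b"302 Redirecting: https://accounts.google.com/o/oauth2/v2/auth"


if __name__ == "__main__":
    print(call_protected_api("example.azurewebsites.net", SAMPLE_ID_TOKEN, "/api/user", transport=fake_transport))
```

Against a real site, call `call_protected_api("<your-app>.azurewebsites.net", id_token, "/api/user")` with the default transport; the pre-check is what turns the question's silent redirect into an immediate, explainable error when an access token is passed by mistake.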
