登录到ASP.Net Core Web应用程序->使用Azure AD B2C的具有单个用户帐户的API [英] Sign in to ASP.Net Core Web Application -> API with Individual User Accounts using Azure AD B2C
问题描述
我已经使用->个人用户帐户->连接到云中的现有用户存储(Azure AD B2C),使用ASP.NET Razor页面设置了Web应用程序.
这真的很好,我可以注册并登录该Web应用程序.
但是,当我遵循API指南时,我不知道如何登录.
示例 Controller
/weatherforecast在启动Web应用程序时仅返回HTTP 401.
看着文件结构,我也找不到任何线索,但这可能类似于我猜想的脚手架.
如果我从 WeatherForecastController
中注释掉 [Authorize]
,我会收到HTTP 200,所以我需要的只是来自Azure AD B2C的令牌,该令牌将被发送到GET请求中的控制器.
我知道B2C租户和应用程序都可以工作,因为我对API使用的Web应用程序与Web应用程序相同.它是根据Microsoft自己的指南设置的:
因此,第一步是要确保您在 Published scopes
:
然后在 API访问权限
下添加具有读取范围的应用程序.
然后以这种格式执行GET请求,最简单的测试方法是在Chrome或任何其他浏览器中使用它:
https://<租户名称> .b2clogin.com/tfp/<租户名称> .onmicrosoft.com/<政策名称>/oauth2/v2.0/授权?client_id =<应用程序ID>& nonce = anyRandomValue& redirect_uri = https://jwt.ms& scope = https://< tenant-name> .onmicrosoft.com/api/read& response_type =代码
确保 redirect_uri
以 Reply URL
的形式显示在您的应用程序中.
这应该为您提供类似 https://jwt.ms/?code = ...
或 https//localhost:44376/signin-oidc?code =
,具体取决于 redirect_uri
.Microsoft示例使用 https://jwt.ms
,但我更喜欢将代码保留在我控制的域上.
我从Postman复制代码参数中的值,然后执行POST请求.
POST< tenant-name> .onmicrosoft.com/oauth2/v2.0/token?p =< policy-name>HTTP/1.1主机:< tenant-name> .b2clogin.com内容类型:application/x-www-form-urlencodedgrant_type =授权码& client_id =<应用程序ID>& scope = https://< tenant-name> .onmicrosoft.com/api/read& code = eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMC ...& redirect_uri = https://jwt.ms& client_secret =< app-key>
client_secret
来自密钥:
正确的响应应如下所示:
然后,您可以复制 access_token
的值,并使用 Bearer Authorization
访问本地API.要查看您的 access_token
的内容,您可以将值复制到 https://jwt.ms/
I have set up a Web Application with ASP.NET Razor Pages with -> Individual User Accounts -> Connect to an existing user store in the cloud (Azure AD B2C).
This works really well and I could both sign up and sign in to the web application.
However when I follow the guide for API I don't understand how to sign in.
The example Controller
/weatherforecast simply returns a HTTP 401 when the web application is started.
Looking at the file structure I can't find any clues either but this could be similar to scaffolding I guess.
https://stackoverflow.com/a/50677133/3850405
If I comment out [Authorize]
from WeatherForecastController
I get a HTTP 200 so what I need is probably just a token from Azure AD B2C that is being sent to the Controller in the GET request.
I know that the B2C tenant and application work since I use the same application for the API as I did with the Web Application. It was set up using Microsofts own guide:
https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant
Update 2020-07-27:
Applications are now Legacy and App registrations should be used instead. See this guide:
Old:
Fixed it using these guides:
https://docs.microsoft.com/en-us/azure/active-directory-b2c/tokens-overview https://docs.microsoft.com/en-us/azure/active-directory-b2c/access-tokens
I had some trouble where I got the error "AADB2C90205: This application does not have sufficient permissions against this web resource to perform the operation.
numerous times. Turned out I had not declared the correct scopes for the application.
First step is therefore to make sure you have a read scope for your Azure AD B2C application under Published scopes
:
Then under API access
add your application with the scope read.
Then perform a GET request with this format, simplest way to test is to use it in Chrome or any other browser:
https://<tenant-name>.b2clogin.com/tfp/<tenant-name>.onmicrosoft.com/<policy-name>/oauth2/v2.0/authorize?
client_id=<application-ID>
&nonce=anyRandomValue
&redirect_uri=https://jwt.ms
&scope=https://<tenant-name>.onmicrosoft.com/api/read
&response_type=code
Make sure the redirect_uri
is present as Reply URL
for your application.
This should give you a result like after logging in like https://jwt.ms/?code=...
or https//localhost:44376/signin-oidc?code=
depending on redirect_uri
. Microsoft example uses https://jwt.ms
but I prefer to keep my codes on domains that I control.
Copy the value from code parameter and then perform a POST request, I use Postman.
POST <tenant-name>.onmicrosoft.com/oauth2/v2.0/token?p=<policy-name> HTTP/1.1
Host: <tenant-name>.b2clogin.com
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
&client_id=<application-ID>
&scope=https://<tenant-name>.onmicrosoft.com/api/read
&code=eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMC...
&redirect_uri=https://jwt.ms
&client_secret=<app-key>
client_secret
is from Keys:
Correct response should look like this:
Then you can copy the value for access_token
and access your local API with Bearer Authorization
. To see the content of your access_token
you can copy the value to https://jwt.ms/
这篇关于登录到ASP.Net Core Web应用程序->使用Azure AD B2C的具有单个用户帐户的API的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!