使用Azure AD保护Azure功能-从本机应用程序调用时获取HTTP 401 [英] Azure Functions secured with Azure AD - Getting HTTP 401 when calling from native app

问题描述

我的目标是使用Azure AD保护我的Azure功能，并从WPF应用程序中调用它们.

My goal is to secure my Azure Functions with Azure AD and call them from a WPF application.

我有一个具有以下定义的Azure函数:

I have an Azure Function with the following definition :

public IActionResult Run(
        [HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = null)]
        HttpRequest req,
        ILogger log,
        ExecutionContext context,
        ClaimsPrincipal claimsPrincipal)

我注册了Azure AD应用并配置了本机应用身份验证的设置:

I registered an Azure AD App and configured the settings for Native App Authentication :

我在公开API" bladd中配置了我的应用

I configured my app in the "Expose an API" bladd

我还添加了API权限

我将我的应用程序与身份验证/授权刀片中的Azure Functions应用程序关联.

I associated my app in my Azure Functions App in the Authentication / Authorization blade.

我正在WPF应用程序中从Azure AD这样获得令牌(使用Microsoft.Identity.Client库)

I am getting a token from Azure AD like this in a WPF app (using the Microsoft.Identity.Client library)

            string applicationID = "***"; // My AppID Guid
            PublicClientApp = PublicClientApplicationBuilder.Create(applicationID)
                .WithRedirectUri("https://login.microsoftonline.com/common/oauth2/nativeclient")
                .Build();

            var listScopes = new List<string>
            {
                //"user.read" - Removed based on @tony-yu recommendation
                $"api://{applicationID}/MyScope"
            };

            var authResult = await PublicClientApp.AcquireTokenInteractive(listScopes)
                                      .ExecuteAsync();

            var myToken = authResult.AccessToken;

我可以毫无问题地进行身份验证，并且可以成功获取令牌，但是每当我调用函数并在Authorization标头中提供令牌(Authorization = Bearer ****)时，我都会得到:

I can authenticate without any problem and I am successfully getting a token but whenever I call my function and I provide my token in the Authorization header (Authorization = Bearer ****), I get :

401-您无权查看此目录或页面.

这就是我所说的(邮递员):

Here's how I call it (Postman) :

这是电话返回时的WWW-Authenticate标头内容

Here is the WWW-Authenticate header content when the call returns

当我检查我获得的令牌时，似乎是合法的

When I check the token I got, it seems legit

知道我做错了什么吗?

推荐答案

因此，由于这篇 SO文章，我终于使它能够正常工作了通过 ambrose-leung

So I finally made it work thanks to this SO article here by ambrose-leung

这篇关于使用Azure AD保护Azure功能-从本机应用程序调用时获取HTTP 401的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！