Azure Active Directory 与 MVC，客户端和资源标识同一个应用程序 [英] Azure Active Directory with MVC, the client and resource identify the same application

问题描述

跟进这个问题:

如何在 ASP.NET MVC 上执行 Azure Active Directory 单点登录和表单身份验证

我尝试在默认 MVC 4 的登录操作上编写简单代码，该操作同时使用默认表单身份验证和 Azure Active Directory SSO:

I have tried writing the simple code on Login action of default MVC 4 which uses both default Forms Authentication and Azure Active Directory SSO:

public async Task<ActionResult> Login(LoginModel model, string returnUrl)
{
    if (ModelState.IsValid && WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe))
    {
        return RedirectToLocal(returnUrl);
    }

    authContext = new AuthenticationContext(authority, new TokenCache());
    var result = await authContext.AcquireTokenAsync(resourceId, clientId, new UserCredential(model.UserName, model.Password));

    // more code
}

因此，如果正常登录 WebSecurity.Login 不成功，我会尝试通过使用 ADAL.NET 和以下帖子的凭据(用户名/密码)从 AAD 获取令牌:http://www.cloudidentity.com/blog/2014/07/08/using-adal-net-to-authenticate-users-via-usernamepassword/

So if the normal Login WebSecurity.Login is not successful, I try to acquire token from AAD by using ADAL.NET with credential (username/password) following this post: http://www.cloudidentity.com/blog/2014/07/08/using-adal-net-to-authenticate-users-via-usernamepassword/

运行应用程序时，我从 Azure 收到错误:

When running application I got the error from Azure:

AADSTS90027:客户端[ClientId]"和资源[ResouceId]"标识同一个应用程序.

AADSTS90027: The client '[ClientId]' and resource '[ResouceId]' identify the same application.

我不确定直接在 MVC 登录操作上使用 ADAL 和凭据是否真的有意义.请有人给我这个东西的提示.

I am not sure whether it really makes sense to use ADAL with credential directly on MVC Login action. Please someone give me a hint on this stuff.

推荐答案

ADAL 并不是为了在 Web 应用程序中实现 Web 登录.ADAL 帮助应用程序获取访问另一个资源的令牌:换句话说，它帮助您的应用程序成为客户端.此外，用户名/密码在 Web 应用程序中不可用，因为它只能在本机应用程序中使用.为了同时使用 FormsAuth 和 Azure AD，请考虑添加 ASP.NET 身份中间件和 OpenId Connect 中间件.OpenId Connect 中间件是用于通过 Azure AD 实现 Web SSO 的库.

ADAL is not meant to achieve web sign-on in a web application. ADAL helps an application to obtain a token for accessing another resource: in other words, it helps your application to be a CLIENT. Moreover, the username/password is not available in web apps as it is meant to be used only in native applications. In order to use both FormsAuth and Azure AD, please consider adding both the ASP.NET identity middleware and the OpenId Connect middleware. The OpenId Connect middleware is the library one should use for achieving web SSO with Azure AD.

这篇关于Azure Active Directory 与 MVC，客户端和资源标识同一个应用程序的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！