WAAD Authentication with WebAPI OData service consumed by Excel PowerQuery


Problem description

I've created a WebAPI OData 3.0 web service with an OWIN middleware, which is configured for authentication with Windows Azure Active Directory. The ODataControllers are marked with an [Authorize] attribute, and the IAppBuilder is configured as follows:

app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
                TokenValidationParameters = new TokenValidationParameters {
                    ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
                },
            });

ida:Tenant is my Windows Azure tenancy, and ida:Audience is the App ID Uri.

Now I would like to consume this service using Excel PowerQuery, authenticating using an account from the AzureAD. However, when I choose "Organizational account" and try to "Sign in", I get the following error:

Unable to connect. This credential type is not supported for this resource.

In Fiddler I can see that the request is made with a Bearer header, but it is empty.

I would like to achieve a behavior similar to when querying AzureAD Graph.
For example, if I try to consume https://graph.windows.net/.onmicrosoft.com/users?api-version=2013-04-05, a single sign-on window opens, and in Fiddler I can see that a token is passed.

How can I achieve this behavior? What am I missing?

Thanks!

Recommended answer

Here is the expected flow between PowerQuery and an OData service during authentication:

  • When you enter the URI to your service in the builder, click ok, you will get a credential prompt asking for your credentials to access the service.
  • Typically, you would choose Organizational Account if Azure Active Directory (AAD) is your Identity Provider.
  • When you click sign in, PowerQuery will send a challenge request to your service, which is the empty bearer you are seeing. The reason is that we don't know what your identity provider is or where we should log you in; the request is expecting a 401/403 response with a WWW-Authenticate header that has the authentication endpoint URL.

Here is the expected header format: WWW-Authenticate authorization_uri="token service uri" (quotes are optional). If we don't find that header, you get the error message 'Unable to connect. This credential type is not supported'.

There are two important things regarding your application object in AAD to make this work:


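  • The AppIdUris property must have a wildcard URI that matches your service URI. When we send the login request, we must include a resource ID; the resource is the authority of the service we are connecting to. So if your service URL is myservice.com/myODatafeed.svc, the authority includes the scheme, host and port number, and myservice.com/ would be the authority. For services that may have different tenants, for example company1.myservice.com, the AppIdUri must have https://*.myservice.com. Otherwise, just https://myservice.com
  • The second thing (which is specific to AAD): AAD does not support first-party client (PowerQuery) to third-party service (your service) authentication today. But hopefully soon enough :) Maybe just when you get the rest done!)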
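
The challenge response described in the answer, sketched as an OWIN middleware placed ahead of the bearer middleware from the question. This is an added example, not code from the original question or answer. The `Startup`/`ConfigureAuth` names, the `Bearer` scheme prefix and the `login.windows.net` authorize URL are assumptions; the page only specifies the `authorization_uri` parameter.

```csharp
using System.Configuration;
using System.IdentityModel.Tokens;   // TokenValidationParameters (assumed package version)
using Microsoft.Owin;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

public partial class Startup
{
    // Assumption: the tenant's sign-in endpoint has this form; the page does not give it.
    private static string AuthorizationUri(string tenant)
    {
        return "https://login.windows.net/" + tenant + "/oauth2/authorize";
    }

    public void ConfigureAuth(IAppBuilder app)
    {
        string tenant = ConfigurationManager.AppSettings["ida:Tenant"];

        // Header value PowerQuery looks for after its empty-bearer probe.
        // The "Bearer" prefix is an assumption; authorization_uri comes from the answer.
        string challenge = "Bearer authorization_uri=\"" + AuthorizationUri(tenant) + "\"";

        // Registered ahead of the bearer middleware so it wraps every response
        // the API produces, including the 401 raised by [Authorize].
        app.Use(async (context, next) =>
        {
            context.Response.OnSendingHeaders(state =>
            {
                var response = (IOwinResponse)state;
                if (response.StatusCode == 401)
                {
                    // Set replaces any WWW-Authenticate value present when this runs.
                    response.Headers.Set("WWW-Authenticate", challenge);
                }
            }, context.Response);

            await next();
        });

        // Unchanged from the question: validates tokens issued for ida:Audience.
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Tenant = tenant,
                TokenValidationParameters = new TokenValidationParameters
                {
                    ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
                }
            });
    }
}
```

Replaying the empty-bearer request in Fiddler should then show a 401 carrying the `authorization_uri` value; token validation itself is untouched, so unauthenticated callers still get no data.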
