問題描述

我創建了一個使用 Azure AD 作為標識的 .NET 核心 Web 應用程序.這一切都按預期正常工作，并且我使用 [Authroize] 裝飾的任何東西都受到保護.

我現在想要確保我的一個 API 控制器可以從外部服務訪問.

我遵循了解釋服務服務身份驗證的本教程.

一些額外的點

• 我的網絡應用和令牌的 POST 使用相同的 AD ClientID
• 我為每個功能(Web 和服務到服務)嘗試了不同的 AD 應用程序，但似乎沒有任何區別
• 如果我只是在瀏覽器上執行標準登錄，API 端點會按預期解析.

感謝任何幫助！

更新:

我設法嘗試了 Daemon .NET 4.5 應用程序，它使用 UseWindowsAzureActiveDirectoryBearerToken 完美運行

守護進程服務在 .NET 4.5 上提供身份驗證服務p>

但是在我的 .NET Core 應用程序中，該中間件不可用，因此我嘗試使用 JwtBearer 中間件，但仍然收到登錄提示.

app.UseJwtBearerAuthentication(new JwtBearerOptions{觀眾 = "https://localhost:44392",授權 = "https://login.microsoftonline.com/{TENANTNAME}.onmicrosoft.com"});

如您所見，我只在 BearerOptions 中設置了 2 個屬性，但我相信它們應該足以 [Authorize] 我的 API 端點.

POST https://login.microsoftonline.com/{CLIENTID}/oauth2/token

首先獲取token時token點不正確，我們應該使用tenantId而不是clientId.

為了解決這個問題，我建議您從 this site 解碼 access_token 以查看 aud 聲明與您在 Web API 項目中配置的 Audience 相同.

Ive created a .NET core web app which is using Azure AD for the identity. This is all working fine as expected and anything I decorate using [Authroize] is protected.

I am now wanting to secure one of my API controllers to be accessible from an external service.

I followed this tutorial which explains service-service authentication.

Service to service auth with Azure AD

Using this I have managed to request a token

POST https://login.microsoftonline.com/{TENANTID}/oauth2/token
grant_type=client_credentials
&client_id={CLIENTID}
&client_secret={CLIENTSECRET}
&resource=https%3A%2F%mydirectory.onmicrosoft.com/myappname

Running this with postman, I get the Bearer access_token so looks good.

Now if I call my web app in Postman with this bearer token on the header,

GET https://localhost:44392/api/booking
Authorization Bearer {access_token}

I get a HTML response from one the Microsoft dialogues. So it seems it is just going into the redirect loop, so I am now confused on whether I have a configuration problem in the token request, or whether my web app needs to be setup in a different way. The article here mentions something about permissions in the manifest file, but I am confused why this would be necessary?

enter link description here

Some additional points

• My web app and the POST for the token use the same AD ClientID
• I tried different AD Apps for each feature (Web and Service-to-Service) but didnt seem to make any difference
• If I just perform a standard login on the browser, the API endpoint resolves as expected.

Any assistance appreciated!

Updates:

I managed to try the Daemon .NET 4.5 app and this worked flawlessly using the UseWindowsAzureActiveDirectoryBearerToken

Daemon Service to service auth on .NET 4.5

However in my .NET Core app, this middleware isn't available so I tried using JwtBearer middleware but I still get the login prompt.

app.UseJwtBearerAuthentication(new JwtBearerOptions
            {
                Audience = "https://localhost:44392",
                Authority = "https://login.microsoftonline.com/{TENANTNAME}.onmicrosoft.com"
            });

As you can see, I have only set 2 properties in the BearerOptions but I believe they should have been enough to [Authorize] my API endpoint.

POST https://login.microsoftonline.com/{CLIENTID}/oauth2/token

First the token point is incorrect when you acquire the token, we should use tenantId instead of clientId.

And to troubleshoot this issue, I suggest that you decode the access_token from this site to see whether the aud claim in the token is same as Audience you config in the web API project.

這篇關于使用 Azure AD 和 WebAPI 的服務到服務身份驗證的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網！