問題描述
我們正在使用 OAuth 2.0Azure Active Directory 上的身份驗證代碼授權 以對我們的 Web 應用程序中的用戶進行身份驗證.
We are using OAuth 2.0 auth code grant on Azure Active Directory to authenticate the users in our web application.
這工作沒有問題,但現在 AD 維護想要部署多因素身份驗證.我們當前的 OAuth 實施與此不符.
This has worked without problems, but now the AD maintenance wants to deploy a multi-factor authentication. Our current OAuth implementation is not in line with that.
這是我們的代碼:
public static ActionResult LogOn()
{
string authorizationUrl = string.Format(
"https://login.windows.net/{0}/oauth2/authorize?api-version=1.0&response_type=code&response_mode=query&client_id={1}&scope={2}&redirect_uri={3}",
HttpUtility.UrlEncode(azureActiveDirectoryTenant),
HttpUtility.UrlEncode(azureActiveDirectoryClientId),
HttpUtility.UrlEncode("https://graph.microsoft.com/v1.0/me/"),
HttpUtility.UrlEncode(azureActiveDirectoryCodeRedirectURL) // refers to Code() below
);
return new RedirectResult(authorizationUrl, false);
}
public async Task<ActionResult> Code(string code = null, string state = "", string error = null, string error_description = null)
{
if (String.IsNullOrEmpty(error))
{
if (String.IsNullOrWhiteSpace(code))
{
return LogOn();
}
AuthenticationContext ctx = new AuthenticationContext("https://login.microsoftonline.com/" + azureActiveDirectoryTenant);
ClientCredential clcred = new ClientCredential(azureActiveDirectoryClientId, azureActiveDirectoryClientKey);
try
{
var ar = await ctx.AcquireTokenByAuthorizationCodeAsync(code, new Uri(azureActiveDirectoryCodeRedirectURL), clcred, "https://graph.windows.net");
string email = ar.UserInfo.DisplayableId;
using (WebClient client = new WebClient())
{
client.Headers.Add("Authorization", "Bearer " + ar.AccessToken);
Stream data = client.OpenRead(new Uri("https://graph.windows.net/me?api-version=1.6"));
StreamReader reader = new StreamReader(data);
Dictionary<string, dynamic> values = JsonConvert.DeserializeObject<Dictionary<string, dynamic>>(reader.ReadToEnd());
data.Close();
reader.Close();
... act on values and redirect...
}
}
catch (AdalServiceException ex)
{
// We come here!
ViewBag.ErrorMessage = String.Format("Exception: ErrorCode: {0}, StatusCode: {1}, Message: {2}.", ex.ErrorCode, ex.StatusCode, ex.Message);
...
}
}
return View("OAuthError");
}
還有錯誤信息:
ErrorCode: interaction_required, StatusCode: 400, Message: AADSTS50076: Due
to a configuration change made by your administrator, or because you moved to a
new location, you must use multi-factor authentication to access '00000002-0000-
c000-0000000000000'.
本文檔 正在討論 AAD 的條件訪問并提到聲明"作為解決方案.
This document is discussing conditional access on AAD and mentions 'claims' as a solution.
如何將聲明合并到上面的代碼中以使其工作?
How does one incorporate claims to the code above to make it work?
推薦答案
根據 Microsoft 文檔:https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-oapx/0fc398ca-88d0-4118-ae60-c3033e396e60
Per Microsoft docs: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-oapx/0fc398ca-88d0-4118-ae60-c3033e396e60
您可以將 amr_values=ngcmfa 添加到授權 URL 以強制執行 MFA.
You can add amr_values=ngcmfa to the authorization URL to force MFA.
您還可以添加 amr_values=mfa 以要求用戶已通過 MFA,盡管它可能在不久前發生.
You can also add amr_values=mfa to require that the user has gone through MFA, though it may have happened a while ago.
您還應該檢查令牌是否包含mfa";在 amr 索賠中.(因為用戶可以刪除參數)
You should also then check that the token does contain "mfa" in the amr claim. (since the user could just remove the parameter)
這篇關于如何使 OAuth2 在 .net 上通過多因素身份驗證適用于 Azure Active Directory?的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網!