mas*_*asa 2 | tags: .net, oauth, oauth-2.0, azure-active-directory
We use the OAuth 2.0 authorization code grant on Azure Active Directory to authenticate the users of our web application.
That works fine, but the AD administrators now want to roll out multi-factor authentication, and our current OAuth implementation does not work with it.
Here is our code:
    using System;
    using System.Collections.Generic;
    using System.IO;
    using System.Net;
    using System.Threading.Tasks;
    using System.Web;
    using System.Web.Mvc;
    using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL: AuthenticationContext, ClientCredential, AdalServiceException
    using Newtonsoft.Json;

    public class AccountController : Controller
    {
        // Tenant id, application (client) id, client secret and the redirect URI registered
        // for Code() below; all four are read from configuration.
        private static string azureActiveDirectoryTenant;
        private static string azureActiveDirectoryClientId;
        private static string azureActiveDirectoryClientKey;
        private static string azureActiveDirectoryCodeRedirectURL;

        // Step 1: send the browser to the Azure AD v1 authorize endpoint.
        // (Instance method, not static: ASP.NET MVC only dispatches instance methods as actions.)
        public ActionResult LogOn()
        {
            // Note the mismatch: the request names Microsoft Graph in "scope", but the token is
            // later acquired for, and used against, Azure AD Graph (graph.windows.net).
            // No "state" value is sent, so the callback cannot detect a forged redirect (CSRF).
            string authorizationUrl = string.Format(
                "https://login.windows.net/{0}/oauth2/authorize?api-version=1.0&response_type=code&response_mode=query&client_id={1}&scope={2}&redirect_uri={3}",
                HttpUtility.UrlEncode(azureActiveDirectoryTenant),
                HttpUtility.UrlEncode(azureActiveDirectoryClientId),
                HttpUtility.UrlEncode("https://graph.microsoft.com/v1.0/me/"),
                HttpUtility.UrlEncode(azureActiveDirectoryCodeRedirectURL)); // refers to Code() below
            return new RedirectResult(authorizationUrl, false);
        }

        // Step 2: redirect_uri callback. Azure AD returns either ?code=...&state=... or ?error=...&error_description=...
        public async Task<ActionResult> Code(string code = null, string state = "", string error = null, string error_description = null)
        {
            if (String.IsNullOrEmpty(error))
            {
                if (String.IsNullOrWhiteSpace(code))
                {
                    return LogOn();
                }
                AuthenticationContext ctx = new AuthenticationContext("https://login.microsoftonline.com/" + azureActiveDirectoryTenant);
                ClientCredential clcred = new ClientCredential(azureActiveDirectoryClientId, azureActiveDirectoryClientKey);
                try
                {
                    // Redeem the code for an access token whose audience is Azure AD Graph.
                    // This is the call that fails with AADSTS50076 once MFA is required.
                    var ar = await ctx.AcquireTokenByAuthorizationCodeAsync(code, new Uri(azureActiveDirectoryCodeRedirectURL), clcred, "https://graph.windows.net");
                    string email = ar.UserInfo.DisplayableId;
                    using (WebClient client = new WebClient())
                    {
                        client.Headers.Add("Authorization", "Bearer " + ar.AccessToken);
                        using (Stream data = client.OpenRead(new Uri("https://graph.windows.net/me?api-version=1.6")))
                        using (StreamReader reader = new StreamReader(data))
                        {
                            Dictionary<string, dynamic> values = JsonConvert.DeserializeObject<Dictionary<string, dynamic>>(reader.ReadToEnd());
                            // ... act on values and redirect...
                        }
                    }
                }
                catch (AdalServiceException ex)
                {
                    // We come here!
                    ViewBag.ErrorMessage = String.Format("Exception: ErrorCode: {0}, StatusCode: {1}, Message: {2}.", ex.ErrorCode, ex.StatusCode, ex.Message);
                    // ...
                }
            }
            return View("OAuthError");
        }
    }
And the error message:
    ErrorCode: interaction_required, StatusCode: 400, Message: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-c000-0000000000000'.
This document discusses conditional access on AAD and mentions "claims" as a solution.
How do I incorporate claims into the code above to make it work?
According to the Microsoft documentation: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-oapx/0fc398ca-88d0-4118-ae60-c3033e396e60
You can add amr_values=ngcmfa to the authorization URL to force MFA.
You can also add amr_values=mfa to require that the user has already passed MFA, although it may have happened some time ago.
Then you should also check whether the token contains "mfa" in the amr claim (because the user could remove the parameter).
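Applying the answer to the question's sign-in flow, as an added example that is not code from the question, the answer, or Microsoft: the authorize URL gains the amr_values parameter, and, after ADAL has redeemed the code, the amr claim of the returned id_token is checked before the sign-in is accepted. Assumptions: the amr_values names come from the MS-OAPX document the answer links (it specifies AD FS extensions, and this page does not confirm that login.windows.net honours them, which is why the claim check is the part to rely on); ar.IdToken is ADAL's AuthenticationResult property holding the id_token; the optional claims argument carries the claims-challenge JSON the question refers to; the MfaEnforcement class and its method names are invented for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Web;
using Newtonsoft.Json.Linq;

// Added example: the answer's advice applied to the question's sign-in flow.
// The class and method names are assumptions, not code from the question or answer.
public static class MfaEnforcement
{
    // Same v1 authorize URL as the question, plus amr_values (from the answer) and a state
    // value (missing in the question; pass a random per-request nonce kept in the session and
    // compare it in the callback). claims is the optional claims-challenge JSON the question
    // mentions; pass null to omit it.
    public static string BuildAuthorizeUrl(string tenant, string clientId, string redirectUri,
                                           string state, bool freshMfa, string claims = null)
    {
        // ngcmfa asks for a new MFA prompt now; mfa accepts an MFA that already happened.
        string url = string.Format(
            "https://login.windows.net/{0}/oauth2/authorize?api-version=1.0&response_type=code&response_mode=query&client_id={1}&redirect_uri={2}&state={3}&amr_values={4}",
            HttpUtility.UrlEncode(tenant),
            HttpUtility.UrlEncode(clientId),
            HttpUtility.UrlEncode(redirectUri),
            HttpUtility.UrlEncode(state),
            freshMfa ? "ngcmfa" : "mfa");
        if (!string.IsNullOrEmpty(claims))
            url += "&claims=" + HttpUtility.UrlEncode(claims);
        return url;
    }

    // Authentication methods recorded in the token's amr claim ("pwd", "mfa", "rsa", ...).
    // Only the payload is decoded; the signature is NOT verified here, so call this only on a
    // token ADAL obtained from the token endpoint over TLS, never on one sent by the browser.
    public static IList<string> AmrValues(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length < 2) throw new ArgumentException("not a compact JWS");
        JObject payload = JObject.Parse(Encoding.UTF8.GetString(Base64UrlDecode(parts[1])));
        JToken amr = payload["amr"];
        if (amr == null) return new List<string>();
        // amr is normally a JSON array; tolerate a single string.
        return amr.Type == JTokenType.Array
            ? amr.Select(t => (string)t).ToList()
            : new List<string> { (string)amr };
    }

    // The check the answer recommends: a user can strip amr_values from the redirect,
    // so the token itself must say that MFA was performed.
    public static bool SatisfiedMfa(string jwt)
    {
        return AmrValues(jwt).Contains("mfa");
    }

    private static byte[] Base64UrlDecode(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4)
        {
            case 2: b64 += "=="; break;
            case 3: b64 += "="; break;
        }
        return Convert.FromBase64String(b64);
    }

    // Usage inside the question's Code() action, right after AcquireTokenByAuthorizationCodeAsync:
    //
    //   if (!MfaEnforcement.SatisfiedMfa(ar.IdToken))   // ar.IdToken: the id_token ADAL received
    //       return Redirect(MfaEnforcement.BuildAuthorizeUrl(
    //           azureActiveDirectoryTenant, azureActiveDirectoryClientId,
    //           azureActiveDirectoryCodeRedirectURL, state, freshMfa: true));
}
```

The redirect on a missing "mfa" value closes the gap the answer points out: a user who edits amr_values out of the authorize URL still gets sent back for MFA, because the decision is taken on what the issued token says rather than on what was requested. Keep the redirect bounded (for example, one retry tracked in the session) so that a tenant which never issues "mfa" for the user cannot loop the browser.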