IdentityServer4: getting an access token from Azure AD

use*_*744 5 azure-active-directory asp.net-core identityserver4

I use Azure AD as an external IdP for IdentityServer4. To call an API protected by Azure AD, I need to get an access token from Azure AD. Is it possible to obtain the access token during the login process and save it to a claim?

I am using the IdentityServer4 quickstart UI. I tried to capture the access token in the external login callback method, but did not find it in HttpContext, in the claims, or in the ProcessLoginCallbackForOidc method.

IdentityServer4 Azure AD configuration:

services.AddIdentityServer()
    .AddDeveloperSigningCredential()
    .AddInMemoryIdentityResources(Config.GetIdentityResources())
    .AddInMemoryApiResources(Config.GetApiResources())
    .AddInMemoryClients(Config.GetClients())
    .AddTestUsers(Config.GetUsers());

services.AddAuthentication()
    .AddOpenIdConnect("oidc", "Azure AD", options =>
    {
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
        options.SignOutScheme = IdentityServerConstants.SignoutScheme;

        options.Authority = "https://login.microsoftonline.com/fredhutch.onmicrosoft.com/";
        options.ClientId = "<client id>";
        options.Resource = "app_id from azure ad";
        options.ClientSecret = "secret from azure ad";
        options.ResponseType = "code id_token";
        options.TokenValidationParameters = new TokenValidationParameters
        {
            NameClaimType = "sub",
            RoleClaimType = "role"
        };

    });

Client configuration in IdentityServer4:

new Client
{
    ClientId = "mvc",
    ClientName = "MVC Client",
    ClientSecrets =
    {
        new Secret("secret".Sha256())
    },
    AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,

    RedirectUris = { "http://localhost:49341/signin-oidc" },
    PostLogoutRedirectUris = { "http://localhost:49341/signout-callback-oidc" },

    AllowedScopes = new List<string>
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        "b03d4318-278d-40fc-b6b3-3cf47a0e6f4d"
    },
    AllowOfflineAccess=true
}

Client (ASP.NET Core MVC):

services.AddAuthentication(options =>
{
    options.DefaultScheme = "Cookies";
    options.DefaultChallengeScheme = "oidc";
})
.AddCookie("Cookies")
.AddOpenIdConnect("oidc", options =>
{
    options.SignInScheme = "Cookies";

    options.Authority = "idsrv4url";
    options.ClientId = "mvc";
    options.ClientSecret = "secret";

    options.SaveTokens = true;
    options.ResponseType = "code id_token";

    options.Scope.Clear();
    options.Scope.Add("openid");
    options.Scope.Add("profile");
    options.Scope.Add("b03d4318-278d-40fc-b6b3-3cf47a0e6f4d");
    options.Scope.Add("offline_access");

    options.GetClaimsFromUserInfoEndpoint = true;

});

Esp*_*dbø 3

The setup against Azure AD is the implicit flow, which means you only get an authorization code and an id token (based on your response type = "code id_token").

What you need to do is subscribe to the OnAuthorizationCodeReceived event and request the access token there.

options.Events.OnAuthorizationCodeReceived = async context =>
{
    // The code Azure AD returned on the front channel
    var authCode = context.ProtocolMessage.Code;
    ...
    // Get token
    ...
};

You can find more information here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code#use-the-authorization-code-to-request-an-access-token
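A complete version of the event handler the answer describes, as an added example that is not code from the original post or from IdentityServer4 itself. It wires Azure AD up as the external OIDC provider for IdentityServer4 (the same settings as the question's configuration), and when the authorization code arrives it redeems it at the tenant's v1 token endpoint with a "resource" parameter, as the linked article describes, then puts the returned access token on the external identity as a claim. The placeholders `<tenant>`, `<client id>`, `<secret>` and `<api app id>`, and the claim type `aad_access_token`, are assumptions; replace them with your own values.

```csharp
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Added example (not from the original post). Placeholders in angle brackets
// and the "aad_access_token" claim type are assumptions.
public static class AzureAdExternalLogin
{
    private const string Tenant = "<tenant>.onmicrosoft.com";

    // Use as: services.AddAuthentication().AddOpenIdConnect("oidc", "Azure AD", ConfigureAzureAd);
    public static void ConfigureAzureAd(OpenIdConnectOptions options)
    {
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
        options.SignOutScheme = IdentityServerConstants.SignoutScheme;
        options.Authority = $"https://login.microsoftonline.com/{Tenant}/";
        options.ClientId = "<client id>";
        options.ClientSecret = "<secret>";
        // Azure AD v1 endpoints scope the access token by "resource", not by "scope".
        options.Resource = "<api app id>";
        options.ResponseType = "code id_token";
        options.TokenValidationParameters = new TokenValidationParameters
        {
            NameClaimType = "sub",
            RoleClaimType = "role"
        };
        options.Events.OnAuthorizationCodeReceived = RedeemCodeForAccessToken;
    }

    // Runs after the handler has validated the front-channel id_token,
    // so context.Principal is already populated for "code id_token".
    private static async Task RedeemCodeForAccessToken(AuthorizationCodeReceivedContext context)
    {
        var options = context.Options;
        var form = new Dictionary<string, string>
        {
            ["grant_type"] = "authorization_code",
            ["client_id"] = options.ClientId,
            ["client_secret"] = options.ClientSecret,
            ["code"] = context.ProtocolMessage.Code,
            // Must match the redirect_uri used in the authorization request.
            ["redirect_uri"] = context.TokenEndpointRequest.RedirectUri,
            ["resource"] = options.Resource
        };

        // context.Backchannel is the HttpClient the handler would use for the redemption itself.
        var response = await context.Backchannel.PostAsync(
            $"https://login.microsoftonline.com/{Tenant}/oauth2/token",
            new FormUrlEncodedContent(form));
        var body = await response.Content.ReadAsStringAsync();
        if (!response.IsSuccessStatusCode)
        {
            // Fail the external login rather than signing the user in without a token.
            context.Fail($"Azure AD token request failed with HTTP {(int)response.StatusCode}: {body}");
            return;
        }

        // OpenIdConnectMessage parses the JSON token response (access_token, id_token, refresh_token...).
        var tokenResponse = new OpenIdConnectMessage(body);

        // Surface the access token as a claim on the external identity, so the quickstart's
        // external callback sees it next to the other external claims.
        var identity = (ClaimsIdentity)context.Principal.Identity;
        identity.AddClaim(new Claim("aad_access_token", tokenResponse.AccessToken));

        // Tell the handler the code is already redeemed so it does not POST it a second time.
        // With options.SaveTokens = true the tokens are also stored in the AuthenticationProperties
        // of the external cookie (result.Properties.GetTokenValue("access_token") in the callback).
        context.HandleCodeRedemption(tokenResponse);
    }
}
```

Two things to check before shipping this. First, a claim on the external identity is carried in the external cookie; IdentityServer only releases a user claim to the MVC client if an IdentityResource or ApiResource lists that claim type, so leave `aad_access_token` out of those resources unless you really intend to hand the Azure AD token to the client rather than calling the API from IdentityServer itself. Second, the v1 token endpoint also returns a refresh_token (`tokenResponse.RefreshToken`) that you will need once the roughly one-hour access token expires; store it server-side with the same care as the access token.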