ASP.NET Core 3.1 如何使用 Azure AD B2C 返回 401 Unauthorized 而不是 Challenge

Question

在我的 API 控制器中，我希望该[Authorize]属性返回 401 Unauthorized，而不是强制执行 Azure AD B2C 登录质询，并将该响应返回到我的前端（对 API 进行 ajax 调用）。

由于 Azure CORS 策略，质询重定向不起作用。我找到了多个答案，但似乎都不起作用（未返回 401，它仍然尝试重定向到 Azure B2C 挑战）。

API控制器：

[Route("api/[controller]")]
[ApiController]
[Authorize]
public class HierarchyController : ControllerBase
// ...

这是我当前的Startup.ConfigureServices代码：

// ...
services.Configure<AzureADB2COptions>(opt => 
            Configuration.GetSection("AzureAdB2C").Bind(opt));

services.AddAuthentication(AzureADB2CDefaults.AuthenticationScheme)
            .AddAzureADB2C(opt => Configuration.Bind("AzureAdB2C", opt))
            .AddCookie(opt =>
            {
                opt.Events = new CookieAuthenticationEvents
                {
                    OnRedirectToLogin = ctx =>
                    {
                        ctx.Response.StatusCode = 401;
                        return Task.CompletedTask;
                    }
                };
            });

我也尝试过使用：

services.ConfigureApplicationCookie(options =>
        {
            options.Events.OnRedirectToLogin = context =>
            {
                context.Response.Headers["Location"] = context.RedirectUri;
                context.Response.StatusCode = 401;
                return Task.CompletedTask;
            };
        });

在这两种情况下都切换OnRedirectToLogin为OnRedirectToAccessDenied. 这些都不起作用。这些事件中的断点永远不会被命中，并且在执行未经授权的 API 调用后，我收到此错误：

Access to XMLHttpRequest at <MY_B2C_ADDR> (redirected from 'https://localhost:44394/api/Hierarchy') from origin 'https://localhost:44394' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

编辑： ConfigureServices

// ...
app.UseRouting(); 

app.UseAuthentication();
app.UseAuthorization();

app.UseEndpoints(endpoints =>
{
      endpoints.MapControllerRoute(
           name: "default",
           pattern: "{controller}/{action=Index}/{id?}");
});

Answer 1

对于任何人（或我）将来阅读 - 我已经解决了这个问题。在ConfigureServices做：

        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = AzureADB2CDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultSignOutScheme = AzureADB2CDefaults.AuthenticationScheme;
        })
            .AddAzureADB2C(options => Configuration.Bind("AzureAdB2C", options))
            .AddCookie(options =>
            {
                options.Events = new CookieAuthenticationEvents
                {
                    OnRedirectToLogin = context =>
                    {
                        if (context.Request.Path.StartsWithSegments("/api"))
                        {
                            context.Response.StatusCode = StatusCodes.Status401Unauthorized;
                        }
                        else
                        {
                            context.Response.Redirect(context.RedirectUri);
                        }

                        return Task.FromResult(0);
                    }
                };
            });