Jas*_*sen 11 c# oauth-2.0 azure-active-directory asp.net-core microsoft-identity-platform
我有一个 ASP.NET Core 3.1 项目,如以下示例:在 WPF 桌面应用程序中使用 Microsoft 身份平台登录用户并调用 ASP.NET Core Web API。
我使用的是Identity web1.0 版和 Azure AD,单租户应用程序。
我编辑了清单添加,appRoles因为我只请求应用程序令牌,而不是用户令牌:
[... more json ...]
"appId": "<guid>",
"appRoles": [
{
"allowedMemberTypes": [
"Application"
],
"description": "Accesses the application.",
"displayName": "access_as_application",
"id": "<unique guid>",
"isEnabled": true,
"lang": null,
"origin": "Application",
"value": "access_as_application"
}
],
"oauth2AllowUrlPathMatching": false,
[... more json ...]
我还启用了idtyp访问令牌声明,以指定这是一个应用程序令牌。:
[... more json ...]
"optionalClaims": {
"idToken": [],
"accessToken": [
{
"name": "idtyp",
"source": null,
"essential": false,
"additionalProperties": []
}
],
"saml2Token": []
[... more json ...]
以下请求是由 Postman 提出的。请注意/.defaultwith 范围的使用,这在与客户端凭据授予流程相关的文档中有所提及。
POST /{tenant_id}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
scope=api%3A%2F%2{client_id}%2F.default
&client_id={client_id}
&grant_type=client_credentials
&client_secret={secret_key}
请求返回一个access_token可以用jwt.ms查看的,看起来像这样,出于安全原因,实际数据已被占位符替换。:
{
"typ": "JWT",
"alg": "RS256",
"x5t": "[...]",
"kid": "[...]"
}.{
"aud": "api://<client_id>",
"iss": "https://sts.windows.net/<tenant_id>/",
"iat": 1601803439,
"nbf": 1601803439,
"exp": 1601807339,
"aio": "[...]==",
"appid": "<app id>",
"appidacr": "1",
"idp": "https://sts.windows.net/<tenant_id>/",
"idtyp": "app",
"oid": "<guid>",
"rh": "[..].",
"roles": [
"access_as_application"
],
"sub": "<guid>",
"tid": "<guid>",
"uti": "[...]",
"ver": "1.0"
}
我注意到上面的令牌不包括scp. 这似乎是正确的,因为这是一个应用程序令牌而不是用户令牌。相反,它包括“角色”,作为应用程序令牌的适当内容。
在access_token现在可以用作一个邮差承载获取:
GET /api/myapi
Host: https://localhost:5001
Authorization: Bearer {access_token}
对此请求的响应是500 internal error。即有些事情是错误的。该access_token像corrent应用长相的原因,所以错误似乎是在ASP.NET 3.1核心控制器端。
ASP.NET 核心 3.1。托管自定义 API 的项目,startup.cs其中包含以下代码:
services.AddMicrosoftIdentityWebApiAuthentication(Configuration);
// This is added for the sole purpose to highlight the origin of the exception.
services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
{
var existingOnTokenValidatedHandler = options.Events.OnTokenValidated;
options.Events.OnTokenValidated = async context =>
{
if (context.Principal.Claims.All(x => x.Type != ClaimConstants.Scope)
&& context.Principal.Claims.All(y => y.Type != ClaimConstants.Scp)
&& context.Principal.Claims.All(y => y.Type != ClaimConstants.Roles))
{
// This where the exception originates from:
throw new UnauthorizedAccessException("Neither scope or roles claim was found in the bearer token.");
}
};
});
该appsettings.json项目包括:
"AzureAD": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "mydomain.onmicrosoft.com",
"ClientId": "<client_id>",
"TenantId": "<tenant_id>",
"Audience": "api://<client_id>"
},
...控制器看起来像这样:
[Authorize]
[Route("api/[controller]")]
public class MyApiController : Controller
{
[HttpGet]
public async Task<string> Get()
{
return "Hello world!";
}
}
的根本原因500 internal error是抛出了这个异常:IDW10201: Neither scope or roles claim was found in the bearer token.异常。
更新:
(有关更多详细信息,请参阅下面的答案)。
这段关于“使用 Microsoft 标识平台在您的应用程序中实现授权 - 2020 年 6 月”的视频表明缺少的部分是JwtSecurityTokenHandler.DefaultMapInboundClaims = false;需要设置的此标志startup.cs- 例如:
public void ConfigureServices(IServiceCollection services)
{
// By default, the claims mapping will map clain names in the old format to accommodate older SAML applications.
//'http://schemas.microsodt.com/ws/2008/06/identity/clains/role' instead of 'roles'
// This flag ensures that the ClaimsIdentity claims collection will be build from the claims in the token
JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
[...more code...]
如果您计划不使用内置范围或角色,这可能会有所帮助。您可以使用下面的 Azure B2C 示例启用“访问控制列表”身份验证。这里有一些官方文档的链接。
将以下内容添加到您的 AD 配置中:
"AllowWebApiToBeAuthorizedByACL": true
例子:
"AzureAdB2C": {
"Instance": "https://xxx.b2clogin.com/",
"ClientId": "xxxx",
"Domain": "xxx.onmicrosoft.com",
"SignUpSignInPolicyId": "xxx",
"AllowWebApiToBeAuthorizedByACL": true
},
ACL/访问控制列表的含义:ACL:https : //en.wikipedia.org/wiki/Access-control_list
视频“使用 Microsoft 身份平台在应用程序中实施授权 - 2020 年 6 月”概述了缺少的部分是JwtSecurityTokenHandler.DefaultMapInboundClaims = false;需要设置的标志startup.cs- 例如:
public void ConfigureServices(IServiceCollection services)
{
services.AddMicrosoftIdentityWebApiAuthentication(Configuration);
// By default, the claims mapping will map claim names in the old format to accommodate older SAML applications.
//'http://schemas.microsodt.com/ws/2008/06/identity/clains/role' instead of 'roles'
// This flag ensures that the ClaimsIdentity claims collection will be build from the claims in the token
JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
// Notice that this part is different in the video,
// however in this context the following seems to be
// the correct way of setting the RoleClaimType:
services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
{
// The claim in the Jwt token where App roles are available.
options.TokenValidationParameters.RoleClaimType = "roles";
});
[... more code ...]
}
替代方案1
还可以为整个应用程序设置授权,如下所示startup.cs:
services.AddControllers(options =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireClaim("roles", "access_as_application")
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
});
替代方案2
也可以使用这样的策略:
services.AddAuthorization(config =>
{
config.AddPolicy("Role", policy =>
policy.RequireClaim("roles", "access_as_application"));
});
现在可以在控制器请求上使用此策略,如下所示:
[HttpGet]
[Authorize(Policy = "Role")]
public async Task<string> Get()
{
return "Hello world!";
}
文档中的更多内容:基于策略的角色检查。
| 归档时间: |
|
| 查看次数: |
6345 次 |
| 最近记录: |