如何将应用程序注册客户端ID放入Azure AD令牌中?
我有一个ASP.NET核心API,我想在其中使用Azure AD身份验证。 我已创建应用程序注册,并为我的API提供了以下配置:如何将应用程序注册客户端ID放入Azure AD令牌中?,azure,asp.net-core,azure-active-directory,Azure,Asp.net Core,Azure Active Directory,我有一个ASP.NET核心API,我想在其中使用Azure AD身份验证。 我已创建应用程序注册,并为我的API提供了以下配置: "AzureAd": { "TenantId": "<tenantid>", "ClientId": "api://<clientid>", // tried it with only the guid clientid as
"AzureAd": {
"TenantId": "<tenantid>",
"ClientId": "api://<clientid>", // tried it with only the guid clientid as well
},
我的问题是,当我登录azure AD时,我令牌中的受众将是00000002-0000-0000-c000-000000000000(AAD图形API的Id),而不是应用注册的客户端Id
我正在使用swagger测试身份验证:
app.UseSwaggerUi3(config =>
{
config.OAuth2Client = new NSwag.AspNetCore.OAuth2ClientSettings
{
ClientId = Configuration["AzureAd:ClientId"],
ClientSecret = string.Empty,
UsePkceWithAuthorizationCodeGrant = true,
ScopeSeparator = " "
};
});
招摇过市文档配置:
services
.AddOpenApiDocument(c =>
{
c.AddSecurity("OAuth2", new OpenApiSecurityScheme
{
OpenIdConnectUrl = $"https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration",
Scheme = "Bearer",
Type = OpenApiSecuritySchemeType.OAuth2,
Flows = new OpenApiOAuthFlows
{
AuthorizationCode = new OpenApiOAuthFlow
{
AuthorizationUrl = $"https://login.microsoftonline.com/{Configuration["AzureAd:TenantId"]}/oauth2/authorize",
TokenUrl = $"https://login.microsoftonline.com/{Configuration["AzureAd:TenantId"]}/oauth2/token",
Scopes = new Dictionary<string, string>
{
{ "api://<client id>/Api.Read", "api://<client id>/Api.Read" }
}
}
}
});
})
服务
.AddOpenApiDocument(c=>
{
c、 AddSecurity(“OAuth2”,新的OpenApiSecurityScheme
{
OpenIdConnectUrl=$”https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration",
Scheme=“持票人”,
Type=OpenApiSecuritySchemeType.OAuth2,
Flows=新的OpenAPIOuthFlows
{
AuthorizationCode=新的OpenAPIOuthFlow
{
授权URL=$”https://login.microsoftonline.com/{配置[“AzureAd:TenantId”]}/oauth2/authorize”,
令牌URL=$”https://login.microsoftonline.com/{配置[“AzureAd:TenantId”]}/oauth2/token”,
范围=新字典
{
{ "api:///Api.Read", "api:///Api.Read" }
}
}
}
});
})
根据请求程序,请求者的客户端Id包含在appid
(v1令牌)或azp
(v2令牌)声明中。您观察到的行为是正确的,因为观众是预期验证令牌并提供所需资源访问权限的一方的Id。在评论中讨论后,找到了有效的解决方案:
AuthorizationUrl=$”https://login.microsoftonline.com/{配置[“AzureAd:TenantId”]}/oauth2/v2.0/authorize“,
令牌URL=$”https://login.microsoftonline.com/{配置[“AzureAd:TenantId”]}/oauth2/v2.0/token“,
范围=新字典
{
{ "api:///Api.Read", "api:///Api.Read" }
}
您需要为前端应用程序中的API请求令牌。您可以演示如何获取令牌。您可以转到API应用程序注册,公开API,添加作用域,然后在请求令牌时使用该作用域。谢谢您的回答,我已经尝试过了,但没有成功。我已经更新了这个问题,以使用v2.0授权和令牌URL,例如https://login.microsoftonline.com/{Configuration[“AzureAd:TenantId”]}/oauth2/v2.0/token
它可以工作!谢谢你的帮助,这是一个很容易错过的细节。
services
.AddOpenApiDocument(c =>
{
c.AddSecurity("OAuth2", new OpenApiSecurityScheme
{
OpenIdConnectUrl = $"https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration",
Scheme = "Bearer",
Type = OpenApiSecuritySchemeType.OAuth2,
Flows = new OpenApiOAuthFlows
{
AuthorizationCode = new OpenApiOAuthFlow
{
AuthorizationUrl = $"https://login.microsoftonline.com/{Configuration["AzureAd:TenantId"]}/oauth2/authorize",
TokenUrl = $"https://login.microsoftonline.com/{Configuration["AzureAd:TenantId"]}/oauth2/token",
Scopes = new Dictionary<string, string>
{
{ "api://<client id>/Api.Read", "api://<client id>/Api.Read" }
}
}
}
});
})
AuthorizationUrl = $"https://login.microsoftonline.com/{Configuration["AzureAd:TenantId"]}/oauth2/v2.0/authorize",
TokenUrl = $"https://login.microsoftonline.com/{Configuration["AzureAd:TenantId"]}/oauth2/v2.0/token",
Scopes = new Dictionary<string, string>
{
{ "api://<client id>/Api.Read", "api://<client id>/Api.Read" }
}