Bearer token not working when calling a web api in Azure
Having trouble getting a call from a Web App to an API App in Azure to work. Here is how things are structured -
- Asp.Net Core 1.1 Web App protected by Azure AD authentication - running locally with Kestrel
- The web app's Startup.cs has the following code to get a token for the web api
app.UseCookieAuthentication();
app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
    ClientId = ClientId, //Client Id of my current web app
    ClientSecret = ClientSecret, //ClientSecret of my current web app
    Authority = "https://login.microsoftonline.com/tenantguid",
    CallbackPath = Configuration[Constants.ApplicationProxyCallbackPath],
    ResponseType = OpenIdConnectResponseType.CodeIdToken,
    Events = new OpenIdConnectEvents
    {
        OnAuthorizationCodeReceived = OnAuthorizationCodeReceived,
        OnRemoteFailure = OnAuthenticationFailed
    }
});
For the OnAuthorizationCodeReceived method, this is my code
private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedContext context)
{
    // Identify the signed-in user so the token cache entry is keyed per user
    string userObjectId = (context.Ticket.Principal.FindFirst(Constants.ClaimsSchemaUri))?.Value;
    ClientCredential clientCred = new ClientCredential(ClientId, ClientSecret);
    AuthenticationContext authContext = new AuthenticationContext(Authority, new NaiveSessionCache(userObjectId, context.HttpContext.Session));
    // Redeem the authorization code for an access token to the web api (WebAPIClientId is the resource)
    AuthenticationResult authResult = await authContext.AcquireTokenByAuthorizationCodeAsync(
        context.ProtocolMessage.Code,
        new Uri(context.Properties.Items[OpenIdConnectDefaults.RedirectUriForCodePropertiesKey]),
        clientCred,
        WebAPIClientId);
}
With the above code I am able to get the bearer token successfully
Task<string> results = null;
string resultSet = String.Empty;
AuthenticationResult authResult = null;
// Look up the token cached for this user during OnAuthorizationCodeReceived
string userObjectID = (currentUser.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier"))?.Value;
AuthenticationContext authContext = new AuthenticationContext(Startup.Authority, new NaiveSessionCache(userObjectID, current.Session));
ClientCredential credential = new ClientCredential(Startup.ClientId, Startup.ClientSecret);
authResult = await authContext.AcquireTokenSilentAsync(Startup.SearchAPIClientId, credential, new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));
//var callerIdentity = currentUser.Identity as WindowsIdentity;
HttpClientHandler handler = null;
//Setup async action
Action action = () => {
    handler = new HttpClientHandler() { AllowAutoRedirect = true };
    //Setup for windows authentication
    var client = new HttpClient(handler);
    //Add common http headers
    client.DefaultRequestHeaders.Add("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8");
    client.DefaultRequestHeaders.Add("Accept-Encoding", "gzip, deflate");
    client.DefaultRequestHeaders.Add("Accept-Language", "en-US,en;q=0.8");
    client.DefaultRequestHeaders.Add("User-Agent", "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36");
    // Attach the access token acquired above as the bearer token for the api call
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
    results = client.GetStringAsync("https://myapi.azurewebsites.net/api/search/");
};
action.Invoke();
resultSet = await results as string;
"AADSTS50105: The application 'source client id guid' is not assigned to a role for the application 'target client id guid'." The issue has been resolved; I had to do the following
- Changed the authentication scheme to JwtBearer
- This allowed me to accept the bearer token from the Web App, and now Web App to Api App authentication works as needed
- When the API App calls another downstream API App, I had to use AcquireTokenAsync and pass the following details - ClientId, ClientCredentials and the access token received earlier from the Web App. That token is used to construct the UserAssertion
With the above changes, the Web App --> API App --> downstream API App calls work fine.
Are you able to access the API from Postman after providing the bearer token in Authorization?
No, I am not able to. Using the token generated by the code above, I cannot make the call with Postman.
Are you getting a 401 or any other error message? If the token is valid then you should be able to make the call from Postman.
I see a 302 on login.microsoftonline.com, which may help.
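As an added example (not code from the question or its answer), this is the API app side of the two changes the answer lists: the JwtBearer middleware that accepts the web app's token, and the on-behalf-of call to the downstream API made with ADAL's AcquireTokenAsync using the API app's ClientCredential and a UserAssertion built from the incoming token. The Startup constants, the SearchController class and route, and the downstream URL are assumed placeholders.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
public partial class Startup
{
    // Placeholders for the API app's own Azure AD registration (assumed values, not from the question)
    public const string Authority = "https://login.microsoftonline.com/tenantguid";
    public const string ApiClientId = "<api-app-client-id>";
    public const string ApiClientSecret = "<api-app-client-secret>";
    public const string DownstreamApiClientId = "<downstream-api-app-client-id>";
    // Step 1: validate incoming bearer tokens instead of using cookie/OpenID Connect middleware,
    // so a caller without a valid token gets a 401 rather than a redirect to the login page.
    public void ConfigureAuth(IApplicationBuilder app)
    {
        app.UseJwtBearerAuthentication(new JwtBearerOptions
        {
            Authority = Authority,
            Audience = ApiClientId // reject tokens that were issued for some other app
        });
    }
}
[Authorize]
public class SearchController : Controller
{
    // Step 2: call the downstream API on behalf of the signed-in user (OAuth 2.0 on-behalf-of flow)
    [HttpGet("api/search")]
    public async Task<IActionResult> Get()
    {
        string authHeader = Request.Headers["Authorization"].ToString();
        if (!authHeader.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase)) return Unauthorized();
        // The token the web app sent us becomes the user assertion; the API app authenticates itself
        // with its own client credential and asks for a token scoped to the downstream API.
        var assertion = new UserAssertion(authHeader.Substring(7), "urn:ietf:params:oauth:grant-type:jwt-bearer");
        var authContext = new AuthenticationContext(Startup.Authority);
        var credential = new ClientCredential(Startup.ApiClientId, Startup.ApiClientSecret);
        AuthenticationResult result = await authContext.AcquireTokenAsync(Startup.DownstreamApiClientId, credential, assertion);
        using (var client = new HttpClient())
        {
            client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
            string body = await client.GetStringAsync("https://downstream-api.example/api/data"); // assumed URL
            return Content(body, "application/json");
        }
    }
}
```

The downstream app registration must list the API app as a permitted client (otherwise the on-behalf-of request fails in the same way as the AADSTS50105 error quoted above), and the middle-tier token is requested for the downstream resource, never forwarded as-is.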