C# 在使用Azure AD登录后使用WebApp以静默方式获取令牌失败?
我已将WebApp和WebAPI注册到同一Azure广告中 我正在尝试从WebApp调用WebAPI 我已在azure AD应用程序中将服务WebAPI添加到我的WebApp中。如下- 当我运行WebAPI时,登录成功后,它会给我一个登录屏幕,我可以访问WebAPI方法。这是正常的行为 当我运行WebApp时,它将显示相同的登录屏幕,登录成功后,我可以看到WebApp 现在我想从WebApp调用WebAPI方法,但我不希望WebAPI出现登录屏幕,因为当我运行WebApp时,我会看到登录屏幕 在登录之后,我希望通过使用同一个用户,我应该能够访问WebAPI,而无需再次进行登录操作,因为我有一个令牌,它将对这两个用户都有效 WebApp和WebAPI WebAPI代码- Startup.Auth.csC# 在使用Azure AD登录后使用WebApp以静默方式获取令牌失败?,c#,.net,azure,azure-active-directory,C#,.net,Azure,Azure Active Directory,我已将WebApp和WebAPI注册到同一Azure广告中 我正在尝试从WebApp调用WebAPI 我已在azure AD应用程序中将服务WebAPI添加到我的WebApp中。如下- 当我运行WebAPI时,登录成功后,它会给我一个登录屏幕,我可以访问WebAPI方法。这是正常的行为 当我运行WebApp时,它将显示相同的登录屏幕,登录成功后,我可以看到WebApp 现在我想从WebApp调用WebAPI方法,但我不希望WebAPI出现登录屏幕,因为当我运行WebApp时,我会看到登录屏幕
public partial class Startup
{
private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
private static string appKey = ConfigurationManager.AppSettings["ida:ClientSecret"];
private static string aadInstance = EnsureTrailingSlash(ConfigurationManager.AppSettings["ida:AADInstance"]);
private static string tenantId = ConfigurationManager.AppSettings["ida:TenantId"];
private static string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];
public static readonly string Authority = aadInstance + tenantId;
// This is the resource ID of the AAD Graph API. We'll need this to request a token to call the Graph API.
string graphResourceId = "https://graph.windows.net";
public void ConfigureAuth(IAppBuilder app)
{
ApplicationDbContext db = new ApplicationDbContext();
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = Authority,
PostLogoutRedirectUri = postLogoutRedirectUri,
Notifications = new OpenIdConnectAuthenticationNotifications()
{
// If there is a code in the OpenID Connect response, redeem it for an access token and refresh token, and store those away.
AuthorizationCodeReceived = (context) =>
{
var code = context.Code;
ClientCredential credential = new ClientCredential(clientId, appKey);
string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
AuthenticationContext authContext = new AuthenticationContext(Authority, new ADALTokenCache(signedInUserID));
AuthenticationResult result = authContext.AcquireTokenByAuthorizationCodeAsync(
code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, graphResourceId).Result;
return Task.FromResult(0);
}
}
});
}
private static string EnsureTrailingSlash(string value)
{
if (value == null)
{
value = string.Empty;
}
if (!value.EndsWith("/", StringComparison.Ordinal))
{
return value + "/";
}
return value;
}
}
[Authorize]
public class TestController : ApiController
{
[HttpGet]
[Route("api/getdata")]
public IEnumerable<string> GetData()
{
return new string[] { "value1", "value2" };
}
}
[Authorize]
public class HomeController : Controller
{
private static string clientIdWebApp = ConfigurationManager.AppSettings["ida:clientIdWebApp"];
private static string clientIdWebApi = ConfigurationManager.AppSettings["ida:clientIdWebApi"];
private static string clientSecretWebApp = ConfigurationManager.AppSettings["ida:clientSecretWebApp"];
private static string aadInstance = (ConfigurationManager.AppSettings["ida:AADInstance"]);
private static string tenantId = ConfigurationManager.AppSettings["ida:TenantId"];
private static string PostLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];
Uri redirectUri = new Uri(PostLogoutRedirectUri);
public static readonly string Authority = aadInstance + tenantId;
public ActionResult Index()
{
return View();
}
public async System.Threading.Tasks.Task<ActionResult> About()
{
ViewBag.Message = "Your application description page.";
try
{
AuthenticationResult result = null;
string userObjectID = ClaimsPrincipal.Current.FindFirst("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier").Value;
AuthenticationContext authContext = new AuthenticationContext(Startup.Authority, new ADALTokenCache(userObjectID));
ClientCredential credential = new ClientCredential(clientIdWebApp, clientSecretWebApp);
//AcquireTokenSilentAsync should have to work as i'm accessing WebAPI using same user I logged in to WebApp
result = authContext.AcquireTokenSilentAsync(clientIdWebApi,credential, new UserIdentifier(userObjectID, UserIdentifierType.UniqueId)).Result;
// gettign exception {"Failed to acquire token silently as no token was found in the cache. Call method AcquireToken"} but I got match id into cache.
// and if use AcquireToken instead then it works but api response is login html //page instead of api output
HttpClient client = new HttpClient();
HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, "https://MYWEBAPI/api/getdata");
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
HttpResponseMessage response = await client.SendAsync(request);
// Return the user's profile in the view.
if (response.IsSuccessStatusCode)
{
string responseString = await response.Content.ReadAsStringAsync();
}
}
catch (AdalException ex)
{
}
return View();
}
}
[Authorize]
public class TestController : ApiController
{
[HttpGet]
[Route("api/getdata")]
public IEnumerable<string> GetData()
{
return new string[] { "value1", "value2" };
}
}
[Authorize]
public class HomeController : Controller
{
private static string clientIdWebApp = ConfigurationManager.AppSettings["ida:clientIdWebApp"];
private static string clientIdWebApi = ConfigurationManager.AppSettings["ida:clientIdWebApi"];
private static string clientSecretWebApp = ConfigurationManager.AppSettings["ida:clientSecretWebApp"];
private static string aadInstance = (ConfigurationManager.AppSettings["ida:AADInstance"]);
private static string tenantId = ConfigurationManager.AppSettings["ida:TenantId"];
private static string PostLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];
Uri redirectUri = new Uri(PostLogoutRedirectUri);
public static readonly string Authority = aadInstance + tenantId;
public ActionResult Index()
{
return View();
}
public async System.Threading.Tasks.Task<ActionResult> About()
{
ViewBag.Message = "Your application description page.";
try
{
AuthenticationResult result = null;
string userObjectID = ClaimsPrincipal.Current.FindFirst("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier").Value;
AuthenticationContext authContext = new AuthenticationContext(Startup.Authority, new ADALTokenCache(userObjectID));
ClientCredential credential = new ClientCredential(clientIdWebApp, clientSecretWebApp);
//AcquireTokenSilentAsync should have to work as i'm accessing WebAPI using same user I logged in to WebApp
result = authContext.AcquireTokenSilentAsync(clientIdWebApi,credential, new UserIdentifier(userObjectID, UserIdentifierType.UniqueId)).Result;
// gettign exception {"Failed to acquire token silently as no token was found in the cache. Call method AcquireToken"} but I got match id into cache.
// and if use AcquireToken instead then it works but api response is login html //page instead of api output
HttpClient client = new HttpClient();
HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, "https://MYWEBAPI/api/getdata");
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
HttpResponseMessage response = await client.SendAsync(request);
// Return the user's profile in the view.
if (response.IsSuccessStatusCode)
{
string responseString = await response.Content.ReadAsStringAsync();
}
}
catch (AdalException ex)
{
}
return View();
}
}
AccountController public class AccountController : BaseMvcController
{
public void SignIn()
{
// Send an OpenID Connect sign-in request.
if (!Request.IsAuthenticated)
{
HttpContext.GetOwinContext().Authentication.Challenge(new AuthenticationProperties { RedirectUri = "/" },
OpenIdConnectAuthenticationDefaults.AuthenticationType);
}
}
public void SignOut()
{
string callbackUrl = Url.Action("SignOutCallback", "Account", routeValues: null, protocol: Request.Url.Scheme);
HttpContext.GetOwinContext().Authentication.SignOut(
new AuthenticationProperties { RedirectUri = callbackUrl },
OpenIdConnectAuthenticationDefaults.AuthenticationType, CookieAuthenticationDefaults.AuthenticationType);
}
public ActionResult SignOutCallback()
{
if (Request.IsAuthenticated)
{
// Redirect to home page if the user is authenticated.
return RedirectToAction("Index", "Home");
}
return View();
}
}
AcquireTokenSilentAsync- 示例代码首先使用授权代码流获取Web API的有效令牌
- 只有当第一个有效令牌存在时,它才会被缓存,后续调用可以由
处理。这也是样本文档的一部分authContext.AcquireTokenSilentAsync
- 资源ID。在Azure AD中注册web API时创建的web API的应用ID URI
- 令牌缓存。缓存访问令牌的对象。请参阅令牌缓存
public override async Task AuthorizationCodeReceived(AuthorizationCodeReceivedContext context)
{
string authorizationCode = context.ProtocolMessage.Code;
string authority = "https://login.microsoftonline.com/" + tenantID
string resourceID = "https://tailspin.onmicrosoft.com/surveys.webapi" // App ID URI
ClientCredential credential = new ClientCredential(clientId, clientSecret);
AuthenticationContext authContext = new AuthenticationContext(authority, tokenCache);
AuthenticationResult authResult = await authContext.AcquireTokenByAuthorizationCodeAsync(
authorizationCode, new Uri(redirectUri), credential, resourceID);
// If successful, the token is in authResult.AccessToken
}
AuthenticationContext authContext = new AuthenticationContext(authority, tokenCache);
var result = await authContext.AcquireTokenSilentAsync(resourceID, credential, new UserIdentifier(userId, UserIdentifierType.UniqueId));
在哪里可以在MVC应用程序中编写此
AuthorizationCodeReceivedAuthorizationCodeReceived