[英]How to validate user credentials in Azure AD with Web application / WebAPI
I have a web application. 我有一个Web应用程序。 In the home page, user will enter the credentials, and system should validate against Azure AD and proceed further.
在主页中,用户将输入凭据,系统应针对Azure AD进行验证并进一步进行操作。
When I use a native app, and use UserCredentials
, it validates the user, but if I use same approach for WebAPI, it throw the exception 当我使用本机应用程序并使用
UserCredentials
,它将验证用户,但是如果我对WebAPI使用相同的方法,则会引发异常
The request body must contain the following parameter: 'client_secret or client_assertion'
请求正文必须包含以下参数:'client_secret或client_assertion'
When I use the WebAPI using clientCredentials
, it generates the accessToken, which do not validate the user credentials. 当我使用带
clientCredentials
的WebAPI clientCredentials
,它会生成accessToken,它不会验证用户凭据。 I also tried passing the credentials as part of httpclient headers in the consequent calls, it is working despite the wrong credentials. 我还尝试在后续调用中将凭据作为httpclient标头的一部分传递,尽管凭据错误,它仍可以正常工作。
string AzureADSTSURL = "https://login.windows.net/{0}/oauth2/token?api-version=1.0";
string GraphPrincipalId = "https://graph.windows.net";
string userid = "userid";
string password = "pass";
string tenantId = "axxx"; // webapi
string clientId = "bxxx";
string clientSecret = "cxxx";
string authString = String.Format(AzureADSTSURL, tenantId);
var context = new AuthenticationContext(authString);
UserCredential userCredentials = new UserCredential(userid, password);
AuthenticationResult authenticationResult = context.AcquireToken(GraphPrincipalId.ToString(), clientId, userCredentials); // this works only if the clientId corresponds to a native app
ClientCredential clientCredential = new ClientCredential(clientId, clientSecret);
AuthenticationResult result = context.AcquireToken(GraphPrincipalId, clientCredential);
HttpClient httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(result.AccessToken, Convert.ToBase64String(UTF8Encoding.UTF8.GetBytes(userid + ':' + password)));
httpClient.GetAsync("http://localhost:11455/Login.aspx");
Is there a way to validate the credentials without using native app? 有没有一种方法可以在不使用本机应用程序的情况下验证凭据? Graph API is not a right choice for this I believe.
我认为,Graph API不是正确的选择。
I was trying to do the same thing, and ran into the same error: 我试图做同样的事情,并遇到了同样的错误:
The request body must contain the following parameter: 'client_secret or client_assertion'
请求正文必须包含以下参数:'client_secret或client_assertion'
I banged my head on it for a while, and then hit up AzureSupport on twitter. 我敲了一下头,然后在Twitter上打了AzureSupport。
Turns out this type of auth is only supported if you set up the Azure AD App as Native Client Application
. 事实证明,只有在将Azure AD应用程序设置为本
Native Client Application
程序时,才支持这种身份验证。 If you set it up as a Web Application
then you get that error because the only way to access a web application in Azure AD is via client ID + secret. 如果将其设置为
Web Application
则会出现该错误,因为在Azure AD中访问Web应用程序的唯一方法是通过客户端ID +机密。
You can have multiple apps on top of a single AD, so you can just set up a second app as native client to authenticate the same users in that directory. 您可以在一个AD上拥有多个应用程序,因此只需将第二个应用程序设置为本地客户端即可对该目录中的相同用户进行身份验证。
You can certainly use WebAPI. 您当然可以使用WebAPI。 Here's how to set it up:
设置方法如下:
If you use Azure Web Apps, which supports ASP.NET MVC then you can use the Azure Active Directory authentication mechanism. 如果使用支持ASP.NET MVC的Azure Web Apps,则可以使用Azure Active Directory身份验证机制。 Here is a blog post describing how to set it up: https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-how-to-configure-active-directory-authentication/
这是描述其设置方法的博客文章: https : //azure.microsoft.com/zh-cn/documentation/articles/app-service-mobile-how-to-configure-active-directory-authentication/
Once you have that, auth will be enabled for your app and you can configure the AAD app in the portal. 完成后,将为您的应用程序启用身份验证,并且您可以在门户中配置AAD应用程序。 See this blog post for more details: http://blogs.technet.com/b/ad/archive/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles.aspx
有关更多详细信息,请参见此博客文章: http : //blogs.technet.com/b/ad/archive/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles。 aspx
Here is an example which shows how to read AAD group claims from a web app: https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims 这是显示如何从Web应用程序读取AAD组声明的示例: https : //github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims
Once you have the tokens, you can then call a Web API, which is shown by this example: https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect 获得令牌后,就可以调用此示例显示的Web API: https : //github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect
There's a good list of AAD examples here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-scenarios/ 这里有一个很好的AAD示例列表: https : //azure.microsoft.com/zh-cn/documentation/articles/active-directory-authentication-scenarios/
Short answer: No 简短答案:否
I would consider this article to be the authoritive answer as to why. 我认为这篇文章是为什么的权威答案。
No web sites/confidential clients
没有网站/机密客户
This is not an ADAL limitation, but an AAD setting.这不是ADAL限制,而是AAD设置。 You can only use those flows from a native client.
您只能使用来自本机客户端的流。 A confidential client, such as a web site, cannot use direct user credentials.
机密客户端(例如网站)不能使用直接用户凭据。
Direct use of username an password is [...] a bit of a Faustian pact – the price you pay for its directness is in the many limitations it entails and the reduced flexibility that it imposes on any solution relying on it.
daccess-ods.un.org daccess-ods.un.org直接使用用户名和密码是浮士德条约的一部分–您因直接性而付出的代价是它受到许多限制,并且依赖于该解决方案的灵活性降低。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.