如何使用Web应用程序/ WebAPI验证Azure AD中的用户凭据
[英]How to validate user credentials in Azure AD with Web application / WebAPI
问题描述
I have a web application. 
我有一个Web应用程序。 In the home page, user will enter the credentials, and system should validate against Azure AD and proceed further. 在主页中,用户将输入凭据,系统应针对Azure AD进行验证并进一步进行操作。
When I use a native app, and use UserCredentials , it validates the user, but if I use same approach for WebAPI, it throw the exception 当我使用本机应用程序并使用UserCredentials ,它将验证用户,但是如果我对WebAPI使用相同的方法,则会引发异常
The request body must contain the following parameter: 'client_secret or client_assertion'
When I use the WebAPI using clientCredentials , it generates the accessToken, which do not validate the user credentials. 当我使用带clientCredentials的WebAPI clientCredentials ,它会生成accessToken,它不会验证用户凭据。 I also tried passing the credentials as part of httpclient headers in the consequent calls, it is working despite the wrong credentials. 我还尝试在后续调用中将凭据作为httpclient标头的一部分传递,尽管凭据错误,它仍可以正常工作。
string AzureADSTSURL = "https://login.windows.net/{0}/oauth2/token?api-version=1.0";
string GraphPrincipalId = "https://graph.windows.net";
string userid = "userid";
string password = "pass";
string tenantId = "axxx"; // webapi
string clientId = "bxxx";
string clientSecret = "cxxx";
string authString = String.Format(AzureADSTSURL, tenantId);
var context = new AuthenticationContext(authString);
UserCredential userCredentials = new UserCredential(userid, password);
AuthenticationResult authenticationResult = context.AcquireToken(GraphPrincipalId.ToString(), clientId, userCredentials); // this works only if the clientId corresponds to a native app
ClientCredential clientCredential = new ClientCredential(clientId, clientSecret);
AuthenticationResult result = context.AcquireToken(GraphPrincipalId, clientCredential);
HttpClient httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(result.AccessToken, Convert.ToBase64String(UTF8Encoding.UTF8.GetBytes(userid + ':' + password)));
httpClient.GetAsync("http://localhost:11455/Login.aspx");
Is there a way to validate the credentials without using native app? 有没有一种方法可以在不使用本机应用程序的情况下验证凭据? Graph API is not a right choice for this I believe. 我认为,Graph API不是正确的选择。
3 个解决方案
解决方案1
4 2016-05-16 14:45:37
I was trying to do the same thing, and ran into the same error: 我试图做同样的事情,并遇到了同样的错误:
The request body must contain the following parameter: 'client_secret or client_assertion'
I banged my head on it for a while, and then hit up AzureSupport on twitter. 我敲了一下头,然后在Twitter上打了AzureSupport。
Turns out this type of auth is only supported if you set up the Azure AD App as Native Client Application . 事实证明,只有在将Azure AD应用程序设置为本Native Client Application程序时,才支持这种身份验证。 If you set it up as a Web Application then you get that error because the only way to access a web application in Azure AD is via client ID + secret. 如果将其设置为Web Application则会出现该错误,因为在Azure AD中访问Web应用程序的唯一方法是通过客户端ID +机密。
You can have multiple apps on top of a single AD, so you can just set up a second app as native client to authenticate the same users in that directory. 您可以在一个AD上拥有多个应用程序,因此只需将第二个应用程序设置为本地客户端即可对该目录中的相同用户进行身份验证。
解决方案2
1 2016-02-17 21:59:34
You can certainly use WebAPI. 您当然可以使用WebAPI。 Here's how to set it up: 设置方法如下:
If you use Azure Web Apps, which supports ASP.NET MVC then you can use the Azure Active Directory authentication mechanism. 如果使用支持ASP.NET MVC的Azure Web Apps,则可以使用Azure Active Directory身份验证机制。 Here is a blog post describing how to set it up: https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-how-to-configure-active-directory-authentication/ 这是描述其设置方法的博客文章: https : //azure.microsoft.com/zh-cn/documentation/articles/app-service-mobile-how-to-configure-active-directory-authentication/
Once you have that, auth will be enabled for your app and you can configure the AAD app in the portal. 完成后,将为您的应用程序启用身份验证,并且您可以在门户中配置AAD应用程序。 See this blog post for more details: http://blogs.technet.com/b/ad/archive/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles.aspx 有关更多详细信息,请参见此博客文章: http : //blogs.technet.com/b/ad/archive/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles。 aspx
Here is an example which shows how to read AAD group claims from a web app: https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims 这是显示如何从Web应用程序读取AAD组声明的示例: https : //github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims
Once you have the tokens, you can then call a Web API, which is shown by this example: https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect 获得令牌后,就可以调用此示例显示的Web API: https : //github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect
There's a good list of AAD examples here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-scenarios/ 这里有一个很好的AAD示例列表: https : //azure.microsoft.com/zh-cn/documentation/articles/active-directory-authentication-scenarios/
解决方案3
1 2016-02-19 18:38:55
Short answer: No 简短答案:否
I would consider this article to be the authoritive answer as to why. 我认为这篇文章是为什么的权威答案。
No web sites/confidential clients
This is not an ADAL limitation, but an AAD setting.Direct use of username an password is [...] a bit of a Faustian pact – the price you pay for its directness is in the many limitations it entails and the reduced flexibility that it imposes on any solution relying on it.
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.