
Azure appservice with Client certificate based or AAD token based authentication

I need a web API hosted in Azure App Service with client-certificate-based or AAD-token-based authentication enabled.

I am migrating one web API from a classic cloud service to Azure App Service. The API supports calls with valid certificates or valid AAD tokens. The code is given below:

using System.Net.Http;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;

// Web API 2 message handler; the class name is assumed, the method body is the one posted.
public class CertOrTokenAuthHandler : DelegatingHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        ClaimsPrincipal principal = null;
        X509Certificate2 cert = request.GetClientCertificate();
        if (cert != null)
        {
            // authenticate client certificate
            // set principal from client certificate
        }
        else
        {
            // get AAD token
            // authenticate & set principal
        }
        if (principal != null)
        {
            request.GetRequestContext().Principal = principal;
        }
        return await base.SendAsync(request, cancellationToken);
    }
}

The issue is that in App Service, for certificate-based calls, request.GetClientCertificate() is returning null instead of an X509Certificate2 object. So I am not able to authenticate certificate-based calls.

I have tried the link below as well, but in that case calling without a certificate is not possible, as it makes the SSL client certificate required for the whole website: https://docs.microsoft.com/en-us/azure/app-service-web/app-service-web-configure-tls-mutual-auth

There are a lot of details missing in your explanation. The shared code snippet is useless.

In Azure App Service, there is a Front-End which sits in front of the VM where the application is hosted. When you enable TLS Mutual Auth for your web app, it is enabled for the entire app. Currently there is no option to do it for specific pages or sub-folders.

When the client accesses the site, the Front-End prompts them for the client certificate. Assuming the client provides the certificate to the Front-End, it then passes this certificate to the back-end VM in the form of a host header "X-ARR-ClientCert".

I don't see this being used anywhere in the above code snippet. This is also explained in the article (Azure App Service TLS Mutual Auth) which you have linked in your question:

protected void Page_Load(object sender, EventArgs e)
{
    NameValueCollection headers = base.Request.Headers;
    string certHeader = headers["X-ARR-ClientCert"];
    if (!String.IsNullOrEmpty(certHeader))
    {
        try
        {
            byte[] clientCertBytes = Convert.FromBase64String(certHeader);
            X509Certificate2 certificate = new X509Certificate2(clientCertBytes);
            // the article's issuer, subject, validity and thumbprint checks follow here
        }
        catch (Exception)
        {
            // header present but not a base64-encoded DER certificate: treat as no certificate
        }
    }
}

You need to read the contents of the X-ARR-ClientCert header, convert it to an X509Certificate2 object, and then run your checks against this.
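Putting the answer's advice into the question's Web API 2 pipeline, as an added example that is not part of the original question or answer: a DelegatingHandler that reads X-ARR-ClientCert, decodes the base64 DER, validates the certificate, and sets the principal, while requests that carry no certificate are passed down the pipeline to whatever AAD bearer-token authentication the API already registers. The handler name, the thumbprint allow-list and the assumption that the issuing CA is in the machine trust store are mine, not from the page.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;

// Added example (not the original post's code). The App Service front end terminates TLS,
// so request.GetClientCertificate() is null; the forwarded header is the only source.
public sealed class ForwardedClientCertHandler : DelegatingHandler
{
    public const string HeaderName = "X-ARR-ClientCert";

    // Assumption: the API trusts a fixed allow-list of client certificates, identified by the
    // SHA-1 hex thumbprint that X509Certificate2.Thumbprint returns. Load these from configuration
    // or Key Vault in a real deployment; the caller passes placeholders here.
    private readonly HashSet<string> _trustedThumbprints;

    public ForwardedClientCertHandler(IEnumerable<string> trustedThumbprints)
    {
        _trustedThumbprints = new HashSet<string>(
            trustedThumbprints.Select(t => t.Replace(" ", "").Replace(":", "")),
            StringComparer.OrdinalIgnoreCase);
    }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        X509Certificate2 cert = TryReadForwardedCertificate(request);
        if (cert == null)
        {
            // No certificate forwarded: let the AAD bearer-token handler registered after this
            // one decide. Absence of the header is not an error, since both modes share one site.
            return await base.SendAsync(request, cancellationToken);
        }

        string reason;
        if (!IsTrusted(cert, DateTime.UtcNow, out reason))
        {
            return request.CreateErrorResponse(
                HttpStatusCode.Forbidden, "Client certificate rejected: " + reason);
        }

        request.GetRequestContext().Principal = PrincipalFromCertificate(cert);
        return await base.SendAsync(request, cancellationToken);
    }

    // Returns the forwarded leaf certificate, or null when the header is absent or is not a
    // base64-encoded DER certificate; a malformed header is treated as "no certificate".
    public static X509Certificate2 TryReadForwardedCertificate(HttpRequestMessage request)
    {
        IEnumerable<string> values;
        if (!request.Headers.TryGetValues(HeaderName, out values)) return null;
        string encoded = values.FirstOrDefault();
        if (string.IsNullOrWhiteSpace(encoded)) return null;
        try
        {
            return new X509Certificate2(Convert.FromBase64String(encoded));
        }
        catch (FormatException) { return null; }
        catch (CryptographicException) { return null; }
    }

    // The front end forwards the leaf only and does not vouch for it: the app checks the
    // validity period, builds the chain to a trusted issuer, and pins to the allow-list.
    public bool IsTrusted(X509Certificate2 cert, DateTime utcNow, out string reason)
    {
        if (utcNow < cert.NotBefore.ToUniversalTime() || utcNow > cert.NotAfter.ToUniversalTime())
        {
            reason = "certificate is outside its validity period";
            return false;
        }
        using (var chain = new X509Chain())
        {
            // Assumption: the issuing CA is in the machine trust store. Revocation checking is
            // off because the App Service sandbox often cannot reach CRL/OCSP endpoints;
            // switch to X509RevocationMode.Online where outbound access is available.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            if (!chain.Build(cert))
            {
                reason = "chain validation failed: " + string.Join("; ",
                    chain.ChainStatus.Select(s => s.StatusInformation.Trim()));
                return false;
            }
        }
        if (!_trustedThumbprints.Contains(cert.Thumbprint))
        {
            reason = "thumbprint " + cert.Thumbprint + " is not on the allow-list";
            return false;
        }
        reason = null;
        return true;
    }

    private static ClaimsPrincipal PrincipalFromCertificate(X509Certificate2 cert)
    {
        var identity = new ClaimsIdentity("ClientCertificate");
        identity.AddClaim(new Claim(ClaimTypes.Name, cert.GetNameInfo(X509NameType.SimpleName, false)));
        identity.AddClaim(new Claim(ClaimTypes.Thumbprint, cert.Thumbprint));
        return new ClaimsPrincipal(identity);
    }
}
```

Register it ahead of the token handler in WebApiConfig, e.g. `config.MessageHandlers.Add(new ForwardedClientCertHandler(new[] { "<thumbprint>" }));`. Two caveats a practitioner should keep in mind: the header is only trustworthy because the App Service front end sets it after negotiating mutual TLS, so when the same code runs locally, behind another proxy, or anywhere a client can reach the process directly, a caller can simply send X-ARR-ClientCert itself; and the front end does not validate the certificate for you, which is why the chain build and the allow-list live in the app. App Service has since added an Optional client certificate mode (the site's `clientCertMode` setting), which prompts for a certificate without rejecting requests that present none; that is what makes the certificate-or-token design in the question workable on a single site.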

Notice: the technical posts on this site are published under the CC BY-SA 4.0 license; if you repost, please cite this site's URL or the original source. For any questions contact yoyou2525@163.com.
