如何挑战Windows Azure Active Directory身份验证?
[英]How to challenge Windows Azure Active Directory authentication?
问题描述
We have a SPA with angularjs 1.6 and asp.net web API. 
我们有一个带有angularjs 1.6和asp.net Web API的SPA。 We use Microsoft Account Authentication in OWIN middleware. 我们在OWIN中间件中使用Microsoft帐户身份验证。
In Startup.Auth.cs 在Startup.Auth.cs中
MicrosoftAccountAuthenticationOptions microsoftAccountAuthenticationOptions = new MicrosoftAccountAuthenticationOptions()
{
Caption = "Connection with your Microsoft account",
ClientId = microsoftAccountAuthenticationConfigurationElement.ClientId,
ClientSecret = microsoftAccountAuthenticationConfigurationElement.ClientSecret,
};
app.UseMicrosoftAccountAuthentication(microsoftAccountAuthenticationOptions);
Our controller method to challenge the authentication 我们的控制器方法挑战认证
[Route("ExternalLogin")]
[HttpPost]
[AllowAnonymous]
public IHttpActionResult ExternalLogin(string authenticationType, string returnUrl)
{
return new ChallengeResult(new List<AuthenticationHeaderValue>(), this)
{
RedirectUri = this.Url.Route("ExternalLoginCallback", new { returnUrl }),
AuthenticationType = authenticationType
};
}
And the ChallengeResult class 还有ChallengeResult类
internal class ChallengeResult : UnauthorizedResult
{
public ChallengeResult(IEnumerable<AuthenticationHeaderValue> challenges, ApiController controller):base(challenges, controller)
{ }
public string AuthenticationType { get; set; }
public string RedirectUri { get; set; }
public override Task<HttpResponseMessage> ExecuteAsync(CancellationToken cancellationToken)
{
HttpContext.Current.GetOwinContext().Authentication.Challenge(new AuthenticationProperties { RedirectUri = this.RedirectUri }, this.AuthenticationType);
return base.ExecuteAsync(cancellationToken);
}
}
This works perfectly. 这很完美。
Now we want add an Office365 authentication. 现在,我们要添加一个Office365身份验证。 So we use Windows Azure Active Directory authentication: 因此,我们使用Windows Azure Active Directory身份验证:
WindowsAzureActiveDirectoryBearerAuthenticationOptions windowsAzureActiveDirectoryBearerAuthenticationOptions = new WindowsAzureActiveDirectoryBearerAuthenticationOptions()
{
Tenant = windowsAzureActiveDirectoryAuthenticationConfigurationElement.Tenant,
TokenValidationParameters = new TokenValidationParameters
{
ValidAudience = windowsAzureActiveDirectoryAuthenticationConfigurationElement.Audience
}
};
app.UseWindowsAzureActiveDirectoryBearerAuthentication(windowsAzureActiveDirectoryBearerAuthenticationOptions);
And we reuse ExternalLogin api to challenge the authentication. 而且,我们重用ExternalLogin api来挑战身份验证。 In this case the client receive a unauthorized result 401 instead of the redirect 302. 在这种情况下,客户端收到未经授权的结果401,而不是重定向302。
My question : Why the authentication challenge doesn't tranform the unauthorized result in redirect result on https://login.microsoftonline.com/ ? 我的问题:为什么身份验证挑战不会在https://login.microsoftonline.com/上的重定向结果中转换未授权的结果?
Note : If use ADAl.js on client side to challenge the authentication then the redirection works. 注意:如果在客户端使用ADAl.js挑战身份验证,则重定向有效。 But I don't wish use the adal.js library 但我不希望使用adal.js库
1 个解决方案
解决方案1
1 已采纳 2018-04-20 07:58:03
In the case of a SPA + API, the API should do Bearer token authentication as you have configured now. 对于SPA + API,该API应该像您现在配置的那样进行Bearer令牌认证。
But the authentication redirect should start from the SPA using ADAL.JS etc. An API should not do 302 redirects for authentication. 但是身份验证重定向应使用ADAL.JS等从SPA开始。API不应执行302重定向以进行身份验证。 If the caller is a program running on a server, what are they supposed to do? 如果调用方是服务器上运行的程序,那么他们应该怎么做? That's why it returns a 401, because authentication failed. 这就是为什么它返回401的原因,因为身份验证失败。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.