添加 Azure AD 连接服务会覆盖 AAD 门户中的重定向 URI
[英]Adding Azure AD connected service overwrites Redirect URIs in AAD Portal
问题描述
I have registered an application in Azure AD (aad.portal.azure.com).
我已经在 Azure AD (aad.portal.azure.com) 中注册了一个应用程序。 I'd like to use this app registration for authentication using OpenIDConnect for several webapps with different hostnames.
我想使用此应用程序注册来使用 OpenIDConnect 对具有不同主机名的多个 web 应用程序进行身份验证。 I can configure several redirect URIs in the portal.我可以在门户中配置多个重定向 URI。
When I create a new project in Visual Studio 2019 and use the Add connected services wizard, it asks me to specify whether to create a new Azure AD application (this option is not allowed by our AAD administrators but I don't want to do it anyway), or to use settings from an existing AAD application.当我在 Visual Studio 2019 中创建新项目并使用添加连接的服务向导时,它要求我指定是否创建新的 Azure AD 应用程序(我们的 AAD 管理员不允许使用此选项,但我不想这样做无论如何),或使用现有 AAD 应用程序中的设置。
The problem is that whatever Redirect URI I specify here, when I save the connected service configuration, visual studio writes that Redirect URI back to the AAD portal and removes any Redirect URIs I already specified there.问题是,无论我在此处指定什么重定向 URI,当我保存连接的服务配置时,Visual Studio 都会将该重定向 URI 写回 AAD 门户并删除我已经在此处指定的任何重定向 URI。
I don't want visual studio to do this.我不希望视觉工作室这样做。 Is there any way to suppress this overwrite behavior, maybe a setting in visual studio?有没有办法抑制这种覆盖行为,也许是视觉工作室中的设置? Otherwise every time I create a new Visual studio solution and run the wizard, I'll need to recreate all of the URIs that were there previously.否则,每次创建新的 Visual Studio 解决方案并运行向导时,我都需要重新创建以前存在的所有 URI。
If it makes a difference, the project type is .net5 current mvc.如果有区别,项目类型是 .net5 current mvc。
Thanks.谢谢。
1 个解决方案
解决方案1
1 已采纳 2021-03-04 02:35:57
I didn't find an official document about this behavior but it does exist.我没有找到关于这种行为的官方文件,但它确实存在。
First of all what we need to know is that, although we can use one app registration for multiple applications/projects, it's not recommended to do so.首先我们需要知道的是,虽然我们可以为多个应用程序/项目使用一个应用程序注册,但不建议这样做。 Because according to the principle of least privilege, we should give different permissions to different applications instead of giving all permissions to all applications.因为按照最小权限的原则,我们应该给不同的应用不同的权限,而不是把所有的权限都给所有的应用。
Visual Studio Add Connected Service feature should follow this principle by default: one app registration is applied to one application. Visual Studio Add Connected Service 功能默认应遵循此原则:一个应用程序注册应用到一个应用程序。 So it removes other redirect url and put the one you specified into App registration.因此它会删除其他重定向 url 并将您指定的重定向放入 App 注册中。
There is a workaround to set the redirect url, which only requires you to do a small manual operation.有一个变通方法来设置重定向url,只需要你做一个小的手动操作。
Leave the Redirect URL as empty when adding Connected Service.添加连接服务时,将重定向 URL保留为空。 It will use the project's SSL URL (eg. https://localhost:44372/signin-oidc ) as the redirect url in your project and won't remove the direct urls in app registration. It will use the project's SSL URL (eg. https://localhost:44372/signin-oidc ) as the redirect url in your project and won't remove the direct urls in app registration.
Then open Add Connected Service again and modify the Redirect URL as what you want, for example: https://localhost:47800/signin-oidc .然后再次打开Add Connected Service并将Redirect URL修改为您想要的,例如: https://localhost:47800/signin-oidc 。 After that, don't forget to add https://localhost:47800/signin-oidc into app registration manually.之后,不要忘记手动将https://localhost:47800/signin-oidc到应用注册中。
It will save more much time than recreating all of the URIs that were there previously.与重新创建以前存在的所有 URI 相比,它将节省更多时间。
UPDATE:更新:
Try to do the change directly in launchUrl under launchUrlSettings.json file.尝试直接在launchUrl文件下的launchUrlSettings.json中进行更改。 And please note the real direct url is this launchUrl + CallbackPath (under appsettings.json file).并且请注意真正的直接url是这个launchUrl + CallbackPath (在appsettings.json文件下)。 So you need to modify CallbackPath as well.因此,您还需要修改CallbackPath 。 This won't update the portal.这不会更新门户。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.