[英]Azure AD Restricts entire ASP.NET Core API
Creating a WASS Blazor ASP.net Core hosted .NET 6 Application secured with Azure AD.创建一个 WASS Blazor ASP.net 核心托管 .NET 6 应用程序,使用 Z3A580F142203677F1F530BC30898ZF6 保护。 I followed this guide: https://docs.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/hosted-with-azure-active-directory?view=aspnetcore-6.0我遵循了本指南: https://docs.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/hosted-with-azure-active-directory?view=aspnetcore-6.0
I only want to restrict access to a few endpoints in my controller.我只想限制对 controller 中几个端点的访问。 I have tried adding and removing the following annotations from my controller:我尝试在 controller 中添加和删除以下注释:
//[Authorize]
[Route("api/wikipages")]
[ApiController]
//[RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes")]
[AllowAnonymous]
public class WikiPageController : ControllerBase
{
Even when I go into the Program.cs
class and comment the app.UseAuthentication();
即使我 go 进入Program.cs
class 并评论app.UseAuthentication();
and app.UseAuthorization();
和app.UseAuthorization();
, I still get the following error when trying to access the API without logging in: , 在不登录的情况下尝试访问 API 时仍然出现以下错误:
Microsoft.AspNetCore.Components.WebAssembly.Rendering.WebAssemblyRenderer[100] Microsoft.AspNetCore.Components.WebAssembly.Rendering.WebAssemblyRenderer[100]
Unhandled exception rendering component: ''未处理的异常渲染组件:''
Microsoft.AspNetCore.Components.WebAssembly.Authentication.AccessTokenNotAvailableException: '' Microsoft.AspNetCore.Components.WebAssembly.Authentication.AccessTokenNotAvailableException:''
at Microsoft.AspNetCore.Components.WebAssembly.Authentication.AuthorizationMessageHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)在 Microsoft.AspNetCore.Components.WebAssembly.Authentication.AuthorizationMessageHandler.SendAsync(HttpRequestMessage 请求,CancellationToken cancelToken)
at Microsoft.Extensions.Http.Logging.LoggingScopeHttpMessageHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)在 Microsoft.Extensions.Http.Logging.LoggingScopeHttpMessageHandler.SendAsync(HttpRequestMessage 请求,CancellationToken cancelToken)
at System.Net.Http.HttpClient.g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)..............在 System.Net.Http.HttpClient.g__Core|83_0(HttpRequestMessage 请求,HttpCompletionOption 完成选项,CancellationTokenSource cts,Boolean disposeCts,CancellationTokenSource pendingRequestsCts,CancellationToken originalCancellation)
This issue has three solutions, you can read this article, it useful to you.这个问题有三个解决方案,你可以阅读这篇文章,它对你有用。
Related Blog:相关博客:
How to send HTTP requests to public API without access token on an authentication enabled Blazor Wasm App? 在启用身份验证的 Blazor Wasm App 上,如何在没有访问令牌的情况下将 HTTP 请求发送到公共 API?
You need add HttpClient
like below.您需要添加HttpClient
如下所示。
public static async Task Main(string[] args)
{
// Add a plain "HttpClient" with a name.
builder.Services.AddHttpClient("BlazorWasmApp.AnonymousAPI", client => {
client.BaseAddress = new Uri(builder.HostEnvironment.BaseAddress);
builder.Services.AddHttpClient("BlazorWasmApp.ServerAPI", ...)
.AddHttpMessageHandler<BaseAddressAuthorizationMessageHandler>();
...
});
And in your page, you can invoke like below.在您的页面中,您可以像下面这样调用。
@* @inject HttpClient Http *@
@inject IHttpClientFactory HttpClientFactory
...
@code {
protected override async Task OnInitializedAsync()
{
...
// Don't get a HttpClient from DI directly for accessing a public API.
// RecentlyUpdates = await Http.GetFromJsonAsync<string[]>("RecentlyUpdates");
// Instead, get a HttpCient from IHttpClientFactory service with name explicitly.
var http = HttpClientFactory.CreateClient("BlazorWasmApp.AnonymousAPI");
RecentlyUpdates = await http.GetFromJsonAsync<string[]>("RecentlyUpdates");
}
Azure AD does not support anonymous auth for you to be able to use the AllowAnonymous attribute in your WebAPI. Azure AD 不支持匿名身份验证,以便您能够在 WebAPI 中使用 AllowAnonymous 属性。 Reference: Azure AD allow anonymous参考: Azure AD允许匿名
If you want to allow the anonymous request, you can implement the authentication using OWIN component instead of using the Easy Auth.如果要允许匿名请求,可以使用 OWIN 组件实现身份验证,而不是使用 Easy Auth。
Here is an example protect the MVC with OpenId component:下面是一个使用 OpenId 组件保护 MVC 的示例:
active-directory-dotnet-webapp-openidconnect 活动目录-dotnet-webapp-openidconnect
For more details refer this SO Thread:有关更多详细信息,请参阅此 SO 线程:
1) AllowAnonymous is not working with azure ad authentication 1) AllowAnonymous 不适用于 azure 广告身份验证
2) How to allow unauthenticated requests to a controller when rest of site is using Azure AD Authentication 2) 当站点的 rest 使用 Azure AD 身份验证时,如何允许对 controller 的未经身份验证的请求
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.