[英]dotnet Web API - MSAL ( Microsoft.Identity.Web ) register multiple authentication providers
I am developing a Web API and using the Microsoft.Identity.Web libraries for securing the APIs.我正在开发 Web API 并使用 Microsoft.Identity.Web 库来保护 API。
I have a scenario where different APIs / Controllers need to accept tokens issued by different Azure AD App Registrations我有一个场景,不同的 API/控制器需要接受由不同的 Azure AD 应用程序注册颁发的令牌
At the moment, I have something like this:目前,我有这样的事情:
services.AddMicrosoftIdentityWebApiAuthentication(Configuration.GetSection("Api1"));
services.AddAuthorization(options =>
{
options.DefaultPolicy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
.Build();
});
...
//Controller1
[Authorize]
[ApiController]
public class Controller1 : ControllerBase
{...}
In the example Above, I use Api1
Configuration section to provide a ClientID
/ Tenant
/ Audience
values for my Azure AD App registration.在上面的示例中,我使用Api1
配置部分为我的 Azure AD 应用程序注册提供ClientID
/ Tenant
/ Audience
值。
I would like to be able to add another Authorization "rule" (?) in a way that I can configure Controller2 to accept tokens from a second App Registration:我希望能够添加另一个授权“规则”(?),以便我可以将 Controller2 配置为接受来自第二个应用程序注册的令牌:
services.AddMicrosoftIdentityWebApiAuthentication(Configuration.GetSection("Api1"));
services.AddMicrosoftIdentityWebApiAuthentication(Configuration.GetSection("Api2")); //this probably won't work as it will clobber the services instance?
services.AddAuthorization(options =>
{
options.DefaultPolicy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
.Build();
});
...
//Controller1
[Authorize] --- With Api1 settings?
[ApiController]
public class Controller1 : ControllerBase
{...}
//Controller2
[Authorize] --- With Api2 settings?
[ApiController]
public class Controller2 : ControllerBase
{...}
The requirements of why I need to use 2 different app registrations are outside of my scope and cannot change.为什么我需要使用 2 个不同的应用程序注册的要求在我的 scope 之外,无法更改。
Currently, I solved this by creating 2 Web API projects / apps but it's come to a point where I really like to consolidate these if possible.目前,我通过创建 2 Web API 项目/应用程序解决了这个问题,但如果可能的话,我真的很想整合这些。
So, you can indeed register multiple Authentication profiles and you use the jwtBearerScheme
as the differentiator when you want to validate against one or another.因此,您确实可以注册多个身份验证配置文件,并且当您想要针对一个或另一个进行验证时,您可以使用jwtBearerScheme
作为区分器。
For Authentication, you can define different authentication requirements for each of the schemes as follows:对于身份验证,您可以为每个方案定义不同的身份验证要求,如下所示:
services.AddMicrosoftIdentityWebApiAuthentication(
Configuration.GetSection("Api1"),
jwtBearerScheme: "Api1Scheme"
);
services.AddMicrosoftIdentityWebApiAuthentication(
Configuration.GetSection("Api2"),
jwtBearerScheme: "Api2Scheme"
);
services.AddAuthorization(options =>
{
options.AddPolicy("Api2Policy", new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.AddAuthenticationSchemes("Api2Scheme")
.RequireRole("SomeRole")
.Build());
options.DefaultPolicy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.AddAuthenticationSchemes("Api1Scheme")
.Build();
});
...
//Controller1
[Authorize] //Because ApiScheme1 is registered as the Default Authorization, no disambiguation needed here
[ApiController]
public class Controller1 : ControllerBase
{...}
//Controller2
[Authorize(AuthenticationSchemes = "Api2Scheme", Policy = "Api2Policy")]
[ApiController]
public class Controller2 : ControllerBase
{...}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.