stackoom
  简体   繁体   中英

Azure AD authentication between applications

 原文  2016-09-24 05:05:03       asp.net/ asp.net-mvc/ azure/ active-directory/ azure-active-directory

Question

I have an application let's name it 'Apple' which is registered with Azure AD having delegated rights on Azure Management API application. When requested to this application it creates azure resource ex. storage account automatically and this works fine.

I have another application which is MVC application and it's also registered with same AD tenant. The second application uses following code for retrieving access token: 

 var clientCredentials = new ClientCredential(ConfigurationManager.AppSettings["AD_ClientID"], ConfigurationManager.AppSettings["AD_Client_AccessKey"]);
 var authContext = new AuthenticationContext(string.Format(ConfigurationManager.AppSettings["AD_Tenant_Login_Url"], ConfigurationManager.AppSettings["AD_Tenant_Id"]));            
 var result = authContext.AcquireTokenAsync(ConfigurationManager.AppSettings["AD_Resource"], clientCredentials);
 if (result == null)
 {
     throw new InvalidOperationException("Could not get the token");
 }
 return result.Result;

The result is an access token having different properties. Now second application, retrives access token with access to resource apple, which it then passes to Apple application in authorization header. 

Authorization:bearer TokenString

The Apple application is having Authorize attribute added to controller. The application is configured with Owin with oauth application with following code 

public void ConfigureAuth(IAppBuilder app)
    {
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
                TokenValidationParameters = new TokenValidationParameters
                {

                    ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
                },
            });
    }

Please note that the access token is retrieved from second application using its own AppId and Secret key; whereas the other(Apple) application uses its own AppId and secret key for validating the token.

So my problem is, the APPLE application always returns 401 not authorize code

1 answers

solution1
 0 ACCPTED  2016-10-20 07:01:54

To above, question, the answer was, Resource ID (during token request) and Audience Id (during validation of token in second application) were not matching. Keeping those same solved the problem.

Then I ran into another issue, which I have described here

It seems, If I work with newer Azure Portal (which is still in preview version), the AD token does not include "Roles" field in JWT token. If I follow same procedure in Older Portal for configuring apps, then AD includes "Roles" field in JWT token and scenario executes as expected.

I should avoid using Azure new portal for preview features at least!

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Azure AD Integrated Authentication Shared Authentication between applications Forms authentication between applications Custom authorization with Azure AD authentication WebForms authentication against Azure AD Alexa skill and Azure AD authentication Azure AD Authentication alongwith Passport Authentication Azure API APP authentication using Azure AD Centralize Authentication Code Between Applications Azure AD Authentication: Redirect to originating page
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM