stackoom
  简体   繁体   中英

OAuth bearer token authentication authorisation code

 原文  2017-08-29 21:49:25       c#/ asp.net/ oauth/ azure-active-directory/ adal

Question

Currently our ASP.NET MVC system is secured using OpenIdConnect and cookie authentication. We've enabled an oauth authentication flow using azure active directory. 

    public void ConfigureAuthOpenIdConnect(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        var cookieAuthenticationOptions = new CookieAuthenticationOptions()
        {
           //...
        };

        app.UseCookieAuthentication(cookieAuthenticationOptions);

        var notifications = new OAOpenIdConnectAuthenticationNotifications();
        var openIdConnectAuthenticationOptions = new OpenIdConnectAuthenticationOptions()
        {
            //...
            Notifications = notifications
        };

        app.UseOpenIdConnectAuthentication(openIdConnectAuthenticationOptions);

        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
           new WindowsAzureActiveDirectoryBearerAuthenticationOptions
           {
               Tenant = ConfigHelper.ClientSettings.TenantName,
               TokenValidationParameters = new TokenValidationParameters
               {
                   ValidAudience = ConfigHelper.ClientSettings.ClientId
               }
           });
    }

Now when we authenticate via OpenIdConnect, we retrieve the authorization code using a custom Notifications on the OpenIdConnectAuthenticationOptions options, this enables us to request and cache resource tokens using ADAL.

The problem occurs when one tries to access our system using an azure AD bearer token, this workflow of getting and caching resource tokens is not present.

So my question is, how can I enable this using the bearer token? How can I request additional resource tokens like we are doing using OpenIdConnect? Is it possible to get an authorization code from a bearer token using ADAL?

1 answers

solution1
 3 ACCPTED  2017-08-30 03:22:34

As you mentioned, you are using OpenID Connect ASP.NET middleware and ADAL .NET to use Azure AD for sign-in, then calls a web API under the signed-in user's identity in OnAuthorizationCodeReceived OpenID Connect notification.

In this scenario, you could use authorization code to exchange it for an access token for a specific resource.

On the other hand, when a client application accesses your system using an azure AD bearer token, there is no authorization code. In this scenario, if you want to use that access token to exchange it to another resource's access token, such as Microsoft Graph, you could use OAuth 2.0 On-Behalf-Of flow . The OAuth 2.0 On-Behalf-Of flow serves the use case where an application invokes a service/web API, which in turn needs to call another service/web API.

For more information about how the protocols work in this scenario, see Authentication Scenarios for Azure AD and On-Behalf-Of flow tutorial . And of course you can use ADAL.NET to perform the On-Behalf-Of flow, see this code sample .

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question OAuth Bearer token Authentication is not passing signature validation Azure Functions root URL authentication with bearer token/OAuth2 OAuth bearer token not working Signalr Bearer token authentication OWIN Bearer Token Authentication OAuth Bearer Token Not Working for WebApi Authentication Swagger with JWT Bearer token SignalR authentication with webAPI Bearer Token How to get an OAuth 2.0 authentication bearer token in C# for Google AutoML? OAuth Bearer token implementation using C#
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM