
How to challenge Windows Azure Active Directory authentication?

We have a SPA with angularjs 1.6 and asp.net web API. We use Microsoft Account Authentication in OWIN middleware.

In Startup.Auth.cs:

MicrosoftAccountAuthenticationOptions microsoftAccountAuthenticationOptions = new MicrosoftAccountAuthenticationOptions()
{
    Caption = "Connection with your Microsoft account",
    ClientId = microsoftAccountAuthenticationConfigurationElement.ClientId,
    ClientSecret = microsoftAccountAuthenticationConfigurationElement.ClientSecret,
};
app.UseMicrosoftAccountAuthentication(microsoftAccountAuthenticationOptions);

Our controller method to challenge the authentication:

[Route("ExternalLogin")]
[HttpPost]
[AllowAnonymous]
public IHttpActionResult ExternalLogin(string authenticationType, string returnUrl)
{
    return new ChallengeResult(new List<AuthenticationHeaderValue>(), this)
    {
        RedirectUri = this.Url.Route("ExternalLoginCallback", new { returnUrl }),
        AuthenticationType = authenticationType
    };
}

And the ChallengeResult class:

internal class ChallengeResult : UnauthorizedResult
{
    public ChallengeResult(IEnumerable<AuthenticationHeaderValue> challenges, ApiController controller) : base(challenges, controller)
    { }

    public string AuthenticationType { get; set; }
    public string RedirectUri { get; set; }

    public override Task<HttpResponseMessage> ExecuteAsync(CancellationToken cancellationToken)
    {
        // Hand the challenge to the OWIN middleware registered under AuthenticationType.
        // A redirect-based middleware (Microsoft Account) rewrites the 401 into a 302 to
        // its login page; the result returned here is still the base UnauthorizedResult.
        HttpContext.Current.GetOwinContext().Authentication.Challenge(
            new AuthenticationProperties { RedirectUri = this.RedirectUri },
            this.AuthenticationType);
        return base.ExecuteAsync(cancellationToken);
    }
}

This works perfectly.

Now we want to add Office365 authentication, so we use Windows Azure Active Directory authentication:

WindowsAzureActiveDirectoryBearerAuthenticationOptions windowsAzureActiveDirectoryBearerAuthenticationOptions = new WindowsAzureActiveDirectoryBearerAuthenticationOptions()
{
    Tenant = windowsAzureActiveDirectoryAuthenticationConfigurationElement.Tenant,
    TokenValidationParameters = new TokenValidationParameters
    {
        ValidAudience = windowsAzureActiveDirectoryAuthenticationConfigurationElement.Audience
    }
};
app.UseWindowsAzureActiveDirectoryBearerAuthentication(windowsAzureActiveDirectoryBearerAuthenticationOptions);

And we reuse the ExternalLogin API to challenge the authentication. In this case the client receives an unauthorized result (401) instead of the redirect (302).

My question: why doesn't the authentication challenge transform the unauthorized result into a redirect to https://login.microsoftonline.com/ ?

Note: if I use ADAL.js on the client side to challenge the authentication, then the redirection works. But I don't wish to use the adal.js library.

In the case of a SPA + API, the API should do Bearer token authentication as you have configured now.

But the authentication redirect should start from the SPA using ADAL.JS etc. An API should not do 302 redirects for authentication. If the caller is a program running on a server, what are they supposed to do? That's why it returns a 401, because authentication failed.
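An added example, not code from the question or the answer, of what the answer is describing on the SPA side: the API keeps answering 401 with a Bearer challenge, and it is the browser app that decides to start the interactive sign-in and navigates to the Azure AD authorize endpoint the way ADAL.js does in the implicit flow. The tenant, client ID, redirect URI and the fixed state/nonce values are constructed placeholders; in a real app state and nonce must be unpredictable per login attempt.

```javascript
// Added example (not from the question or answer): a SPA turning its API's 401
// into an interactive Azure AD sign-in. Tenant, client ID, redirect URI, state
// and nonce below are placeholders, not real values.

// Parse a WWW-Authenticate header into scheme and quoted parameters, e.g.
// 'Bearer error="invalid_token"' -> { scheme: "Bearer", params: { error: "invalid_token" } }.
function parseWwwAuthenticate(headerValue) {
  if (!headerValue) return null;
  const trimmed = headerValue.trim();
  const spaceIdx = trimmed.indexOf(" ");
  const scheme = spaceIdx === -1 ? trimmed : trimmed.slice(0, spaceIdx);
  const params = {};
  if (spaceIdx !== -1) {
    const re = /([A-Za-z0-9_-]+)="([^"]*)"/g;
    let m;
    while ((m = re.exec(trimmed.slice(spaceIdx + 1))) !== null) {
      params[m[1]] = m[2];
    }
  }
  return { scheme, params };
}

// Only the browser app redirects, and only for a 401 that is a Bearer challenge
// (or carries no challenge header at all, as the question's ChallengeResult with an
// empty challenge list does). A 401 asking for Basic or Negotiate is left alone.
function shouldStartInteractiveLogin(status, wwwAuthenticate) {
  if (status !== 401) return false;
  const challenge = parseWwwAuthenticate(wwwAuthenticate);
  return challenge === null || challenge.scheme.toLowerCase() === "bearer";
}

// Build the Azure AD v1 authorize URL for the implicit flow (id_token returned in
// the URL fragment), the request ADAL.js issues when it challenges.
function buildAuthorizeUrl({ tenant, clientId, redirectUri, state, nonce }) {
  const url = new URL(`https://login.microsoftonline.com/${encodeURIComponent(tenant)}/oauth2/authorize`);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("response_type", "id_token");
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("response_mode", "fragment");
  url.searchParams.set("state", state);  // bound to this browser session, checked on return
  url.searchParams.set("nonce", nonce);  // must match the id_token's nonce claim
  return url.toString();
}

// Read id_token and state out of the fragment Azure AD appends to the redirect URI,
// refusing the response when state does not match what this app sent.
function parseCallbackFragment(fragment, expectedState) {
  const raw = fragment.startsWith("#") ? fragment.slice(1) : fragment;
  const params = new URLSearchParams(raw);
  if (params.get("state") !== expectedState) {
    return { ok: false, reason: "state mismatch" };
  }
  const idToken = params.get("id_token");
  if (!idToken) {
    return { ok: false, reason: params.get("error") || "no id_token" };
  }
  return { ok: true, idToken };
}

// Constructed sample: the API response the question describes (401, not 302).
const sampleResponse = {
  status: 401,
  headers: { "www-authenticate": 'Bearer error="invalid_token"' },
};

if (shouldStartInteractiveLogin(sampleResponse.status, sampleResponse.headers["www-authenticate"])) {
  const loginUrl = buildAuthorizeUrl({
    tenant: "contoso.onmicrosoft.com",                  // placeholder tenant
    clientId: "00000000-0000-0000-0000-000000000000",   // placeholder client id
    redirectUri: "https://spa.example/callback",         // placeholder redirect URI
    state: "s-1",                                        // placeholder; use a random value
    nonce: "n-1",                                        // placeholder; use a random value
  });
  console.log("browser would navigate to:", loginUrl);
}
```

In the browser the last step is `window.location.assign(loginUrl)`; the id_token that comes back in the fragment is then sent to the API as `Authorization: Bearer ...`, which is the request the WindowsAzureActiveDirectoryBearerAuthentication middleware validates against the configured Tenant and ValidAudience. A server-to-server caller never sees a redirect; it just gets the 401 and knows to obtain a token itself.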
