
.Net core 2.0 and Multiple Authentication schemes

We have an existing ASP.NET Core 2.0 Web App hosted in Azure PaaS (AppService). We are successfully using OpenID Connect to authenticate our enterprise users with Azure AD.

Now we want to have several on-premise, headless .NET batch jobs which use Application Authentication to call various services/URLs in the App.

We added an application role to the manifest in our Azure tenant, had one of our client applications require that permission in the Azure Portal, and granted the permission. We are only using a single tenant.

We are looking for guidance on what needs to be modified to add support for authentication of the headless batch client apps using application client id + secret.

Questions I have about .AddOpenIdConnect are: does an Audience need to be specified? Does the ResponseType need to be set to something different?

From appsettings.json:

"Authentication": {
  "AzureAd": {
    "AADInstance": "https://login.microsoftonline.com/",
    "CallbackPath": "/signin-oidc",
    "ClientId": "c2141xxx-xxxx-xxxx-xxxx-xxxxxx76fd75",
    "Domain": "xxxxxxxxx.onmicrosoft.com",
    "TenantId": "311cxxxx-xxxx-xxxx-xxxx-xxxxxx8f8604",
    "ClientSecret": "************************",
    "Instance": "https://login.microsoftonline.com/"
  }
}

From startup.cs:

services.AddAuthentication(options =>
{
    // Browser users: cookie holds the session, OIDC handles the challenge.
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(options =>
{
    options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.ClientId = Configuration["Authentication:AzureAd:ClientId"];
    options.ClientSecret = Configuration["Authentication:AzureAd:ClientSecret"];
    // Authority = instance + tenant id (single-tenant app).
    options.Authority = Configuration["Authentication:AzureAd:AADInstance"] + Configuration["Authentication:AzureAd:TenantId"];
    options.CallbackPath = Configuration["Authentication:AzureAd:CallbackPath"];
    options.ResponseType = OpenIdConnectResponseType.IdToken;
    options.GetClaimsFromUserInfoEndpoint = true;
    options.TokenValidationParameters = new TokenValidationParameters
    {
        // Azure AD app roles are delivered in the "roles" claim.
        RoleClaimType = "roles"
    };
    options.Events = new OpenIdConnectEvents()
    {
        OnRemoteFailure = OnAuthenticationFailed,
        OnRedirectToIdentityProvider = OnRedirectToIdentityProvider,
    };
});

On the client application side, we are using the latest ADAL NuGet package to get the bearer token for the app's client app id + secret, and including the bearer token in the authorization header of the HTTP request to the App. The correct role and target audience are listed in the token.

From what I can tell, everything is correct on the client side and configured properly in Azure. The problem appears to be in the code and/or configuration of the ASP.NET Core 2.0 service app.

For headless clients, I suggest JwtBearer. You can use the default Microsoft configuration, adding all the configs that you can find when you add a .NET Core Web API using different authentication options (Work or school account if you are using Azure AD or Office 365).

services.AddAuthentication(options =>
{
    options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddAzureAdBearer(options => _configuration.Bind("AzureAd", options));
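As an added worked example (not code from the question or the answer above), this registers both schemes side by side: cookie + OpenID Connect stays the default for browser users, JwtBearer validates the ADAL client-credential tokens from the batch jobs, and a named authorization policy binds batch endpoints to the bearer scheme so an unauthenticated job gets a 401 instead of a login redirect. The audience values and the role name marked ASSUMPTION are placeholders for values the page does not give; call `MultiSchemeAuth.Configure(services, Configuration)` from `Startup.ConfigureServices`.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public static class MultiSchemeAuth
{
    public static void Configure(IServiceCollection services, IConfiguration config)
    {
        string authority = config["Authentication:AzureAd:AADInstance"]
                         + config["Authentication:AzureAd:TenantId"];
        string clientId = config["Authentication:AzureAd:ClientId"];
        services.AddAuthentication(options =>
        {
            // Browser users keep the existing cookie + OIDC flow as the defaults.
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            options.Authority = authority;
            options.ClientId = clientId;
            options.ClientSecret = config["Authentication:AzureAd:ClientSecret"];
            options.ResponseType = OpenIdConnectResponseType.IdToken;
            options.TokenValidationParameters = new TokenValidationParameters { RoleClaimType = "roles" };
        })
        .AddJwtBearer(options =>
        {
            // Headless jobs send an ADAL client-credential token issued by the same tenant.
            options.Authority = authority;
            options.TokenValidationParameters = new TokenValidationParameters
            {
                // ASSUMPTION: ADAL requested a token for this app's client id or App ID URI.
                ValidAudiences = new[] { clientId, "https://ASSUMPTION-app-id-uri" },
                RoleClaimType = "roles" // app roles from the manifest arrive in this claim
            };
        });
        // Batch endpoints name the bearer scheme explicitly, so a missing or invalid
        // token yields 401 rather than an OIDC redirect to the login page.
        services.AddAuthorization(options =>
            options.AddPolicy("BatchJob", policy => policy
                .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
                .RequireRole("ASSUMPTION.BatchRole"))); // the app role's "value" field
    }
}
```

Decorate the batch-facing controllers with `[Authorize(Policy = "BatchJob")]`; the policy only succeeds when the token carries the expected audience and the app role, so a user token from the browser session is rejected there.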
