
AcquireTokenByAuthorizationCode throws a new exception in a single-tenant application using ASP.NET MVC with Azure Active Directory

I followed this tutorial because I want to create a large team in Microsoft Teams using the Microsoft Graph API. The only difference from the tutorial is that in the Authentication section of the Azure AD admin center I chose the following option:

"Accounts in this organizational directory only (myuniversity only - Single tenant)"

So I changed the code to use the single-tenant endpoint

public void ConfigureAuth(IAppBuilder app)
{
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    app.UseCookieAuthentication(new CookieAuthenticationOptions());

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            
            ClientId = appId,
            //Authority = "https://login.microsoftonline.com/common/v2.0",//
            Authority = "https://login.microsoftonline.com/{tenantid}/v2.0",
            Scope = $"openid email profile offline_access {graphScopes}",
            RedirectUri = redirectUri,
            PostLogoutRedirectUri = redirectUri,
            TokenValidationParameters = new TokenValidationParameters
            {
                // For demo purposes only, see below
                ValidateIssuer = false

                // In a real multi-tenant app, you would add logic to determine whether the
                // issuer was from an authorized tenant
                //ValidateIssuer = true,
                //IssuerValidator = (issuer, token, tvp) =>
                //{
                //  if (MyCustomTenantValidation(issuer))
                //  {
                //    return issuer;
                //  }
                //  else
                //  {
                //    throw new SecurityTokenInvalidIssuerException("Invalid issuer");
                //  }
                //}
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = OnAuthenticationFailedAsync,
                AuthorizationCodeReceived = OnAuthorizationCodeReceivedAsync
            }
        }
    );
}

After the user is authenticated, execution reaches the OnAuthorizationCodeReceivedAsync method, but the AcquireTokenByAuthorizationCode call throws an exception

This is the method

private async Task OnAuthorizationCodeReceivedAsync(AuthorizationCodeReceivedNotification notification)
{
    // No authority is set on the builder here, so MSAL uses its default
    // (the /common endpoint) when it redeems the authorization code.
    var idClient = ConfidentialClientApplicationBuilder.Create(appId)
        .WithRedirectUri(redirectUri)
        .WithClientSecret(appSecret)
        .Build();
    var accounts = await idClient.GetAccountsAsync();
    string message;
    string debug;

    try
    {
        string[] scopes = graphScopes.Split(' ');

        var result = await idClient.AcquireTokenByAuthorizationCode(scopes, notification.Code).ExecuteAsync();

        message = "Access token retrieved.";
        debug = result.AccessToken;
    }
    catch (MsalException ex)
    {
        message = "AcquireTokenByAuthorizationCodeAsync threw an exception";
        debug = ex.Message;
    }

    var queryString = $"message={message}&debug={debug}";
    if (queryString.Length > 2048)
    {
        queryString = queryString.Substring(0, 2040) + "...";
    }

    notification.HandleResponse();
    notification.Response.Redirect($"/Home/Error?{queryString}");
}

The exception is:

AcquireTokenByAuthorizationCodeAsync threw an exception

AADSTS50194: Application 'application ID' (ASP.NET Graph Tutorial) is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant. Trace ID: 5f0fbf2e-5d63-40d4-a833-ca8627a02d00

Correlation ID: 3ec4ec7b-0c86-4e2b-a053-9823f977499d Timestamp: 2021-02-16 20:21:03Z

I only want to use single-tenant authentication for my organization

If you want to request an AD token for a specific tenant through MSAL.NET, you can tell the SDK which tenant to acquire the token from by specifying that tenant's authority. For more details, see here

For example

private static string appId = ConfigurationManager.AppSettings["ida:AppId"];
private static string appSecret = ConfigurationManager.AppSettings["ida:AppSecret"];
private static string redirectUri = ConfigurationManager.AppSettings["ida:RedirectUri"];
private static string graphScopes = ConfigurationManager.AppSettings["ida:AppScopes"];

public void ConfigureAuth(IAppBuilder app)
{
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    app.UseCookieAuthentication(new CookieAuthenticationOptions());

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = appId,
            // Tenant-specific authority for the OpenID Connect sign-in
            Authority = "https://login.microsoftonline.com/<your tenant id>/v2.0",
            Scope = $"openid email profile offline_access {graphScopes}",
            RedirectUri = redirectUri,
            PostLogoutRedirectUri = redirectUri,
            TokenValidationParameters = new TokenValidationParameters
            {
                // For demo purposes only, see below
                ValidateIssuer = false

                // In a real multi-tenant app, you would add logic to determine whether the
                // issuer was from an authorized tenant
                //ValidateIssuer = true,
                //IssuerValidator = (issuer, token, tvp) =>
                //{
                //  if (MyCustomTenantValidation(issuer))
                //  {
                //    return issuer;
                //  }
                //  else
                //  {
                //    throw new SecurityTokenInvalidIssuerException("Invalid issuer");
                //  }
                //}
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = OnAuthenticationFailedAsync,
                AuthorizationCodeReceived = OnAuthorizationCodeReceivedAsync
            }
        }
    );
}

private async Task OnAuthorizationCodeReceivedAsync(AuthorizationCodeReceivedNotification notification)
{
    // The same tenant-specific authority must be given to MSAL, otherwise the
    // code is redeemed at /common and AAD answers with AADSTS50194.
    var idClient = ConfidentialClientApplicationBuilder.Create(appId)
        .WithRedirectUri(redirectUri)
        .WithClientSecret(appSecret)
        .WithAuthority("https://login.microsoftonline.com/<your tenant id>")
        .Build();

    string message;
    string debug;

    try
    {
        string[] scopes = graphScopes.Split(' ');

        var result = await idClient.AcquireTokenByAuthorizationCode(
            scopes, notification.Code).ExecuteAsync();

        message = "Access token retrieved.";
        // Tutorial debug output only: an access token must not be placed in a URL in production
        debug = result.AccessToken;
    }
    catch (MsalException ex)
    {
        message = "AcquireTokenByAuthorizationCodeAsync threw an exception";
        debug = ex.Message;
    }

    var queryString = $"message={message}&debug={debug}";
    if (queryString.Length > 2048)
    {
        queryString = queryString.Substring(0, 2040) + "...";
    }

    notification.HandleResponse();
    notification.Response.Redirect($"/Home/Error?{queryString}");
}

private Task OnAuthenticationFailedAsync(AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
{
    notification.HandleResponse();
    string redirect = $"/Home/Error?message={notification.Exception.Message}";
    if (notification.ProtocolMessage != null && !string.IsNullOrEmpty(notification.ProtocolMessage.ErrorDescription))
    {
        redirect += $"&debug={notification.ProtocolMessage.ErrorDescription}";
    }
    notification.Response.Redirect(redirect);
    return Task.FromResult(0);
}

After the change I get "'authority' should be in URI format. Parameter name: authority"
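The single-tenant setup the answer describes, written out as an added example; this is not the question's, the answer's or the Microsoft tutorial's code. It assumes one extra app setting, ida:TenantId, holding the directory (tenant) ID GUID from the app registration, and the hypothetical helper TenantAuthority() builds both the OWIN and the MSAL authority from it. It also goes two steps beyond the answer: it rejects a tenant value that is not a GUID at startup (a leftover placeholder such as <your tenant id> can never form a valid authority URI), and it turns issuer validation on instead of leaving ValidateIssuer = false, which for a single-tenant app is the whole point of the tenant-specific endpoint.

```csharp
// Added example: single-tenant Startup.Auth.cs for ASP.NET MVC (OWIN) + MSAL.NET.
// Assumed app settings: ida:AppId, ida:AppSecret, ida:RedirectUri, ida:AppScopes
// and ida:TenantId (the directory ID GUID, e.g. 72f988bf-86f1-41af-91ab-2d7cd011db47).
using System;
using System.Configuration;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    private static readonly string appId = ConfigurationManager.AppSettings["ida:AppId"];
    private static readonly string appSecret = ConfigurationManager.AppSettings["ida:AppSecret"];
    private static readonly string redirectUri = ConfigurationManager.AppSettings["ida:RedirectUri"];
    private static readonly string graphScopes = ConfigurationManager.AppSettings["ida:AppScopes"];
    private static readonly string tenantId = ConfigurationManager.AppSettings["ida:TenantId"];

    // Hypothetical helper: fail at startup if ida:TenantId is not a GUID. A placeholder
    // like "<your tenant id>" or "{tenantid}" cannot form a valid authority URI, and the
    // v2.0 issuer claim always carries the tenant GUID, so the GUID form is what
    // ValidIssuer below has to match.
    private static string TenantAuthority()
    {
        Guid parsed;
        if (!Guid.TryParse(tenantId, out parsed))
        {
            throw new ConfigurationErrorsException(
                "ida:TenantId must be the directory (tenant) ID GUID, not a placeholder.");
        }
        return "https://login.microsoftonline.com/" + parsed.ToString("D");
    }

    public void ConfigureAuth(IAppBuilder app)
    {
        string authority = TenantAuthority();

        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = appId,
            Authority = authority + "/v2.0",
            Scope = $"openid email profile offline_access {graphScopes}",
            RedirectUri = redirectUri,
            PostLogoutRedirectUri = redirectUri,
            TokenValidationParameters = new TokenValidationParameters
            {
                // Single tenant: only this tenant's v2.0 issuer is acceptable.
                // ValidateIssuer = false would accept an ID token minted for any tenant.
                ValidateIssuer = true,
                ValidIssuer = authority + "/v2.0",
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = OnAuthenticationFailedAsync,
                AuthorizationCodeReceived = OnAuthorizationCodeReceivedAsync
            }
        });
    }

    private async Task OnAuthorizationCodeReceivedAsync(AuthorizationCodeReceivedNotification notification)
    {
        // Without an explicit authority MSAL redeems the code at /common, which a
        // single-tenant registration rejects with AADSTS50194.
        IConfidentialClientApplication idClient = ConfidentialClientApplicationBuilder.Create(appId)
            .WithRedirectUri(redirectUri)
            .WithClientSecret(appSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .Build();

        try
        {
            AuthenticationResult result = await idClient
                .AcquireTokenByAuthorizationCode(graphScopes.Split(' '), notification.Code)
                .ExecuteAsync();

            // Keep the token server-side (MSAL's cache); never put it in a redirect URL,
            // where it ends up in browser history, proxy logs and Referer headers.
            // Only a non-secret expiry marker goes on the signed-in identity.
            notification.AuthenticationTicket.Identity.AddClaim(
                new Claim("graph_token_expires", result.ExpiresOn.ToString("o")));
        }
        catch (MsalException ex)
        {
            notification.HandleResponse();
            notification.Response.Redirect("/Home/Error?message=" + Uri.EscapeDataString(ex.ErrorCode));
        }
    }

    private Task OnAuthenticationFailedAsync(
        AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
    {
        notification.HandleResponse();
        notification.Response.Redirect("/Home/Error?message=" + Uri.EscapeDataString(notification.Exception.Message));
        return Task.FromResult(0);
    }
}
```

Two things to check after wiring this in: the value in ida:TenantId is the Directory (tenant) ID shown on the app registration's Overview page, and the Authentication blade still says "Single tenant", since that is what makes /common fail in the first place. On the error path only the short MSAL error code (for example invalid_grant) is echoed to the browser; the full message, which can include request details, belongs in server logs.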
