[英]c# .NET 6.0 API using Azure AD token (called from Blazor server side) returns 401 unautorized
我有一个 Blazor 服务器应用程序,它使用 Azure AD 登录。 这工作正常,但是当在我的 API controller 上设置 [Authorize] 时,controller 返回 401 未授权事件,尽管 Bearer 令牌已传递。
我可以看到令牌在 API 中传递,所以我有点卡住了。 配置问题或某些代码错误? 任何帮助,将不胜感激。
Blazor 项目的 Azure 配置:
Azure Blazor 设置(服务器端项目):
Blazor 的授权设置: Blazor 的授权设置
为 Blazor 添加的秘密:为 Blazor 添加的秘密
Api Blazor 权限: Api Blazor 权限
API 项目的 Azure 配置:
Azure 设置为 API: Azure 设置为 API
API 的身份验证设置: API 的身份验证设置
API permissions for API (probably tooman, found a guide that suggested adding more): API permissions for API (probably tooman, found a guide that suggested adding more)
Exposed an API for API (type-o in admin.accsess): Exposed an API for API (type-o in admin.accsess)
blazor项目代码:
appsettings.json(一旦这个工作,新的秘密将被制作并移动到 keyvault):`
{
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"ClientId": "3c 8c",
"TenantId": "eb a0",
"Scopes": "api://3c 8c/admin.accsess"
},
"Logging": {
"LogLevel": {
"Default": "Information",
"Microsoft": "Warning",
"Microsoft.Hosting.Lifetime": "Information"
}
},
"AllowedHosts": "*"
}
`
Startup.cs`
public void ConfigureServices(IServiceCollection services)
{
services.AddMicrosoftIdentityWebAppAuthentication(Configuration)
.EnableTokenAcquisitionToCallDownstreamApi(new string[] { Configuration["AzureAd.Scopes"] })
.AddInMemoryTokenCaches();
services.AddHttpContextAccessor();
services.AddControllersWithViews(options =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
}).AddMicrosoftIdentityUI();
services.AddAuthorization(options =>
{
// By default, all incoming requests will be authorized according to the default policy
options.FallbackPolicy = options.DefaultPolicy;
});
services.AddRazorPages();
services.AddServerSideBlazor()
.AddMicrosoftIdentityConsentHandler();
[...]
}
`
`
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Error");
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
app.UseHsts();
}
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
endpoints.MapBlazorHub();
endpoints.MapFallbackToPage("/_Host");
});
}
`
测试 controller 以尝试调用 api(始终从 api 获得 401):`
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Diagnostics;
using Microsoft.Identity.Web;
using Newtonsoft.Json.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
namespace S********.Controllers
{
[Authorize]
public class TenantController : Controller
{
private readonly IHttpClientFactory _clientFactory;
private readonly ITokenAcquisition _tokenAcquisitionService;
private HttpClient _client;
public TenantController(IHttpClientFactory clientFactory, ITokenAcquisition tokenAcquisitionService)
{
_clientFactory = clientFactory;
_tokenAcquisitionService = tokenAcquisitionService;
}
public IActionResult Index()
{
return View();
}
public async Task<IActionResult> GetStuff()
{
string[] scopes = { "api://3c*******************c8c/admin.accsess" };
string accessToken = await _tokenAcquisitionService.GetAccessTokenForUserAsync(scopes);
_client = _clientFactory.CreateClient();
_client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
var response = await _client.GetAsync("https://localhost:44394/api/SystemConfig/GetByName/System.Tenants");
return Ok(response);
}
}
}
`
API项目代码:
应用设置.json:
{
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "custodisas.onmicrosoft.com",
"TenantId": "eb a0",
"ClientId": "7d de",
"ClientSecret": "G 5",
"CallbackPath": "/auth-response"
},
"Logging": {
"LogLevel": {
"Default": "Information",
"Microsoft": "Warning",
"Microsoft.Hosting.Lifetime": "Information"
}
},
"AllowedHosts": "*"
}
启动.cs:
`
public void ConfigureServices(IServiceCollection services)
{
var NlogSetup = new SetupLogger();
NLogConfig = NlogSetup.SetUpLogger("C://Logtest//Skynet//SiloApi.txt").Result;
LogManager.Configuration = NLogConfig;
Logger = LogManager.GetLogger("SkynetAPI");
Logger.Info("Logger up and running");
services.AddAuthentication(AzureADDefaults.JwtBearerAuthenticationScheme)
.AddAzureADBearer(options => Configuration.Bind("AzureAd", options));
// Have tried both with and without scope as required claim
var scopePolicy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
//.RequireClaim("scope", "api://3c7*****************c8c/admin.accsess")
.Build();
// Have tried both with and without adding scopepolicy as filter
services.AddMvc(options =>
{
//options.Filters.Add(new AuthorizeFilter(scopePolicy));
options.EnableEndpointRouting = false;
});
[...other services...]
services.AddControllers();
[...other services...]
}
`
`
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseHttpsRedirection();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
});
app.UseMvc(routes =>
{
routes.MapRoute(name: "default", template: "api/{controller}/{action}/{id?}");
});
}
`
Controller 被调用(删除 [Authorize] 时返回正确的信息):`
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Web.Resource;
using Newtonsoft.Json;
using NLog;
using Orleans;
using *****.Grains.Interfaces;
using *****.Grains.Interfaces.Core.ApplicationScheduler;
using *****.Shared.Core;
using *****.Shared.Core.ApplicationScheduler;
using *****.Shared.Core.GrainStates;
using *****.Shared.Core.RunApplication;
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.Identity.Web;
using Microsoft.AspNetCore.Cors;
using System.IdentityModel.Tokens.Jwt;
namespace *****.API.Controllers
{
[Authorize]
[Route("api/[controller]")]
[ApiController]
public class SystemConfigController : MasterController
{
public SystemConfigController(Logger logger, IClusterClient clusterClient) : base(logger, clusterClient)
{
}
[HttpGet]
[Route("GetByName/{configGrainName}")]
public async Task<ActionResult<string>> GetSystemConfigByName(string configGrainName)
{
// Tried adding this code to get the token, it is passed and I can see it when removing [Authorize]
var re = Request;
var headers = re.Headers;
var tokenString = headers["Authorization"];
Logger.Info("Token: \n\n" + tokenString + "\n\n");
var tmpGrain = clusterClient.GetGrain<I*****>(0);
return JsonConvert.SerializeObject(await tmpGrain.GetSystemGrainByName(configGrainName));
}
}
}
`
主控制器:`
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using NLog;
using Orleans;
namespace *****.API.Controllers
{
[Route("api/[controller]")]
[ApiController]
public class MasterController : ControllerBase
{
// TODO: Get from config.
public Guid SystemID { get; set; } = Guid.Parse("a9****************71c");
public Logger Logger;
public IClusterClient clusterClient;
public MasterController(Logger logger, IClusterClient client)
{
Logger = logger;
clusterClient = client;
}
}
}
`
希望这是足够的信息。 我完全被卡住了,所以任何帮助将不胜感激。 谢谢:)
我试图在我的环境中重现。
给定 API 权限,向 API 申请并授予管理员同意您的申请。
api://43xxxxxxx6b3edf/admin.access和api://438xxxxx-a788-xxxx/user.access公开了一个 API 部分,因此它们都必须在代码中给出。
***对于 client_credentials scope 访问您的 api 必须是 api://<client_id>/.default
给上面的scope后我就可以成功拿到token了。***
从C#调用Yelp Fusion API v3会返回401未经授权,并出现TOKEN_MISSING错误
[英]Yelp Fusion API v3 returns 401 Unauthorized with TOKEN_MISSING error when called from c#
Azure AD - 在 C# Web API 中使用来自 Angular SPA 的图 API 访问令牌
[英]Azure AD - Using Graph API access token from Angular SPA in C# Web API
使用 Azure AD 验证返回 401
[英]Sending a GET request to an ASP.NET Core Web Application API using Azure AD Authentication returns 401
如何在 C# ASP.NET Core 6.0 中从 Azure AD 检索用户拥有的所有组?
[英]How to retrieve all the groups that a user has from Azure AD in C# ASP.NET Core 6.0?
Blazor 服务器端和 Azure B2C 使用邀请登录,如何使用返回的令牌进行身份验证?
[英]Blazor Server Side and Azure B2C Login using invite, how to authenticate with returned token?
无法使用 Blazor 服务器应用程序调用安全下游 Web API 使用 Azure AD B2C
[英]Cannot get a Blazor Server App to call a secure downstream Web API using Azure AD B2C
如何将Daemon或Server的Azure AD OAuth2访问令牌和刷新令牌转换为C#ASP.NET Web API
[英]How do I get Azure AD OAuth2 Access Token and Refresh token for Daemon or Server to C# ASP.NET Web API
Web API (.NET Framework) Azure AD 身份验证始终返回 401 Unauthorized
[英]Web API (.NET Framework) Azure AD Authentication always returns 401 Unauthorized
将 blob 从一个 Azure 容器复制到另一个使用 ASP.NET Core 6.0 MVC 和 C#
[英]Copy blobs from one Azure container to another using ASP.NET Core 6.0 MVC with C#
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.