
AcquireTokenByAuthorizationCode throws a new exception in a single-tenant application using ASP.NET MVC with Azure Active Directory

I tried this tutorial because I want to use the Microsoft Graph API to create a large number of teams in Microsoft Teams. The only difference from the tutorial is that in the Authentication section of the Azure AD admin center I used the following option:

"Accounts in this organizational directory only (myuniversity only - Single tenant)"

So I changed the code to use the endpoint for a single tenant:

public void ConfigureAuth(IAppBuilder app)
{
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    app.UseCookieAuthentication(new CookieAuthenticationOptions());

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            
            ClientId = appId,
            //Authority = "https://login.microsoftonline.com/common/v2.0",//
            Authority = "https://login.microsoftonline.com/{tenantid}/v2.0",
            Scope = $"openid email profile offline_access {graphScopes}",
            RedirectUri = redirectUri,
            PostLogoutRedirectUri = redirectUri,
            TokenValidationParameters = new TokenValidationParameters
            {
                // For demo purposes only, see below
                ValidateIssuer = false

                // In a real multi-tenant app, you would add logic to determine whether the
                // issuer was from an authorized tenant
                //ValidateIssuer = true,
                //IssuerValidator = (issuer, token, tvp) =>
                //{
                //  if (MyCustomTenantValidation(issuer))
                //  {
                //    return issuer;
                //  }
                //  else
                //  {
                //    throw new SecurityTokenInvalidIssuerException("Invalid issuer");
                //  }
                //}
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = OnAuthenticationFailedAsync,
                AuthorizationCodeReceived = OnAuthorizationCodeReceivedAsync
            }
        }
    );
}

After the user is authenticated, the code reaches the OnAuthorizationCodeReceivedAsync method, but an exception is thrown in the AcquireTokenByAuthorizationCode method.

Here is the method:

private async Task OnAuthorizationCodeReceivedAsync(AuthorizationCodeReceivedNotification notification)
{
    var idClient = ConfidentialClientApplicationBuilder.Create(appId)
        .WithRedirectUri(redirectUri)
        .WithClientSecret(appSecret)
        .Build();
    var accounts = await idClient.GetAccountsAsync();
    string message;
    string debug;

    try
    {
        string[] scopes = graphScopes.Split(' ');

        var result = await idClient.AcquireTokenByAuthorizationCode(scopes, notification.Code).ExecuteAsync();

        message = "Access token retrieved.";
        debug = result.AccessToken;
    }
    catch (MsalException ex)
    {
        message = "AcquireTokenByAuthorizationCodeAsync threw an exception";
        debug = ex.Message;
    }

    var queryString = $"message={message}&debug={debug}";
    if (queryString.Length > 2048)
    {
        queryString = queryString.Substring(0, 2040) + "...";
    }

    notification.HandleResponse();
    notification.Response.Redirect($"/Home/Error?{queryString}");
}

The exception is:

AcquireTokenByAuthorizationCodeAsync threw an exception

AADSTS50194: Application 'application ID'(ASP.NET Graph Tutorial) is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant. Trace ID: 5f0fbf2e-5d63-40d4-a833-ca8627a02d00

Correlation ID: 3ec4ec7b-0c86-4e2b-a053-9823f977499d Timestamp: 2021-02-16 20:21:03Z

I just want to use single-tenant authentication for my organization.

If you want to request an AD token for a specific tenant via MSAL.NET, you can tell the SDK which tenant to get the token from by specifying that tenant's authority. For more details, see here.

For example:

private static string appId = ConfigurationManager.AppSettings["ida:AppId"];
private static string appSecret = ConfigurationManager.AppSettings["ida:AppSecret"];
private static string redirectUri = ConfigurationManager.AppSettings["ida:RedirectUri"];
private static string graphScopes = ConfigurationManager.AppSettings["ida:AppScopes"];

public void ConfigureAuth(IAppBuilder app)
{
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    app.UseCookieAuthentication(new CookieAuthenticationOptions());

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = appId,
            Authority = "https://login.microsoftonline.com/<your tenant id>/v2.0",
            Scope = $"openid email profile offline_access {graphScopes}",
            RedirectUri = redirectUri,
            PostLogoutRedirectUri = redirectUri,
            TokenValidationParameters = new TokenValidationParameters
            {
                // For demo purposes only, see below
                ValidateIssuer = false

                // In a real multi-tenant app, you would add logic to determine whether the
                // issuer was from an authorized tenant
                //ValidateIssuer = true,
                //IssuerValidator = (issuer, token, tvp) =>
                //{
                //  if (MyCustomTenantValidation(issuer))
                //  {
                //    return issuer;
                //  }
                //  else
                //  {
                //    throw new SecurityTokenInvalidIssuerException("Invalid issuer");
                //  }
                //}
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = OnAuthenticationFailedAsync,
                AuthorizationCodeReceived = OnAuthorizationCodeReceivedAsync
            }
        }
    );
}

private async Task OnAuthorizationCodeReceivedAsync(AuthorizationCodeReceivedNotification notification)
{
    var idClient = ConfidentialClientApplicationBuilder.Create(appId)
         .WithRedirectUri(redirectUri)
         .WithClientSecret(appSecret)
         .WithAuthority("https://login.microsoftonline.com/<your tenant id>")
         .Build();

    string message;
    string debug;

    try
    {
        string[] scopes = graphScopes.Split(' ');

        var result = await idClient.AcquireTokenByAuthorizationCode(
            scopes, notification.Code).ExecuteAsync();

        message = "Access token retrieved.";
        debug = result.AccessToken;
    }
    catch (MsalException ex)
    {
        message = "AcquireTokenByAuthorizationCodeAsync threw an exception";
        debug = ex.Message;
    }

    var queryString = $"message={message}&debug={debug}";
    if (queryString.Length > 2048)
    {
        queryString = queryString.Substring(0, 2040) + "...";
    }

    notification.HandleResponse();
    notification.Response.Redirect($"/Home/Error?{queryString}");
}

private Task OnAuthenticationFailedAsync(AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
{
    notification.HandleResponse();
    string redirect = $"/Home/Error?message={notification.Exception.Message}";
    if (notification.ProtocolMessage != null && !string.IsNullOrEmpty(notification.ProtocolMessage.ErrorDescription))
    {
        redirect += $"&debug={notification.ProtocolMessage.ErrorDescription}";
    }
    notification.Response.Redirect(redirect);
    return Task.FromResult(0);
}

After the change I get "'authority' should be in URI format. Parameternamn: authority"
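Pulling the answer's tenant-specific authority and the follow-up "URI format" error together, the following is an added example of my own; it is not code from the question, the answer, or the Graph tutorial. It assumes one extra web.config key, ida:TenantId, holding the Directory (tenant) ID from the app registration's Overview page, a helper BuildAuthority that I introduce, and the same MSAL.NET and OWIN OpenID Connect packages the page's code already uses. MSAL throws that ArgumentException when the authority string fails its well-formed-absolute-URI check, which is what a placeholder such as "<your tenant id>" (it contains spaces) left literally in the string produces; that reading of the follow-up comment is my assumption, so the helper applies the same check at startup and names the offending value. The example also goes one step past both snippets on the page, which keep ValidateIssuer = false: for a single-tenant app the middleware can pin the issuer to the tenant's v2.0 authority, and the same tenant authority is handed to MSAL so both halves of the flow agree on which directory is trusted.

```csharp
using System;
using System.Configuration;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    private static string appId = ConfigurationManager.AppSettings["ida:AppId"];
    private static string appSecret = ConfigurationManager.AppSettings["ida:AppSecret"];
    private static string redirectUri = ConfigurationManager.AppSettings["ida:RedirectUri"];
    private static string graphScopes = ConfigurationManager.AppSettings["ida:AppScopes"];
    // Assumed extra setting (not among the page's web.config keys): the Directory (tenant) ID.
    private static string tenantId = ConfigurationManager.AppSettings["ida:TenantId"];

    // One tenant-specific authority used on both sides of the flow:
    //   MSAL takes it without the protocol version;
    //   the OWIN OpenID Connect middleware takes the v2.0 form, which is also the
    //   'iss' value carried by v2.0 tokens issued for this tenant.
    private static readonly string MsalAuthority = BuildAuthority(tenantId);
    private static readonly string OidcAuthority = MsalAuthority + "/v2.0";

    // Hypothetical helper: fail at startup with a readable message rather than letting
    // MSAL reject the string later. A placeholder left in the value ("<your tenant id>")
    // is not a well-formed absolute URI and is caught here.
    internal static string BuildAuthority(string tenant)
    {
        if (string.IsNullOrWhiteSpace(tenant))
        {
            throw new InvalidOperationException("ida:TenantId is missing from web.config");
        }

        string authority = $"https://login.microsoftonline.com/{tenant}";
        if (!Uri.IsWellFormedUriString(authority, UriKind.Absolute))
        {
            throw new InvalidOperationException(
                $"'{tenant}' is not a usable tenant ID or domain; replace the placeholder with the real directory ID");
        }
        return authority;
    }

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = appId,
                Authority = OidcAuthority,
                Scope = $"openid email profile offline_access {graphScopes}",
                RedirectUri = redirectUri,
                PostLogoutRedirectUri = redirectUri,
                TokenValidationParameters = new TokenValidationParameters
                {
                    // Single tenant: accept only id_tokens issued by this directory.
                    // With ValidateIssuer = false a token from any Azure AD tenant would sign in.
                    ValidateIssuer = true,
                    ValidIssuer = OidcAuthority
                },
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    AuthorizationCodeReceived = OnAuthorizationCodeReceivedAsync
                }
            });
    }

    private async Task OnAuthorizationCodeReceivedAsync(AuthorizationCodeReceivedNotification notification)
    {
        var idClient = ConfidentialClientApplicationBuilder.Create(appId)
            .WithRedirectUri(redirectUri)
            .WithClientSecret(appSecret)
            .WithAuthority(MsalAuthority)   // same tenant the middleware just validated
            .Build();

        string[] scopes = graphScopes.Split(' ');

        // Redeem the code; MSAL keeps the resulting tokens in its own cache for later
        // Graph calls. The token is deliberately not copied into a redirect URL here.
        AuthenticationResult result =
            await idClient.AcquireTokenByAuthorizationCode(scopes, notification.Code).ExecuteAsync();
    }
}
```

The page's debugging handler puts the raw access token into the /Home/Error query string, where it ends up in browser history and web server logs; the example leaves it in MSAL's cache instead and surfaces only the MSAL exception message if redemption fails, which the existing OnAuthenticationFailedAsync handler already covers for protocol errors.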
