我设置了两个Azure活动目录应用程序。
为简洁起见,使用App-A和App-B。
A是一个webapp,在本地主机上运行,而B发布到somedomain.azurewebsites.net,并公开一个webapi。
都设置为:
app.UseCookieAuthentication(new CookieAuthenticationOptions(){
AutomaticAuthenticate = true,
AutomaticChallenge = true
});
app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions{
AutomaticAuthenticate = true,
AutomaticChallenge = true,
ClientId = Configuration["Authentication:AzureAd:ClientId"],
Authority = Configuration["Authentication:AzureAd:AADInstance"] + Configuration["Authentication:AzureAd:TenantId"],
CallbackPath = Configuration["Authentication:AzureAd:CallbackPath"],
TokenValidationParameters = new TokenValidationParameters{
SaveSigninToken = true,
},
Events = new OpenIdConnectEvents{
OnAuthenticationFailed = OnAuthenticationFailed,
OnAuthorizationCodeReceived = OnAuthorizationCodeReceived,
OnMessageReceived = OnMessageReceived,
OnTicketReceived = OnTicketRecieved,
OnTokenValidated = OnTokenValidated,
OnUserInformationReceived = OnUserInformationReceived,
OnTokenResponseReceived = OnTokenResponseRecieved,
OnRemoteFailure = OnRemoteFailure
}
});
现在App-B允许委派权限给App-A,反之亦然。我还将App-A的回复URL添加到App-B, http://localhost:5000/signin-oidc
App-A在试图访问[Authorize] 'd控制器时,他们必须登录并从Microsoft路由到登录页面。现在在这个登录页面,我怎么能立即允许访问App-B web-api从第一次登录?我可以从最初的握手/登录中以某种方式发送访问令牌吗?或者进行另一次往返以收集类似于下面的令牌的正确方法是什么?
如果我需要做另一个往返,是否有一个示例代码块的地方是最新的?我似乎无法使这段代码工作。
我找到的所有例子都是这样的:
private Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedContext context){
var code = context.Code;
ClientCredential credential = new ClientCredential(clientId, appKey);
string tenantID = context.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
AuthenticationContext authContext = new AuthenticationContext(string.Format("https://login.windows.net/{0}", tenantID), new EFADALTokenCache(signedInUserID));
AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, graphResourceID);
但是我甚至没有看到code是上下文的属性?我现在用的是最新版本的netcore。
我的主要目标是使用从初始登录中检索到的令牌对App-B端点进行HttpClient调用。
上下文对象已更改:
context.ProtocolMessage.Code
代码流将自动将访问令牌存储在缓存中,您可以随后使用:
authContext.AcquireTokenSilentAsync
使用最新的。netcore更新的示例:
https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect-aspnetcore/tree/master/WebApp-WebAPI-OpenIdConnect-DotNet