我在 O365 身份验证方面遇到了一个烦人的问题,我使用的方法与 MS Graph 快速入门项目的示例项目中的方法相同。
它大约在 30 分钟前工作,当我在私人浏览器中打开应用程序时,实际上仍然有效。
调用图形 API 时,我收到错误
代码:身份验证失败
消息:错误 - 需要身份验证质询
在调用AcquireTokenSilentAsync时的SampleAuthProviderGetUserAccessTokenAsync方法中:
public async Task<string> GetUserAccessTokenAsync()
{
string signedInUserID = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value;
HttpContextWrapper httpContext = new HttpContextWrapper(HttpContext.Current);
TokenCache userTokenCache = new SessionTokenCache(signedInUserID, httpContext).GetMsalCacheInstance();
//var cachedItems = tokenCache.ReadItems(appId); // see what's in the cache
ConfidentialClientApplication cca = new ConfidentialClientApplication(
appId,
redirectUri,
new ClientCredential(appSecret),
userTokenCache,
null);
try
{
AuthenticationResult result = await cca.AcquireTokenSilentAsync(scopes.Split(new char[] { ' ' }), cca.Users.First());
return result.AccessToken;
}
// Unable to retrieve the access token silently.
catch (Exception)
{
HttpContext.Current.Request.GetOwinContext().Authentication.Challenge(
new AuthenticationProperties() { RedirectUri = "/" },
OpenIdConnectAuthenticationDefaults.AuthenticationType);
throw new ServiceException(
new Error
{
Code = GraphErrorCode.AuthenticationFailure.ToString(),
Message = "Error - auth challenge needed",
});
}
}
所以我尝试使用默认方法注销以查看是否可以重新进行身份验证,但我再也没有看到登录屏幕,当我在帐户控制器中调用登录操作时,它说请求已通过身份验证:
public void SignIn()
{
if (!Request.IsAuthenticated)
{
// Signal OWIN to send an authorization request to Azure.
HttpContext.GetOwinContext().Authentication.Challenge(
new AuthenticationProperties { RedirectUri = "/" },
OpenIdConnectAuthenticationDefaults.AuthenticationType);
}
}
// Here we just clear the token cache, sign out the GraphServiceClient, and end the session with the web app.
public void SignOut()
{
if (Request.IsAuthenticated)
{
// Get the user's token cache and clear it.
string userObjectId = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value;
SessionTokenCache tokenCache = new SessionTokenCache(userObjectId, HttpContext);
HttpContext.GetOwinContext().Authentication.SignOut(OpenIdConnectAuthenticationDefaults.AuthenticationType, CookieAuthenticationDefaults.AuthenticationType);
}
SDKHelper.SignOutClient();
// Send an OpenID Connect sign-out request.
HttpContext.GetOwinContext().Authentication.SignOut(
CookieAuthenticationDefaults.AuthenticationType);
Response.Redirect("/");
}
}
同样,这在私人浏览器窗口中工作正常。系统要求我登录,我可以使用 SDK 查询图形 API。
我也可以在不同的浏览器中很好地运行代码,因此这显然与浏览器缓存我的凭据有关,但是如何在不清除整个浏览器历史记录的情况下克服这一点?
为什么?如果代码认为我已登录,即使我注销了,我应该如何进行身份验证为什么SignOut方法不注销我?
请有人建议,我完全迷路了
您可能希望调用 do 以如下示例:https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect/blob/master/TodoListWebApp/Controllers/TodoListController.cs#L116:
// Send an OpenID Connect sign-in request to get a new set of tokens.
// If the user still has a valid session with Azure AD, they will not be prompted for their credentials.
// The OpenID Connect middleware will return to this controller after the sign-in response has been handled.
//
HttpContext.GetOwinContext().Authentication.Challenge(
new AuthenticationProperties(),
OpenIdConnectAuthenticationDefaults.AuthenticationType)
或者只是在其他控制器上调用登录
此外,注销只是故事的一部分。 它会触发与 Azure AD 的往返,该 AD 请求应用删除 AAD 会话 Cookie。 还需要处理来自 Azure AD 的此回调,如在EndSession方法中所示
https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect/blob/master/TodoListWebApp/Controllers/AccountController.cs#L56
我建议您阅读 active-directory-dotnet-webapp-webapi-openidconnect 的 Readme.md,以了解在您的 Web 应用程序中注册此 EndSession 操作。