I have an ASP.NET SPA with adal-js based authentication, and an ASP.NET Web Api site with Azure Active Directory authentication.
Both sites are hosted on Azure, on different hostnames, say
https://foo.azurewebsites.com/ and https://fooapi.azurewebsites.com/
The Web Api site's authorization is configured as
    using System.Configuration;
    using System.IdentityModel.Tokens;
    using Microsoft.Owin.Security.ActiveDirectory;
    using Owin;

    public partial class Startup
    {
        public void ConfigureAuth(IAppBuilder app)
        {
            // Accept bearer tokens issued by AAD; the token's aud claim must match
            // ida:Audience and the issuer must belong to ida:Tenant.
            app.UseWindowsAzureActiveDirectoryBearerAuthentication(
                new WindowsAzureActiveDirectoryBearerAuthenticationOptions
                {
                    TokenValidationParameters = new TokenValidationParameters()
                    {
                        ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
                    },
                    Tenant = ConfigurationManager.AppSettings["ida:Tenant"]
                });
        }
    }
and the main SPA's adal.js is initialized as:
    var authContext;

    // Wrapped in a function so the early "return" below is valid JavaScript;
    // in the app this runs at startup.
    (function initAuth() {
        var config = {
            instance: "https://login.microsoftonline.com/",
            tenant: "mytenant",
            clientId: "client id of foo registration",
            postLogoutRedirectUri: "https://foo.azurewebsites.com/",
            cacheLocation: "localStorage"
        };
        authContext = new AuthenticationContext(config);

        // Check for & handle redirect from AAD after login
        var isCallback = authContext.isCallback(window.location.hash);
        authContext.handleWindowCallback();
        var errorMessage = authContext.getLoginError();
        if (isCallback && !errorMessage) {
            window.location = authContext._getItem(authContext.CONSTANTS.STORAGE.LOGIN_REQUEST);
        }

        // Check if view requires authentication
        if (!authContext.getCachedUser()) {
            authContext.config.redirectUri = window.location.href;
            authContext.login();
            return;
        }
    })();
The tenant for foo and fooapi is the same; the client ids are different (one per app registration).
The authentication flow in the foo web app succeeds, but every http request to fooapi returns 401 Unauthorized.
How do I make fooapi share foo's successful authentication?
Thanks for any hints.
You can use the implicit grant flow in AAD so that the ID token is received and sent in the auth header on API calls. See the links below for details and sample code.
https://azure.microsoft.com/en-gb/documentation/articles/active-directory-authentication-scenarios/single-page-application-spa
https://github.com/Azure-Samples/active-directory-angularjs-singlepageapp

How do I get an access token for the web API?
To make sure the request succeeds, you need to acquire the token for the resource you configured in the web API. You can paste the token here to check whether the aud claim equals the value of ida:Audience.
Also make sure the token is issued from the tenant you configured in the web API project, since you did not disable tenant validation.
Please configure your web API endpoint in endpoints and add it to the initialization.
    // Map of API URL prefix -> resource id (app id of the API registration);
    // adal requests a token for this resource when calling that URL.
    var endpoints = {
        "https://yourhost/api": "b6a68585-5287-45b2-ba82-383ba1f60932",
    };

    adalAuthenticationServiceProvider.init(
        {
            // Config to specify endpoints and similar for your app
            tenant: "52d4b072-9470-49fb-8721-bc3a1c9912a1", // Optional by default, it sends common
            clientId: "e9a5a8b6-8af7-4719-9821-0deef255f68e", // Required
            //localLoginUrl: "/login", // optional
            //redirectUri : "your site", optional
            endpoints: endpoints // If you need to send CORS api requests.
        },
        $httpProvider // pass http provider to inject request interceptor to attach tokens
    );
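The two answers above hinge on the same point: the SPA must request a token whose aud claim is the API's own audience (the endpoints map decides which resource adal asks a token for) and whose tid is the tenant the API validates. The following added example is not part of the question or either answer and is not adal.js code; it is a small self-contained diagnostic that mirrors those checks so you can see why a token acquired for the SPA's own clientId is rejected while one acquired for the API resource passes. The config values, the endpoints map, and the tokens are constructed placeholders (the tokens are unsigned fixtures with an empty signature part, used only to inspect claims; the real API still verifies the signature, issuer and audience server-side).

```javascript
// Added example: client-side view of the audience/tenant checks the Web API
// performs. Not adal.js code; all values below are constructed placeholders.

// Hypothetical values mirroring the API's web.config settings.
const apiConfig = {
  audience: "https://fooapi.azurewebsites.com/",    // ida:Audience (assumption)
  tenantId: "00000000-0000-0000-0000-000000000001"  // ida:Tenant as a GUID (placeholder)
};

// Hypothetical adal.js `endpoints` map: request URL prefix -> resource id.
const endpoints = {
  "https://fooapi.azurewebsites.com/api": "https://fooapi.azurewebsites.com/"
};

// Resolve which resource a request URL belongs to by prefix match.
// Simplified stand-in for adal's endpoint lookup, not adal's own code.
function resourceForUrl(url, endpointMap) {
  for (const prefix of Object.keys(endpointMap)) {
    if (url.indexOf(prefix) === 0) return endpointMap[prefix];
  }
  return null; // adal would fall back to the SPA's own clientId here
}

// Decode the payload of a compact JWT WITHOUT verifying the signature.
// Only for inspecting claims while debugging; never use this to accept a token.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  let b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  while (b64.length % 4) b64 += "=";
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Explain why the API would answer 401 for this token, or return null if the
// audience, tenant and expiry all match what the API is configured to accept.
function explainRejection(token, cfg) {
  const claims = decodeJwtPayload(token);
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(cfg.audience)) {
    return "aud " + JSON.stringify(claims.aud) + " != expected audience " + cfg.audience;
  }
  if (claims.tid !== cfg.tenantId) {
    return "tid " + claims.tid + " != expected tenant " + cfg.tenantId;
  }
  if (typeof claims.exp === "number" && claims.exp * 1000 < Date.now()) {
    return "token expired";
  }
  return null;
}

// Build a constructed, unsigned JWT-shaped fixture (test data only; the
// signature segment is left empty, so no verifier would ever accept it).
function makeFixtureToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return enc({ typ: "JWT" }) + "." + enc(claims) + ".";
}

// Far-future expiry so the fixtures stay "valid" for the expiry check.
const farFuture = 4102444800; // 2100-01-01T00:00:00Z

// Token issued for the SPA's own clientId: the failing case in the question.
const spaToken = makeFixtureToken({
  aud: "client id of foo registration", tid: apiConfig.tenantId, exp: farFuture
});
// Token issued for the API resource: what acquireToken for the API returns.
const apiToken = makeFixtureToken({
  aud: apiConfig.audience, tid: apiConfig.tenantId, exp: farFuture
});

console.log(resourceForUrl("https://fooapi.azurewebsites.com/api/items", endpoints));
console.log(explainRejection(spaToken, apiConfig)); // aud mismatch -> 401
console.log(explainRejection(apiToken, apiConfig)); // null -> accepted
```

Run it with node; the first token is rejected on aud, the second passes, which is exactly the difference between calling the API with the SPA's login token and with a token acquired for the resource listed in endpoints.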