【发布时间】:2017-04-27 05:34:31
【问题描述】:
我创建了一个运行良好的多租户 Web API。现在我想构建一个本地客户端进行测试。 Web API 应用程序在一个租户 (webapitenant) 中定义。测试应用是在另一个租户 (clienttenant) 中定义的,该租户已授予管理员对 Web API 的同意。
我已在 Web API 的应用清单中将 testClientId 添加为 knownClientApplication 并启用了 oauth2AllowImplicitFlow。测试客户端已被授予对 Web API 应用的权限。
获取访问令牌:
var userCredential = new UserCredential("admin@clienttenant.onmicrosoft.com", "password");
var context = new AuthenticationContext("https://login.windows.net/common");
return context.AcquireToken("https://webapitenant.onmicrosoft.com/webApiResourceUri", testClientId, userCredential).AccessToken;
抛出异常: 'Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException' in Microsoft.IdentityModel.Clients.ActiveDirectory.dll
其他信息:AADSTS65001: The user or administrator has not consented to use the application with ID 'nativeclientid'. Send an interactive authorization request for this user and resource.
抛出异常: 'Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException' in Microsoft.IdentityModel.Clients.ActiveDirectory.dll
其他信息:AADSTS65001: The user or administrator has not consented to use the application with ID nativeclientid. Send an interactive authorization request for this user and resource.
更新 我创建了一个虚拟控制台应用程序来强制提交我可以接受的同意书。 ADAL 现在返回令牌,但我的 Web API 拒绝它们(状态 401)。
var parameters = new PlatformParameters(PromptBehavior.Always);
var context = new AuthenticationContext("https://login.windows.net/common");
var token = context.AcquireTokenAsync
("https://webapi.onmicrosoft.com/appuri",
"testappid",
new Uri("https://webapi.azurewebsites.net"), parameters).Result.AccessToken;
Console.WriteLine(token); //Output: oauth token
var client = new HttpClient
{
BaseAddress = new Uri("https://webapi.azurewebsites.net/api/")
};
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
var response = client.GetAsync("tenants").Result;
Console.WriteLine(response.Content.ReadAsStringAsync().Result);
// Output: {"$type":"System.Web.Http.HttpError, System.Web.Http","Message":"Authorization has been denied for this request."}
【问题讨论】:
标签: oauth-2.0 azure-active-directory multi-tenant adal