【问题标题】:Local account and option for Azure AD authentication using IdentityServer3使用 IdentityServer3 进行 Azure AD 身份验证的本地帐户和选项
【发布时间】:2017-09-14 11:05:52
【问题描述】:

我是 IdentityServer 的新手。我们要求应用程序允许访问多个 Web API。到目前为止,身份验证是使用数据库在本地完成的,并且有另一种方法可以通过 Azure AD 进行身份验证。

我希望我的仪表板应用程序使用 IdentityServer3(目前工作正常)进行身份验证,或者使用外部提供程序(在本例中为 Azure AD)进行身份验证。

但是我一直在得到

在确定您要登录的应用程序时出错。返回应用程序并重试

服务器的配置,我用的是CustomViewServicefound at here

我正在将 Azure AD 添加到外部提供商列表中:

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{

  ClientId = "xxxxxx-xxx-xxx-xx-04ec8dbxxxx",
  Authority = "https://login.windows.net/[domain name]",
  RedirectUri = "https://localhost:44333/core",
  PostLogoutRedirectUri = "http://localhost:36336/",
  AuthenticationType = "Azure AD",
  Caption = "Azure AD",
  TokenValidationParameters = new TokenValidationParameters
  {
    NameClaimType = "name",
    RoleClaimType = "role"
  },
  SignInAsAuthenticationType = "Cookies",

  Notifications = new OpenIdConnectAuthenticationNotifications
  {
    MessageReceived = m =>
    {
      var split = m.ProtocolMessage.AccessToken;
      return Task.FromResult(0);
    },
    AuthenticationFailed = context =>
    {
      context.HandleResponse();
      context.Response.Redirect("/Error?message=" + context.Exception.Message);
      return Task.FromResult(0);
    },
    RedirectToIdentityProvider = (context) =>
    {
      context.ProtocolMessage.DomainHint = "[domain name here]";
      return Task.FromResult(0);
    }
  }
});

我看到 Azure AD 登录屏幕,之后应用程序被转移回位于 https://localhost:44333/core/callback 的 IdentityServ3

我的客户在http://localhost:36336/

客户端配置为:

public void Configuration(IAppBuilder app)
{
  // For more information on how to configure your application, visit http://go.microsoft.com/fwlink/?LinkID=316888
  JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();

  app.UseCookieAuthentication(new CookieAuthenticationOptions
  {
    AuthenticationType = "Cookies"
  });

  app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
  {
    ClientId = "mvc.owin.hybrid.2",
    Authority = "https://localhost:44333/core",
    RedirectUri = "http://localhost:36336/",
    PostLogoutRedirectUri = "http://localhost:36336/",
    ResponseType = "code id_token",
    Scope = "openid profile read write offline_access",

    TokenValidationParameters = new TokenValidationParameters
    {
      NameClaimType = "name",
      RoleClaimType = "role"
    },

    SignInAsAuthenticationType = "Cookies",

    Notifications = new OpenIdConnectAuthenticationNotifications
    {
      AuthorizationCodeReceived = async n =>
      {
        // use the code to get the access and refresh token
        var tokenClient = new TokenClient(
        "https://localhost:44333/core/connect/token",
        "mvc.owin.hybrid.2",
        "secret");

        var tokenResponse = await tokenClient.RequestAuthorizationCodeAsync(
        n.Code, n.RedirectUri);

        if (tokenResponse.IsError)
        {
          throw new Exception(tokenResponse.Error);
        }

        // use the access token to retrieve claims from userinfo
        var userInfoClient = new UserInfoClient(
        new Uri(n.Options.Authority + "/connect/userinfo"),
        tokenResponse.AccessToken);

        var userInfoResponse = await userInfoClient.GetAsync();

        // create new identity
        var id = new ClaimsIdentity(n.AuthenticationTicket.Identity.AuthenticationType);
        id.AddClaims(userInfoResponse.GetClaimsIdentity().Claims);

        id.AddClaim(new Claim("access_token", tokenResponse.AccessToken));
        id.AddClaim(new Claim("expires_at", DateTime.Now.AddSeconds(tokenResponse.ExpiresIn).ToLocalTime().ToString()));
        id.AddClaim(new Claim("refresh_token", tokenResponse.RefreshToken));
        id.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken));
        id.AddClaim(new Claim("sid", n.AuthenticationTicket.Identity.FindFirst("sid").Value));

        n.AuthenticationTicket = new AuthenticationTicket(
        new ClaimsIdentity(id.Claims, n.AuthenticationTicket.Identity.AuthenticationType, "name", "role"),
        n.AuthenticationTicket.Properties);
      },

      RedirectToIdentityProvider = n =>
      {
        // if signing out, add the id_token_hint
        if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
        {
          var idTokenHint = n.OwinContext.Authentication.User.FindFirst("id_token");

          if (idTokenHint != null)
          {
            n.ProtocolMessage.IdTokenHint = idTokenHint.Value;
          }
        }

        return Task.FromResult(0);
      }
    }
  });
}

【问题讨论】:

  • 您能否进行 Fiddler 跟踪或使用开发人员工具 (F12) 查看 Azure AD 对 IdentityServer 的响应? Azure AD 是发回令牌还是错误消息?
  • azure 广告工作正常,我检查了 azure abt 用户身份验证的日志

标签: c# azure-active-directory identityserver3


【解决方案1】:

设法解决了。

我忘了实现AspNetIdentityUserService 特别是方法AuthenticateExternalAsync

一旦我将用户和声明从 Azure 映射到它工作的本地用户。

此外,如果您需要隐藏本地登录屏幕并希望您的客户端直接转到 Azure AD 登录屏幕,请确保在客户端属性中将 EnableLocalLogin 设置为 false

【讨论】:

    猜你喜欢
    • 2016-08-14
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 2019-03-13
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    相关资源
    最近更新 更多