【Question title】: Azure Active Directory API always shows forbidden message
【Posted】: 2020-03-25 05:46:10
【Question】:

I am a beginner at implementing with Azure Active Directory. I have a Web API (.NET Core) protected by Azure Active Directory. I am trying to consume my Web API via Postman, and I know it needs an OAuth2 token to use the Web API. I have generated the OAuth2 token according to the documentation link.

After generating the OAuth2 token, I add it to the header as Authorization: Bearer e...., but the result is always as shown in the image below.

I have confirmed that I granted the required permissions in the "API permissions" section, and that the "Permission type" is "Delegated" in the Azure portal.

Please see my Startup class:

public class Startup
{
    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
    }

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc(o =>
        {
            o.Filters.Add(new AuthorizeFilter("default"));
        }).SetCompatibilityVersion(CompatibilityVersion.Version_2_1);

        services.AddAuthorization(o =>
        {
            o.AddPolicy("default", policy =>
            {
                // Require the basic "Access app-name" claim by default
                policy.RequireClaim(DotNetCoreApiSample.Authorization.Constants.ScopeClaimType, "user_impersonation");
            });
        });

        services
            .AddAuthentication(o =>
            {
                o.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
            })
            .AddJwtBearer(o =>
            {
                o.Authority = Configuration["Authentication:Authority"];
                o.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
                {
                    // Both App ID URI and client id are valid audiences in the access token
                    ValidAudiences = new List<string>
                    {
                        Configuration["Authentication:AppIdUri"],
                        Configuration["Authentication:ClientId"]
                    }
                };
            });
        // Add claims transformation to split the scope claim value
        services.AddSingleton<IClaimsTransformation, AzureAdScopeClaimTransformation>();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        // Very important that this is before MVC (or anything that will require authentication)
        app.UseAuthentication();

        app.UseMvc();
    }
}

【Question discussion】:

    Tags: .net azure asp.net-web-api azure-active-directory azureportal


    【Solution 1】:

    In my test, once you have configured the policy, you can request the access token with the scope {your resource url}/user_impersonation and then call your application with that access token. Otherwise you will get a 403 error. Please check your access token via the link to make sure of your scope.

    My test code is as follows. 1. Startup.cs

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
        // Tenant id read from configuration and used for the authority and issuer URLs below
        var tenantId = Configuration["AzureAd:TenantId"];
        services
            .AddAuthentication(o =>
            {
                o.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
            })
            .AddJwtBearer(o =>
            {
                o.Authority = $"https://login.microsoftonline.com/{tenantId}/v2.0";
                o.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
                {
                    // Accept tokens issued by both the v1 and the v2 endpoint of the tenant
                    ValidIssuers = new[] {
                        $"https://sts.windows.net/{tenantId}/",
                        $"https://login.microsoftonline.com/{tenantId}/v2.0"
                    },
                    // Both App ID URI and client id are valid audiences in the access token
                    ValidAudiences = new List<string>
                    {
                        "<app id>",
                        "<app id url>"
                    }
                };
            });
        services.AddAuthorization(o =>
        {
            o.AddPolicy("default", policy =>
            {
                policy.RequireClaim("http://schemas.microsoft.com/identity/claims/scope", "user_impersonation");
            });
        });
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseHsts();
        }
        app.UseAuthentication();

        app.UseHttpsRedirection();
        app.UseMvc();
    }

    2. Test

      a. Get the access token

      b. Call the API
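
A way to do the check the answer recommends before sending the token to the API. This is an added example, not code from the question or the answer: it decodes the payload of an access token (without verifying the signature, which remains the job of the API's JwtBearer middleware) and reports whether the aud claim matches one of the API's configured audiences and whether the space-separated scp claim contains user_impersonation. The audience values and the sample tokens are constructed placeholders.

```python
import base64
import json

# Claim names as they appear in an Azure AD access token: "aud" and the
# space-separated "scp" claim that the API's policy maps to its scope claim type.
AUDIENCE_CLAIM = "aud"
SCOPE_CLAIM = "scp"


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims of a compact JWS.

    The signature is deliberately not verified: this only inspects which claims
    the token carries. Signature, issuer and audience enforcement stay with the
    API's JwtBearer middleware.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated parts")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str, expected_audiences, required_scope="user_impersonation"):
    """List the reasons the API would reject this token; an empty list means it should pass."""
    claims = decode_jwt_payload(token)
    problems = []
    aud = claims.get(AUDIENCE_CLAIM)
    if aud not in expected_audiences:
        problems.append(f"audience {aud!r} is not in {sorted(expected_audiences)}")
    # scp is one space-separated string; split it the way the claims transformation does
    scopes = claims.get(SCOPE_CLAIM, "").split()
    if required_scope not in scopes:
        problems.append(f"scope {required_scope!r} missing; token carries {scopes}")
    return problems


def _constructed_token(payload: dict) -> str:
    """Build a constructed demo token with a dummy signature (a real API would never accept it)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'typ': 'JWT', 'alg': 'RS256'})}.{enc(payload)}.dummy-signature"


# Constructed sample values: an App ID URI and a client id standing in for the real ones.
EXPECTED_AUDIENCES = {"api://example-api", "00000000-0000-0000-0000-000000000000"}
GOOD_TOKEN = _constructed_token({"aud": "api://example-api", "scp": "user_impersonation"})
BAD_TOKEN = _constructed_token({"aud": "api://example-api", "scp": "User.Read openid"})
```

Running check_token on a token copied from Postman against the audiences in your configuration tells you whether a 403 comes from a missing scope or from a wrong audience before you touch the API.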

    【Discussion】:
