I have an MVC application that authenticates users and obtains an access token for the Graph API. The application runs without problems. Now, when the application is deployed to an Azure Web Site, the application's settings differ from what is configured in the code. When run locally it continues to work without problems and reflects the expected configuration.


    private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
    private static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
    private static string tenantId = ConfigurationManager.AppSettings["ida:TenantId"];
    private static string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];
    private static string authority = aadInstance + tenantId + "/v2.0";
    private static string appKey = ConfigurationManager.AppSettings["ida:ClientSecret"];
    private static string scopes = "openid profile offline_access";
    string graphResourceId = "https://graph.windows.net";

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,
                Authority = authority,
                Scope = scopes,
                ResponseType = OpenIdConnectResponseTypes.CodeIdToken,
                TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
                {
                    // we inject our own multitenant validation logic
                    ValidateIssuer = true,
                    // map the ClaimsPrincipal's roles to the roles claim
                    RoleClaimType = "roles"
                },
                Notifications = new OpenIdConnectAuthenticationNotifications()
                {
                    AuthorizationCodeReceived = OnAuthorizationCodeReceivedAsync,
                    RedirectToIdentityProvider = (context) =>
                    {
                        // This ensures that the address used for sign in and sign out is picked up dynamically from the request
                        // this allows you to deploy your app (to Azure Web Sites, for example) without having to change settings
                        // Remember that the base URL of the address used here must be provisioned in Azure AD beforehand.
                        string appBaseUrl = context.Request.Scheme + "://" + context.Request.Host + context.Request.PathBase;
                        context.ProtocolMessage.RedirectUri = appBaseUrl;
                        context.ProtocolMessage.PostLogoutRedirectUri = appBaseUrl;
                        return Task.FromResult(0);
                    }
                }
            });
    }

When navigating to the site hosted on the Azure Web Site, I get the following URL:


Note that response_type (second line) and scope (fifth line) differ from what is configured.



Can anyone help me find out why this happens? I need response_type to be code id_token so that I can use the authorization code to obtain an access token.
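The question comes down to checking whether the authorization request the deployed app actually sends matches the configuration in Startup.Auth. The following is an added diagnostic (not code from the question or from Microsoft's samples) that parses an authorization request URL of the kind pasted above and reports any drift: response_type and scope are compared against the configured values, redirect_uri is checked against the exact allow-list provisioned on the app registration, and nonce and state are required because the hybrid flow returns an id_token from the authorization endpoint. The two sample URLs, the client_id, the allow-list entries and the nonce/state values are constructed for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Values that the Startup.Auth configuration in the question sets.
EXPECTED_RESPONSE_TYPE = "code id_token"
EXPECTED_SCOPE = "openid profile offline_access"

# Assumed allow-list of redirect URIs provisioned on the app registration
# (hypothetical values; Azure AD matches redirect_uri exactly, so the
# dynamically computed appBaseUrl must appear here verbatim).
ALLOWED_REDIRECT_URIS = {
    "https://localhost:44300/",
    "https://example-app.azurewebsites.net/",
}


def check_authorization_request(url, expected_response_type=EXPECTED_RESPONSE_TYPE,
                                expected_scope=EXPECTED_SCOPE,
                                allowed_redirect_uris=ALLOWED_REDIRECT_URIS):
    """Compare an OpenID Connect authorization request URL with the intended configuration.

    Returns a list of findings; an empty list means the request matches.
    Space-separated values (response_type, scope) are compared as sets because
    their order carries no meaning.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)

    def single(name):
        values = query.get(name, [])
        return values[0] if values else None

    findings = []

    response_type = single("response_type")
    if response_type is None:
        findings.append("response_type: missing")
    elif set(response_type.split()) != set(expected_response_type.split()):
        findings.append(f"response_type: expected {expected_response_type!r}, got {response_type!r}")
    if response_type is not None and "code" not in response_type.split():
        findings.append("response_type: no 'code', so no authorization code will be returned to redeem for an access token")

    scope = single("scope")
    if scope is None:
        findings.append("scope: missing")
    else:
        scopes = set(scope.split())
        if "openid" not in scopes:
            findings.append("scope: 'openid' missing, this is not an OpenID Connect request")
        missing = set(expected_scope.split()) - scopes
        if missing:
            findings.append(f"scope: missing {sorted(missing)}")

    redirect_uri = single("redirect_uri")
    if redirect_uri is None:
        findings.append("redirect_uri: missing")
    elif redirect_uri not in allowed_redirect_uris:
        findings.append(f"redirect_uri: {redirect_uri!r} is not in the provisioned allow-list")

    # The hybrid flow returns an id_token from the authorization endpoint, which
    # requires a nonce; state ties the callback to this request. OWIN sets both.
    for name in ("nonce", "state"):
        if not single(name):
            findings.append(f"{name}: missing")

    return findings


# Constructed sample: what the local run is expected to send.
LOCAL_REQUEST = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&redirect_uri=https%3A%2F%2Flocalhost%3A44300%2F"
    "&response_type=code%20id_token"
    "&scope=openid%20profile%20offline_access"
    "&response_mode=form_post"
    "&nonce=n-0S6_WzA2Mj&state=af0ifjsldkj"
)

# Constructed sample of a drifted deployment: implicit-only response_type and a
# narrower scope than configured.
DEPLOYED_REQUEST = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&redirect_uri=https%3A%2F%2Fexample-app.azurewebsites.net%2F"
    "&response_type=id_token"
    "&scope=openid%20profile"
    "&response_mode=form_post"
    "&nonce=n-0S6_WzA2Mj&state=af0ifjsldkj"
)

if __name__ == "__main__":
    for label, request_url in (("local", LOCAL_REQUEST), ("deployed", DEPLOYED_REQUEST)):
        result = check_authorization_request(request_url)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Paste the URL captured from the browser in place of DEPLOYED_REQUEST; if the deployed site reports a response_type without code, the OWIN middleware there is running with different options than the local build, and the App Service's deployed web.config and app settings are the first place to compare.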


It seems your old web service is corrupted, so the code is not being deployed properly. If you want the reason, it is best to contact Azure support.

OpenID Connect sample using ASP.NET: https://github.com/AzureADQuickStarts/AppModelv2-WebApp-OpenIDConnect-DotNet/


    // The Client ID is used by the application to uniquely identify itself to Azure AD.
    string clientId = "ClientId";

    // RedirectUri is the URL where the user will be redirected to after they sign in.
    string redirectUri = "RedirectUri";

    // Tenant is the tenant ID (e.g. tenant-id, or 'common' for multi-tenant)
    static string tenant = "Tenant";

    // Authority is the URL for authority, composed by Microsoft identity platform endpoint and the tenant name (e.g. https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0)
    string authority = "https://login.microsoftonline.com/" + tenant + "/v2.0";

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            Authority = authority,
            RedirectUri = redirectUri,
            PostLogoutRedirectUri = redirectUri,
            Scope = OpenIdConnectScope.OpenIdProfile, // "openid profile"
            ResponseType = OpenIdConnectResponseType.CodeIdToken, // "code id_token"
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = OnAuthenticationFailed
            }
        });