问题描述
我正在尝试让Owin使用Azure AD在asp.net Web应用程序中工作。这是配置Owin的启动代码。
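public class Startup
{
    // The Client ID is used by the application to uniquely identify itself to the Microsoft identity platform.
    string clientId = System.Configuration.ConfigurationManager.AppSettings["ClientId"];

    // RedirectUri is the URL the user is sent back to after they sign in (must match the app registration).
    string redirectUri = System.Configuration.ConfigurationManager.AppSettings["RedirectUri"];

    // Tenant is the tenant ID (e.g. contoso.onmicrosoft.com, or 'common' for multi-tenant).
    static string tenant = System.Configuration.ConfigurationManager.AppSettings["Tenant"];

    // Authority is the Microsoft identity platform endpoint plus the tenant name
    // (e.g. https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0).
    // The "Authority" app setting is treated as a format string with a {0} placeholder for the tenant.
    string authority = String.Format(
        System.Globalization.CultureInfo.InvariantCulture,
        System.Configuration.ConfigurationManager.AppSettings["Authority"],
        tenant);

    /// <summary>
    /// Configure OWIN to use OpenID Connect against Azure AD, with the cookie middleware as the sign-in scheme.
    /// </summary>
    /// <param name="app">The OWIN application builder.</param>
    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                // ClientId, Authority and RedirectUri as obtained from web.config.
                ClientId = clientId,
                Authority = authority,
                RedirectUri = redirectUri,

                // PostLogoutRedirectUri is the page users land on after sign-out; here it is the home page.
                PostLogoutRedirectUri = redirectUri,
                Scope = OpenIdConnectScope.OpenIdProfile,

                // ResponseType requests the id_token, which contains basic information about the signed-in user.
                // NOTE(security): asking the authorization endpoint to return an id_token directly IS the implicit
                // grant, which is why Azure AD must have "ID tokens (implicit)" enabled for this configuration.
                // To avoid the implicit flow, use the authorization code flow instead
                // (ResponseType = OpenIdConnectResponseType.Code) and redeem the code server-side with a client
                // secret or certificate; that wiring is not shown here.
                ResponseType = OpenIdConnectResponseType.IdToken,

                // ValidateIssuer = false allows personal and work accounts from any organization to sign in.
                // To only allow users from a single organization, set ValidateIssuer = true and the 'tenant'
                // setting in web.config to the tenant name.
                // To allow users from only a list of specific organizations, set ValidateIssuer = true and use
                // the ValidIssuers parameter.
                TokenValidationParameters = new TokenValidationParameters()
                {
                    // NOTE(security): with issuer validation off, an id_token minted by ANY Azure AD tenant is
                    // accepted. That is only acceptable for a genuinely multi-tenant app that authorizes each
                    // user/tenant afterwards (e.g. on the "tid" claim); single-tenant apps must turn this on.
                    ValidateIssuer = false // This is a simplification
                },

                // Route failed authentications to OnAuthenticationFailed and every protocol message to OnMessageReceived.
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    AuthenticationFailed = OnAuthenticationFailed,
                    MessageReceived = OnMessageReceived
                }
            }
        );
    }

    /// <summary>
    /// Handle failed authentication requests by redirecting the user to the home page with an error in the query string.
    /// </summary>
    /// <param name="context">The failure notification; carries the exception raised by the OIDC handler.</param>
    /// <returns>A completed task; the response has already been written.</returns>
    private Task OnAuthenticationFailed(AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
    {
        context.HandleResponse();
        // The exception text is placed inside a URL, so it must be escaped. Without escaping, a message that
        // contains '&', '#' or other reserved characters breaks the query string, and text that may originate
        // from the protocol response (e.g. an error_description) would reach the home page unencoded.
        context.Response.Redirect("/?errormessage=" + Uri.EscapeDataString(context.Exception.Message));
        return Task.FromResult(0);
    }

    /// <summary>
    /// Observe every protocol message received from the identity provider. Currently a no-op that only
    /// reads the error description (handy as a breakpoint when diagnosing sign-in failures).
    /// </summary>
    /// <param name="notification">The received protocol message.</param>
    /// <returns>A completed task; processing continues in the middleware.</returns>
    private Task OnMessageReceived(MessageReceivedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
    {
        string errorDescription = notification.ProtocolMessage.ErrorDescription;
        return Task.FromResult(0);
    }
}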
除非我在Azure AD中启用隐式流,否则此代码将不起作用。由于安全原因,我不想使用隐式流。我宁愿使用授权流程。我需要进行哪些更改,以便此代码在不启用Azure中的隐式流的情况下可以正常工作?
解决方法
根据您的代码,您使用OpenID Connect协议将Azure AD身份验证集成到您的应用程序中,并且 ResponseType 设为 IdToken。这意味着令牌由 /authorize 端点直接返回给浏览器,而这正是隐式授权的定义。因此,AD门户中的应用程序注册必须在“身份验证”选项卡中启用对id_tokens的隐式授权(即将应用程序清单中的oauth2AllowIdTokenImplicitFlow
标志设置为true
)。这样,用户才能从/authorization
端点成功请求ID令牌。如果不这样做,将会得到unsupported_response
错误。如果您不想启用隐式流,就需要改用授权码流:将 ResponseType 改为 code,并在服务器端用客户端密钥或证书兑换授权码(例如在 AuthorizationCodeReceived 通知中完成),而不是仅仅更改门户设置。有关更多详细信息,请参阅here。