azure - 具有承载授权的 Azure 多租户 ASP.Net-Core 应用程序
问题描述
如何为多租户应用设置承载授权?
它是单页应用程序。在浏览器站点应用程序上使用Adal.js对用户进行身份验证。身份验证后,应用程序使用 Authorization Bearer 标头向 ASP.Net-Core 服务器端发送请求。
ASP.Net-Core 使用Microsoft.AspNetCore.Authentication.JwtBearer来检查请求。这是启动:
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(sharedOptions =>
{
sharedOptions.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddAzureAdBearer(options => Configuration.Bind("AzureAd", options));
// ... other ...
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
app.UseAuthentication();
// ... other ...
}
}
这是 AddAzureAdBearer 方法:
public static class AzureAdServiceCollectionExtensions
{
public static AuthenticationBuilder AddAzureAdBearer(this AuthenticationBuilder builder)
=> builder.AddAzureAdBearer(_ => { });
public static AuthenticationBuilder AddAzureAdBearer(this AuthenticationBuilder builder, Action<AzureAdOptions> configureOptions)
{
builder.Services.Configure(configureOptions);
builder.Services.AddSingleton<IConfigureOptions<JwtBearerOptions>, ConfigureAzureOptions>();
builder.AddJwtBearer();
return builder;
}
private class ConfigureAzureOptions : IConfigureNamedOptions<JwtBearerOptions>
{
private readonly AzureAdOptions AzureOptions;
public ConfigureAzureOptions(IOptions<AzureAdOptions> azureOptions)
{
AzureOptions = azureOptions.Value;
}
public void Configure(string name, JwtBearerOptions options)
{
options.Audience = AzureOptions.ClientId;
// this works (specific TenantId)
// options.Authority
// = "https://login.microsoftonline.com/f8811864-6950-4347-af1c-9d22bb3d0615"
// this did not work (common instead of specific TenantId)
// options.Authority
// = "https://login.microsoftonline.com/common";
options.Authority = $"{AzureOptions.Instance}{AzureOptions.TenantId}";
}
public void Configure(JwtBearerOptions options)
{
Configure(Options.DefaultName, options);
}
}
}
对于单租户,这可以按预期工作,可以使用 [Authorize] 属性标记控制器
[Route("api/[controller]")]
[Authorize]
public class CalendarController : Controller
{
对于多租户,我将 Adal.js 设置为公共端点,并且它正在工作(用户可以成功登录)。但是 ASP.Net-Core 服务器无法检查 Bearer 标头,对于单租户
JwtBearerOptions.Authority = " https://login.microsoftonline.com/f8811864-6950-4347-af1c-9d22bb3d0615 "
对于多租户,我尝试发送
JwtBearerOptions.Authority = " https://login.microsoftonline.com/common "
ASP.Net-Core 服务器返回未经授权的响应。
更新
发布共同端点:像租户一样走路,像租户一样说话……但不是租户描述了具有共同权限的问题的原因。
简而言之:令牌(作为 Authorization Bearer 标头发送并且必须在服务器端进行验证)包含“颁发者”字符串,如下所示:https://sts.windows.net/<TENAT_ID>
. <TENAT_ID>
- 将是真实的<TENAT_ID>
而不是“普通”字符串。
因此,当 Authorization Bearer 标头验证时,“issuer”字符串与配置的 options.Authority 设置进行比较。
要解决此问题,可以禁用颁发者验证。并自己制作:
public void Configure(string name, JwtBearerOptions options)
{
options.Audience = AzureOptions.ClientId;
options.TokenValidationParameters = new TokenValidationParameters{
ValidateIssuer = false
};
options.Events = new JwtBearerEvents()
{
OnTokenValidated = (context) =>
{
if(!context.SecurityToken.Issuer.StartsWith("https://sts.windows.net/"))
throw new SecurityTokenValidationException();
return Task.FromResult(0);
}
};
options.Authority = $"{AzureOptions.Instance}{AzureOptions.TenantId}";
}
我不确定检查 Issuer 是否正确。请让我知道它是否正确。
解决方案
此处的这篇文章展示了如何进行自定义颁发者验证。https://thomaslevesque.com/2018/12/24/multitenant-azure-ad-issuer-validation-in-asp-net-core/
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.Authority = "https://login.microsoftonline.com/common";
options.Audience = configuration["AzureAdSettings:ClientId"];
options.RequireHttpsMetadata = true; // or false if you dont have https
options.TokenValidationParameters = new TokenValidationParameters()
{
ValidateIssuer = true,
ValidateAudience = true,
ValidateLifetime = true,
ValidateIssuerSigningKey = true,
IssuerValidator = (issuer, token, parameters) => issuer
//allows any issuer or use `ValidateIssuerWithPlaceholder`
};
});
该帖子具有此方法来验证令牌
private static string ValidateIssuerWithPlaceholder(string issuer, SecurityToken token, TokenValidationParameters parameters)
{
// Accepts any issuer of the form "https://login.microsoftonline.com/{tenantid}/v2.0",
// where tenantid is the tid from the token.
if (token is JwtSecurityToken jwt)
{
if (jwt.Payload.TryGetValue("tid", out var value) &&
value is string tokenTenantId)
{
var validIssuers = (parameters.ValidIssuers ?? Enumerable.Empty<string>())
.Append(parameters.ValidIssuer)
.Where(i => !string.IsNullOrEmpty(i));
if (validIssuers.Any(i => i.Replace("{tenantid}", tokenTenantId) == issuer))
return issuer;
}
}
// Recreate the exception that is thrown by default
// when issuer validation fails
var validIssuer = parameters.ValidIssuer ?? "null";
var validIssuers = parameters.ValidIssuers == null
? "null"
: !parameters.ValidIssuers.Any()
? "empty"
: string.Join(", ", parameters.ValidIssuers);
string errorMessage = FormattableString.Invariant(
$"IDX10205: Issuer validation failed. Issuer: '{issuer}'. Did not match: validationParameters.ValidIssuer: '{validIssuer}' or validationParameters.ValidIssuers: '{validIssuers}'.");
throw new SecurityTokenInvalidIssuerException(errorMessage)
{
InvalidIssuer = issuer
};
}
当您为中间件指定授权时,它将自动尝试查找公钥以验证令牌,如此处所述https://github.com/Azure-Samples/active-directory-javascript-singlepageapp-dotnet-webapi-v2 /问题/7
推荐阅读
- javascript - HTML 自动隐藏/显示中的“阅读更多”按钮
- oracle - 在 Oracle 更新触发器 pl/sql 中获取更新记录的 ID
- vba - EXCEL VBA 使用多行循环运行求解器
- r - 使用 mutate_at 舍入 dcast data.frame 中的所有条目仅按预期舍入一些观察值
- php - 简单的 Docker/Nginx 错误 - PHP/Laravel
- python - 添加“raise”语句有区别吗?
- xml - 如何在自动完成部分将 xml 文件上传到 google cse?
- c# - 可以结合使用 Microsoft Azure SQL 和 Azure 存储吗?
- python - PyQT实时显示串口数据在QtCore.QTimer.singleShot()上抛出最大递归深度超出异常
- excel - 频率表的 Excel 公式