reactjs - Cors 使用 AAD 身份验证从 React 前端消耗 API 时出错
问题描述
我使用Yeoman Teams App Generator生成了一个带有内置 Azure AD 单点登录的样板 ReactJS Teams 应用程序。
这行得通。Teams 应用通过 Azure AD 进行身份验证(在后台)并从我的用户配置文件中提取一些数据。
现在我希望这个 Teams 应用使用 API。此 API 是一个 ASP.NET Core 网站,它使用相同的 AAD 应用程序进行身份验证。但是,当我尝试在 Teams 应用程序中从此 API 获取数据时,它会失败并出现以下错误:
Access to fetch at 'https://login.microsoftonline.com/xxxx-xxx-xxx-xxx-xxxxx/oauth2/authorize?client_id=xxx-xxx-xxx-xxx-xxx&redirect_uri=https%3A%2F%2Flocalhost%3A44391%2Fsignin-oidc&response_type=id_token&scope=openid%20profile&response_mode=form_post&nonce=xxx'
(redirected from 'https://localhost:44391/User') from origin 'null' has been blocked by CORS policy:
No 'Access-Control-Allow-Origin' header is present on the requested resource.
If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
我检查了 AAD 应用程序中的设置,并没有发现任何问题。
反应代码是:
import * as React from "react";
import { Provider, Flex, Text, Button, Header } from "@fluentui/react-northstar";
import { useState, useEffect } from "react";
import { useTeams } from "msteams-react-base-component";
import * as microsoftTeams from "@microsoft/teams-js";
import jwtDecode from "jwt-decode";
/**
* Implementation of the Telefoonboek content page
*/
export const TelefoonboekTab = () => {
const [{ inTeams, theme, context }] = useTeams();
const [entityId, setEntityId] = useState<string | undefined>();
const [name, setName] = useState<string>();
const [error, setError] = useState<string>();
useEffect(() => {
if (inTeams === true) {
microsoftTeams.authentication.getAuthToken({
successCallback: (token: string) => {
const decoded: { [key: string]: any; } = jwtDecode(token) as { [key: string]: any; };
setName(decoded!.name);
microsoftTeams.appInitialization.notifySuccess();
},
failureCallback: (message: string) => {
setError(message);
microsoftTeams.appInitialization.notifyFailure({
reason: microsoftTeams.appInitialization.FailedReason.AuthFailed,
message
});
},
resources: [process.env.TELEFOONBOEK_APP_URI as string]
});
} else {
setEntityId("Not in Microsoft Teams");
}
}, [inTeams]);
useEffect(() => {
if (context) {
setEntityId(context.entityId);
}
}, [context]);
fetch("/User")
.then(response => response.json())
.then(data => console.log(data));
/**
* The render() method to create the UI of the tab
*/
return (
<Provider theme={theme}>
<Flex fill={true} column styles={{
padding: ".8rem 0 .8rem .5rem"
}}>
<Flex.Item>
<Header content="This is your tab" />
</Flex.Item>
<Flex.Item>
<div>
<div>
<Text content={`Hello ${name}`} />
</div>
{error && <div><Text content={`An SSO error occurred ${error}`} /></div>}
<div>
<Button onClick={() => alert("It worked!")}>A sample button</Button>
</div>
</div>
</Flex.Item>
<Flex.Item styles={{
padding: ".8rem 0 .8rem .5rem"
}}>
<Text size="smaller" content="(C) Copyright Zetacom" />
</Flex.Item>
</Flex>
</Provider>
);
};
API 启动.cs:
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.HttpsPolicy;
using Microsoft.AspNetCore.SpaServices.ReactDevelopmentServer;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.AspNetCore.Authorization;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using System;
namespace UserPresence
{
public class Startup
{
private static readonly string CustomApiScheme = "CustomApiScheme";
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services.AddCors(options =>
{
options.AddPolicy(name: "CorsPolicy",
builder =>
{
builder.AllowAnyOrigin();
});
});
//ConfigureAuthentication(services);
services.AddDbContext<dbContext>(options => options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));
services.AddTransient<UserModel>();
services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
.AddAzureAD(options => Configuration.Bind("AzureAd", options));
services.AddControllersWithViews(options =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
});
// In production, the React files will be served from this directory
services.AddSpaStaticFiles(configuration =>
{
configuration.RootPath = "ClientApp/build";
});
}
private void ConfigureAuthentication(IServiceCollection services)
{
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = AzureADDefaults.CookieScheme;
options.DefaultChallengeScheme = CustomApiScheme;
options.DefaultSignInScheme = AzureADDefaults.CookieScheme;
})
.AddAzureAD(options =>
{
Configuration.Bind("AzureAd", options);
})
.AddScheme<AuthenticationSchemeOptions, CustomApiAuthenticationHandler>(CustomApiScheme, options => { });
services.Configure<CookieAuthenticationOptions>(AzureADDefaults.CookieScheme, options =>
{
options.Cookie.HttpOnly = true;
options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
options.Cookie.SameSite = SameSiteMode.Lax;
options.Cookie.MaxAge = new TimeSpan(7, 0, 0, 0);
});
services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
{
options.Authority = options.Authority + "/v2.0/"; // Microsoft identity platform
options.TokenValidationParameters.ValidateIssuer = false; // accept several tenants (here simplified)
});
services.AddControllersWithViews(options =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
});
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Error");
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
app.UseHsts();
}
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseSpaStaticFiles();
app.UseRouting();
app.UseCors("CorsPolicy");
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllerRoute(
name: "default",
pattern: "{controller}/{action=Index}/{id?}");
});
}
}
}
编辑:
我在 API 上添加了“AllowAnyOrigin”等。现在 Teams 中的错误是:
Access to XMLHttpRequest at 'https://login.microsoftonline.com/xxxxxxxxxxxx/oauth2/authorize?client_id=xxxxxxx&redirect_uri=https%3A%2F%2Flocalhost%3A44391%2Fsignin-oidc&xxx'
(redirected from 'https://xxxx.eu.ngrok.io/User') from origin 'https://xxxx.eu.ngrok.io' has been blocked by CORS policy:
Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
解决方案
您的错误是由 CORS 政策引起的,我在我身边进行了测试,builder.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader();然后它就起作用了。
但不是使用 ngrok,我将我的 MVC 程序部署到 azure 应用服务。
推荐阅读
- python - 如何以简单的方式验证和分配我的输出
- javascript - 为什么尽管发送所有数据都正确,但仍收到此错误代码 500?
- spring - 来自 Ionic 的 Spring Security LDAP 身份验证
- android - 如何检查是否是第一次启动应用程序?
- laravel - Laravel 安装在子文件夹和 Horizon 中不起作用
- python - 如何解决 AssertionError 以使用运行长度编码将字符串字符转换为字节?
- python - 使用 Tkinter 时,NoneType 对象在 Python 中没有属性“销毁”错误
- c# - Lock 和 Mutex 显示不同的结果
- java - ExecutorService 和 Future 正在阻塞主线程
- ios - 使用 Audiokit v5 实现麦克风分析