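OpenIdConnectAuthenticationNotifications.AuthorizationCodeReceived event not called for Azure WebApp using Azure Active Directory
My MVC WebApp is deployed to Azure PaaS and secured with Azure AD. The authentication setup uses the sample code below as its basis, and it works on localhost with IIS Express or IIS.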
https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect
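But it does not work after being deployed to Azure. Even though the user is authenticated correctly, the AuthorizationCodeReceived delegate is not called.
Here is the startup code that sets up authentication: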
    void ConfigureAuth(IAppBuilder app, Container container) {
        _log.Debug("Configuring Azure Authentication");
        // Load the Azure AD settings (client ID, authority, URLs) from the container
        AzureActiveDirectoryAppSetting setting = container.GetInstance<IAzureActiveDirectoryAppSettingFactory>().Get();
        // Sign users in with a cookie once OpenID Connect authentication completes
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions() {
                ClientId = setting.ClientID,
                Authority = setting.Authority,
                PostLogoutRedirectUri = setting.PostLogoutRedirectUrl,
                RedirectUri = setting.ReplyUrl,
                Notifications = new OpenIdConnectAuthenticationNotifications() {
                    // Expected to run when the middleware receives the authorization code
                    AuthorizationCodeReceived = new Func<Microsoft.Owin.Security.Notifications.AuthorizationCodeReceivedNotification, System.Threading.Tasks.Task>(args => OnAuthorizationCodeReceived(args, container)),
                    // Expected to run when the middleware reports an authentication failure
                    AuthenticationFailed = new Func<Microsoft.Owin.Security.Notifications.AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions>, System.Threading.Tasks.Task>(OnAuthorizationFailed),
                }
            }
        );
    }

    // Logs the failure; the trace line below never shows up in the Azure log
    System.Threading.Tasks.Task OnAuthorizationFailed(Microsoft.Owin.Security.Notifications.AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> args) {
        _log.Error("Authorization Failed");
        return System.Threading.Tasks.Task.FromResult<string>(null);
    }

    // Hands the authorization code and the signed-in identity to the claims service
    System.Threading.Tasks.Task OnAuthorizationCodeReceived(Microsoft.Owin.Security.Notifications.AuthorizationCodeReceivedNotification args, Container container) {
        _log.Debug("Authorization Code Received");
        var auth = container.GetInstance<IClaimsBasedAuthentication>();
        return auth.ReceiveSecurityClaim(args.Code, args.AuthenticationTicket.Identity, HttpContext.Current);
    }
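Below is the trace from Azure. As you can see, authentication succeeds, but neither the "Authorization Failed" nor the "Authorization Code Received" trace can be found. The first error comes from the AcquireTokenSilentAsync call. It fails because the token was never cached in the first place.
Any help is appreciated. Thanks!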
- 2017-06-10T22:18:59 PID[7692] Verbose Albatross.Security.AzureADOpenIDAuthentication:AzureADOpenIDAuthentication Created
- 2017-06-10T22:18:59 PID[7692] Information Albatross.Web.App_Start.Startup:Web App Configuration
- 2017-06-10T22:18:59 PID[7692] Information Albatross.Web.App_Start.Startup:All areas registered
- 2017-06-10T22:18:59 PID[7692] Information Albatross.Web.App_Start.Startup:Routes registered
- 2017-06-10T22:18:59 PID[7692] Information Albatross.Web.App_Start.Startup:Bundles registered
- 2017-06-10T22:18:59 PID[7692] Verbose Albatross.Web.App_Start.Startup:Configuring Azure Authentication
- 2017-06-10T22:18:59 PID[7692] Verbose Albatross.Web.App_Start.Startup:ClientID:xxx
- 2017-06-10T22:18:59 PID[7692] Verbose Albatross.Web.App_Start.Startup:Authority:https://login.microsoftonline.com/rushuioutlook.onmicrosoft.com
- 2017-06-10T22:18:59 PID[7692] Verbose Albatross.Web.App_Start.Startup:PostLogoutRedirectUrl:https://albatrossweb.azurewebsites.net/.auth/login/aad/callback/
- 2017-06-10T22:18:59 PID[7692] Verbose Albatross.Web.App_Start.Startup:ReplyUrl:https://albatrossweb.azurewebsites.net/.auth/login/aad/callback/
- 2017-06-10T22:18:59 PID[7692] Verbose Albatross.Web.App_Start.Startup:Tenant:rushuioutlook.onmicrosoft.com
- 2017-06-10T22:19:00 PID[7692] Verbose Received request: GET http://albatrossweb.azurewebsites.net/
- 2017-06-10T22:19:00 PID[7692] Information Redirecting: https://albatrossweb.azurewebsites.net/
- 2017-06-10T22:19:00 PID[7692] Verbose Received request: GET https://albatrossweb.azurewebsites.net/
- 2017-06-10T22:19:00 PID[7692] Information Redirecting: https://login.windows.net/25dd3578-72e5-4b70-a97b-3cc94f9d69cc/oauth2/authorize?response_type=code+id_token&redirect_uri=https%3A%2F%2Falbatrossweb.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback&client_id=40ca9b08-b857-4307-9ba3-5815031e9ddf&scope=openid+profile+email&response_mode=form_post&nonce=4a0abda18cf6448fb5b8095efb546871_- 20170610222400&state=redir%3D%252F
- 2017-06-10T22:19:29 PID[7692] Verbose Received request: POST https://albatrossweb.azurewebsites.net/.auth/login/aad/callback
- 2017-06-10T22:19:29 PID[7692] Verbose JWT validation succeeded. Subject: 'iit96kJ_mJn8Qt0f3kKAZm3qFKMGR2BMjVEnI45JBRc', Issuer: 'https://sts.windows.net/25dd3578-72e5-4b70-a97b-3cc94f9d69cc/'.
- 2017-06-10T22:19:29 PID[7692] Verbose Calling into external HTTP endpoint POST https://login.windows.net/25dd3578-72e5-4b70-a97b-3cc94f9d69cc/oauth2/token.
- 2017-06-10T22:19:29 PID[7692] Information Login completed for '[email protected]'. Provider: 'aad'.
- 2017-06-10T22:19:29 PID[7692] Verbose Writing 'AppServiceAuthSession' cookie for site 'albatrossweb.azurewebsites.net'. Length: 940.
- 2017-06-10T22:19:29 PID[7692] Information Redirecting: https://albatrossweb.azurewebsites.net/
- 2017-06-10T22:19:31 PID[7692] Verbose Received request: GET https://albatrossweb.azurewebsites.net/
- 2017-06-10T22:19:31 PID[7692] Verbose Found 'AppServiceAuthSession' cookie for site 'albatrossweb.azurewebsites.net'. Length: 940.
- 2017-06-10T22:19:31 PID[7692] Verbose Authenticated [email protected] successfully using 'Session Cookie' authentication.
- 2017-06-10T22:19:31 PID[7692] Verbose [Routes(Preview)] No authorization configuration was found.
- 2017-06-10T22:19:33 PID[7692] Error Albatross.Web.Controllers.ServiceController:Microsoft.IdentityModel.Clients.ActiveDirectory.AdalSilentTokenAcquisitionException: Failed to acquire token silently as no token was found in the cache. Call method AcquireToken
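Edit to clarify the marked answer:
As Nan Yu said, the issue can be reproduced when the "Authentication / Authorization" feature is enabled. The working setup is shown below.
- Make sure "App Service Authentication" is On.
- Action to take when request is not authenticated: Allow anonymous requests (no action). This is what had me stuck for a month. I had it set to "Log in with Azure Active Directory".
- Configure Azure Active Directory correctly. You can find this information in the tutorial.
Try setting 'ResponseType = "code id_token"' in the OpenID Connect options. It's strange though, I have never had to specify it and I still get a code. – juunas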
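An added example, not part of the original post or the linked sample: a small Python triage of the trace format shown in the question, checking whether the sign-in was completed on the `/.auth/` callback with an 'AppServiceAuthSession' cookie rather than by the app's own OWIN handler. The `Albatross.` logger prefix and message strings are taken from the trace above; treating lines without that prefix as platform output is an assumption, and the sample trace and e-mail address are constructed.

```python
import re

# Constructed sample in the shape of the trace from the question (shortened).
SAMPLE_TRACE = """\
- 2017-06-10T22:18:59 PID[7692] Verbose Albatross.Web.App_Start.Startup:ReplyUrl:https://albatrossweb.azurewebsites.net/.auth/login/aad/callback/
- 2017-06-10T22:19:29 PID[7692] Verbose Received request: POST https://albatrossweb.azurewebsites.net/.auth/login/aad/callback
- 2017-06-10T22:19:29 PID[7692] Information Login completed for 'user@example.test'. Provider: 'aad'.
- 2017-06-10T22:19:29 PID[7692] Verbose Writing 'AppServiceAuthSession' cookie for site 'albatrossweb.azurewebsites.net'. Length: 940.
- 2017-06-10T22:19:33 PID[7692] Error Albatross.Web.Controllers.ServiceController:Microsoft.IdentityModel.Clients.ActiveDirectory.AdalSilentTokenAcquisitionException: Failed to acquire token silently
"""

# Optional "- " bullet, timestamp, PID, level, message.
LINE = re.compile(r"^(?:-\s*)?(\S+) PID\[(\d+)\] (\w+) (.*)$")

def triage(trace, app_prefix="Albatross."):
    """Record which component left evidence of handling the sign-in."""
    findings = {
        "reply_url_on_auth_path": False,   # app's ReplyUrl points under /.auth/
        "platform_callback": False,        # callback POST seen outside app loggers
        "platform_session_cookie": False,  # AppServiceAuthSession cookie written/read
        "owin_code_received": False,       # app logged "Authorization Code Received"
        "silent_token_failure": False,     # ADAL token cache was empty
    }
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(4)
        if msg.startswith(app_prefix):     # line written by the application
            if "ReplyUrl:" in msg and "/.auth/" in msg:
                findings["reply_url_on_auth_path"] = True
            if "Authorization Code Received" in msg:
                findings["owin_code_received"] = True
            if "AdalSilentTokenAcquisitionException" in msg:
                findings["silent_token_failure"] = True
        else:                              # assumed to be platform output
            if "Received request: POST" in msg and "/.auth/login/" in msg:
                findings["platform_callback"] = True
            if "'AppServiceAuthSession' cookie" in msg:
                findings["platform_session_cookie"] = True
    return findings

def handled_by_platform(findings):
    """True when the login finished without the app's OWIN notification firing."""
    return (findings["platform_callback"] and findings["platform_session_cookie"]
            and not findings["owin_code_received"])

if __name__ == "__main__":
    result = triage(SAMPLE_TRACE)
    print(result, "handled_by_platform =", handled_by_platform(result))
```

When `handled_by_platform` is true and `silent_token_failure` is also set, the trace matches the situation in the question: the code that would have populated the token cache never ran.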