我们有一个用 ASP.Net Core 2.2 编写的 Web api,我们希望根据 AAD 或 B2C 对用户进行身份验证。这意味着我们有一些端点只能由 AAD 用户访问,其他端点只能由 B2C 用户访问,还有一些端点两者都可以访问。
在 Startup.cs 中我们有
services.AddAuthentication(AzureADB2CDefaults.BearerAuthenticationScheme)
.AddAzureADB2CBearer(options => Configuration.Bind("AzureAdB2C", options));
services.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme)
AddAzureADBearer(options => Configuration.Bind("AzureAd", options));
这些单独工作,但是当我们尝试同时添加两者的配置时,两者都不起作用。
我也尝试过
services.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme)
.AddAzureADBearer(options => Configuration.Bind("AzureAd", options))
.AddAzureADB2CBearer(options => Configuration.Bind("AzureAdB2C", options));
但这似乎都不起作用。我们如何实现这一目标?
最佳答案
我也遇到了类似的问题并通过自定义策略实现。下面是验证码。
public static void AddAuthorization(this IServiceCollection services, IConfigurationRoot configuration)
{
services.AddAuthentication()
.AddJwtBearer("AAD", options =>
{
options.MetadataAddress = configuration["AzureAd:Instance"] + configuration["AzureAd:TenantId"] +
"/v2.0/.well-known/openid-configuration";
options.Authority = configuration["AzureAd:Instance"] + configuration["AzureAd:TenantId"];
options.Audience = configuration["AzureAd:ClientId"];
options.TokenValidationParameters =
new TokenValidationParameters
{
ValidIssuer = $"https://sts.windows.net/{configuration["AzureAd:TenantId"]}/",
};
options.Events = new JwtBearerEvents
{
OnMessageReceived = context => Task.CompletedTask,
OnChallenge = context => Task.CompletedTask,
OnAuthenticationFailed = (context) =>
{
Console.WriteLine("OnAuthenticationFailed: " + context.Exception.Message);
return Task.CompletedTask;
},
OnTokenValidated = context =>
{
Console.WriteLine("Validated: " + context.SecurityToken);
return Task.CompletedTask;
}
};
})
.AddJwtBearer("B2C", options =>
{
options.Authority = configuration["AzureAdB2C:Instance"] + configuration["AzureAdB2C:Domain"] + "/" + configuration["AzureAdB2C:SignUpSignInPolicyId"] + "/v2.0";
options.Audience = configuration["AzureAdB2C:ClientId"];
options.Events = new JwtBearerEvents
{
OnMessageReceived = context => Task.CompletedTask,
OnChallenge = context => Task.CompletedTask,
OnAuthenticationFailed = (context) =>
{
Console.WriteLine("OnAuthenticationFailed: " + context.Exception.Message);
return Task.CompletedTask;
},
OnTokenValidated = context =>
{
Console.WriteLine("Validated: " + context.SecurityToken);
return Task.CompletedTask;
}
};
});
services
.AddAuthorization(options =>
{
options.AddPolicy("AADUsers", new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.AddAuthenticationSchemes("AAD")
.Build());
options.AddPolicy("B2CUsers", new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.AddAuthenticationSchemes("B2C")
.Build());
});
}
在startup.cs中的ConfigureServices中添加以下代码
services.AddAuthorization(Configuration);
现在在你的 Controller 中你可以基于 AD 或 B2CAD 进行这样的装饰
[Authorize(Policy = "B2CUsers")] // For B2C authentication
[Authorize(Policy = "AADUsers")] // For AAD authentication
关于azure - 使用 AD 和 B2C 进行 ASP.Net Core 身份验证,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/55852498/