問題描述

我已將 API 應(yīng)用程序 部署到 Azure，但如果身份驗(yàn)證(使用 AAD)設(shè)置為 ON，我在創(chuàng)建 API 客戶端時遇到問題.

I have deployed an API App to Azure, but I am having problems creating API Client if Authentication (with AAD) is set to ON.

當(dāng)我嘗試生成服務(wù)客戶端時(當(dāng)身份驗(yàn)證關(guān)閉時)，然后生成客戶端代碼(使用 Autorest 完成)并且代碼正在工作，但是當(dāng)我打開身份驗(yàn)證時(以及請求未通過身份驗(yàn)證時采取的操作是設(shè)置為 使用 Azure Active Directory 登錄)，然后

When I try to generate service client (when Authentication is OFF), then client code is generated (it's done with Autorest) and code is working, but when I switch Authentication ON (and Action to take when request is not authenticated is set to Login with Azure Active Directory), then

1) 服務(wù)調(diào)用返回401 Unauthorized(沒有重定向到AAD登錄頁面)

1) service call returned 401 Unauthorized (without redirecting to AAD login page)

2) 然后我嘗試再次生成服務(wù)客戶端(從項(xiàng)目的上下文菜單 -> 添加 -> REST API 客戶端 -> 然后在對話框中我選擇選擇 Azure 資產(chǎn)"并按確定并收到一條消息 無法下載 Microsoft Azure API 應(yīng)用程序的元數(shù)據(jù)文件:...應(yīng)用程序名稱..."(并且沒有可用的其他信息")

2) Then I tried to generate service client once more (from Project's context menu -> Add -> REST API Client -> then in the dialog box I chose "Select Azure Asset" and pressed OK and got a message "Failed to download metadata file for Microsoft Azure API App: ...app name..." (and "no additional information available")

我正在根據(jù)此 Azure 手冊實(shí)施 AAD(使用快速設(shè)置):

I was implementing AAD according to this Azure manual (using express settings):

https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-how-to-configure-active-directory-authentication/

也按照此視頻工作，并且此視頻中顯示的所有內(nèi)容都正常工作，除了 AAD 沒有被演示......而且對我來說它不起作用......

Was working according to this video, too and everything what is shown in this video was working, except that AAD was not demonstrated... and for me it's not working...

https://azure.microsoft.com/en-us/documentation/videos/connect-2015-what-s-new-in-app-service-api-apps/

有什么建議嗎?

編輯

1) 如果我在 Web 瀏覽器中輸入請求 url(REST API 客戶端使用)，那么它會返回有效結(jié)果2) 我發(fā)現(xiàn)我正在使用沒有憑據(jù)的 REST API(我認(rèn)為在這種情況下應(yīng)該顯示 Azure AD 登錄屏幕......但事實(shí)并非如此)

1) If I enter the request url (that REST API client uses) in web browser - then it returns valid results 2) I found out that I am using REST API without credentials (I thought Azure AD login screen should be presented in this case... but it isn't)

編輯 2

我取得了一些進(jìn)展 - 進(jìn)入了 AAD 登錄屏幕，但在輸入憑據(jù)后我得到 bearer token，但是當(dāng)我嘗試查詢服務(wù)時，我收到一條錯誤消息:

I got some progress - got to the AAD login screen, but after entering credentials I get the bearer token, but when I try to query the service, I get an error message:

AADSTS65005:客戶端應(yīng)用程序已請求訪問資源https....azurewebsites.net".此請求失敗，因?yàn)榭蛻舳宋丛谄?requiredResourceAccess 列表中指定此資源.跟蹤 ID:4176e...相關(guān) ID:1d612d...時間戳:2016-11-13 18:28:34Z

這些是我已經(jīng)完成的步驟:

These are the steps I've done to get this far:

0) 將 Microsoft.IdentityModel.Clients.ActiveDirectory nuget 包添加到客戶端項(xiàng)目

0) Added Microsoft.IdentityModel.Clients.ActiveDirectory nuget pack to client project

1) 在 Azure Active Directory 中注冊我的客戶端應(yīng)用

1) registered my client app in Azure Active Directory

2) 從客戶端應(yīng)用程序調(diào)用 REST API 時，我正在添加 ServiceClientCredentials

2) when calling REST API from client application, I am adding ServiceClientCredentials

3) 在創(chuàng)建 ServiceClientCredentials 時，我提供了 4 個元素-authority = 這是來自 AAD 應(yīng)用注冊 -> Endpoints => Federation Metadata Document vērtība(沒有起始部分 http://login.windows.net/)

3) when creating ServiceClientCredentials I provide 4 elements -authority = this is from AAD App registrations -> Endpoints => Federation Metadata Document vērtība (without the starting part http://login.windows.net/)

-resource => 這是 REST API uri(=>作為請求令牌接收者的目標(biāo)資源的標(biāo)識符)

-resource => this is REST API uri (=>Identifier of the target resource that is the recipient of the requested token)

-clientId => 這是我在 AAD 中注冊客戶端應(yīng)用程序后獲得的應(yīng)用程序 ID-redirect Uri => 因?yàn)槲业目蛻舳藨?yīng)用程序是本機(jī)應(yīng)用程序，所以這只是任何有效的 url

-clientId => this is application id I get after I registered client app in AAD -redirect Uri => since my client app is a Native application, then this is just any valid url

如何在我的客戶端應(yīng)用程序中指定此資源?

客戶端未在其 requiredResourceAccess 列表中指定此資源

推薦答案

我設(shè)法找到了有關(guān)如何啟用對 Azure REST API 應(yīng)用程序的 AAD 授權(quán)的解決方案.以防萬一有人遇到同樣的挑戰(zhàn)，我希望這會有所幫助.

I managed to find a solution on how to enable AAD authorization to Azure REST API App. Just in case anyone has the same challenge, I hope this will be helpful.

這些是我執(zhí)行的步驟:

1) 在應(yīng)用服務(wù)中 -> 認(rèn)證/授權(quán)

1) In App services -> Authentication/authorization

• 應(yīng)用服務(wù)身份驗(yàn)證 => 開啟
• 請求未通過身份驗(yàn)證時采取的措施 => 使用 AAD 登錄
• 使用 Express 設(shè)置配置 AAD(您必須在此處創(chuàng)建 Azure為您的 API 應(yīng)用程序的廣告應(yīng)用程序 - 即您的服務(wù)的應(yīng)用程序注冊")

2) 在 Azure Active Directory -> 應(yīng)用注冊

2) In Azure Active Directory -> App registrations

• 為您的客戶端應(yīng)用添加注冊
• 編輯客戶端應(yīng)用程序的清單 - 在 requiredResourceAccess 部分中，您必須添加有關(guān) REST API 應(yīng)用程序的信息:
  • resourceAppId -> 在此處插入 REST API App id
  • resourceAccess {id} -> REST API 的 OauthPermission id 值(您可以在 REST API 的清單中獲取它！)
  • Add registration for your client app
  • Edit Manifest of your client app - in the requiredResourceAccess section you must add information about REST API App:
    • resourceAppId -> insert REST API App id here
    • resourceAccess {id} -> OauthPermission id value of REST API (you can get it in REST API's manifest!)

    3) 在您的客戶端應(yīng)用程序中

    3) In your client application

    • 使用 Autorest 生成您的 REST 客戶端(來自解決方案資源管理器:AddREST API 客戶端)或手動創(chuàng)建它
    • 添加 Microsoft.IdentityModel.Clients.ActiveDirectory nuget 包

    • 使用類似下面的代碼獲取并使用令牌來訪問您的 API:

    • generate your REST client using Autorest (from solution explorer: AddREST API client) or create it manually
    • add Microsoft.IdentityModel.Clients.ActiveDirectory nuget pack

    • get and use token to access your API with code similar to this:

        //request
        (..)
        var tokenCreds = getToken();
        ServiceClientCredentials credentials = tokenCreds;
    
        using (var client = new YourAPI(credentials)) {
        ...
        }
        (..)
    
        //getting token
    
    private static TokenCredentials getToken()
    {
        //get this from Federation Metadata Document in 
        //Azure Active Directory App registrations -> Endpoints
        var authority = "f1...";
    
        //Identifier of the target resource that is the recipient of the requested token
        var resource = "https://yourapi.azurewebsites.net";
    
        //client application id (see Azure Active Directory App registration
        //for your client app
        var clientId = "a71...";
    
        //return url - not relevant for Native apps (just has to be valid url)
        var redirectUri = "https://just-some-valid-url.net";
    
        AuthenticationContext authContext =
        new AuthenticationContext(string.Format
        ("https://login.windows.net/{0}",
    authority));
    
        AuthenticationResult tokenAuthResult =
        authContext.AcquireTokenAsync(resource,
        clientId,
        new Uri(redirectUri),
        new PlatformParameters(PromptBehavior.Auto)).Result;
    
        return new TokenCredentials(tokenAuthResult.AccessToken);
    }
    

  這篇關(guān)于如何使用 Azure Active Directory 授權(quán)的 Azure REST API 應(yīng)用程序的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網(wǎng)！

  【網(wǎng)站聲明】本站部分內(nèi)容來源于互聯(lián)網(wǎng),旨在幫助大家更快的解決問題，如果有圖片或者內(nèi)容侵犯了您的權(quán)益，請聯(lián)系我們刪除處理，感謝您的支持！