用户在OpenId Connect(AAD)之后进行身份验证,但无法找到访问令牌

问题描述 投票:0回答:1

我试图在用户从OpenId Connect进行身份验证后从AAD中找到访问令牌。它是与AAD OpenId Connect集成的Web应用程序。我需要获取访问令牌来调用另一个使用相同AAD的API。这是我尝试过的:

  1. 克隆this示例代码。
  2. 在Startup.cs文件中,添加以下代码块: public void ConfigureServices(IServiceCollection services) { services.TryAddSingleton<IHttpContextAccessor, HttpContextAccessor(); services.AddAuthentication(sharedOptions => { sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme; sharedOptions.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme; }) .AddAzureAd(options => Configuration.Bind("AzureAd", options)) .AddOpenIdConnect("oidc", options => { options.Authority = "http://localhost:5000"; options.ClientId = "<<client-id>>"; options.SignInScheme = "cookie"; options.SaveTokens = true; options.GetClaimsFromUserInfoEndpoint = true; options.RequireHttpsMetadata = false; }) .AddCookie(); services.AddMvc();}
  3. HomeController类中,我添加了一个名为httpContextAccessor的私有变量,并在构造函数中设置它。 private IHttpContextAccessor _httpContextAccessor; public HomeController(IHttpContextAccessor httpContextAccessor) { _httpContextAccessor = httpContextAccessor; }
  4. HomeController类中,我添加了一些代码来访问访问令牌。 public IActionResult Index() { if (User.Identity.IsAuthenticated) { var attempt1 = Request.Headers["Authorization"]; var attempt2 = HttpContext.GetTokenAsync("access_token"); var attempt3 = _httpContextAccessor.HttpContext.GetTokenAsync("access_token"); var attempt4 = _httpContextAccessor.HttpContext.Request.Headers["Authorziation"]; } return View(); }

但是所有这些都返回空或null。我错过了什么吗?

我看过以下帖子以供参考:How to refresh access token How to get access token from HttpContext in .Net core 2.0

authentication asp.net-core azure-active-directory access-token openid-connect
1个回答
1
投票

您需要在OpenID Connect配置中将SaveTokens设置为true:

  1. 克隆代码示例
  2. 保持Startup.cs,您不需要添加.AddOpenIdConnect部分,AddAzureAd扩展方法将有助于将Azure Active Directory身份验证添加到您的应用程序。
  3. 修改AzureAdAuthenticationBuilderExtensions.cs文件夹中的Extensionspublic void Configure(string name, OpenIdConnectOptions options) { options.ClientId = _azureOptions.ClientId; options.Authority = $"{_azureOptions.Instance}{_azureOptions.TenantId}"; options.UseTokenLifetime = true; options.CallbackPath = _azureOptions.CallbackPath; options.RequireHttpsMetadata = false; options.SaveTokens = true; // set to true }
  4. 然后你可以从httpContextAccessor获取ID令牌: var idToken = _httpContextAccessor.HttpContext.GetTokenAsync("id_token");

但访问令牌仍为空。该示例演示如何使用OpenID Connect ASP.NET Core中间件从单个Azure AD租户登录用户,这意味着您可以获取作为OpenID Connect流的一部分发送到客户端应用程序的ID Token并使用由客户端来验证用户。请参阅文件:ID tokens

虽然Access tokens使客户能够安全地调用受Azure保护的API。请参阅文件:Azure Active Directory access tokens

如果要获取访问令牌以访问受Azure AD保护的资源,则应使用ADAL(Azure AD V1.0端点)获取令牌,请参阅代码示例(尤其是use OnAuthorizationCodeReceived to acquire access token):

https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect-aspnetcore

如果您使用的是Azure AD V2.0端点,请使用MSAL

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.