我已经使用WebForms从VS-2019成功发布了Azure App Service。我已经成功保护了它的安全性,以便用户必须使用与App Service相同的域中的Azure AAD帐户登录。我已经成功创建了一个Azure SQL数据库。通过将我创建的Azure AAD帐户用户之一硬编码到连接字符串中,我已经成功地将用户从AAD域添加到数据库并从Azure App Service连接到数据库。
现在,我想使用App Service登录名中经过身份验证的AAD用户来连接到Azure SQL数据库。到目前为止,我尝试过的一切都失败了。
我对Azure很陌生。我的大部分经验是在内部公司域中使用SQL Server / Visual Studio,没有任何Cloud服务。
有人有什么建议吗?
这是我的验证码。
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Configuration;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Extensions;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
using System.Net.Http;
namespace Church
{
public partial class Startup
{
public void Configuration(IAppBuilder app)
{
ConfigureAuth(app);
}
private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
private static string aadInstance = EnsureTrailingSlash(ConfigurationManager.AppSettings["ida:AADInstance"]);
private static string tenantId = ConfigurationManager.AppSettings["ida:TenantId"];
private static string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];
string authority = aadInstance + tenantId;
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = authority,
PostLogoutRedirectUri = postLogoutRedirectUri,
Notifications = new OpenIdConnectAuthenticationNotifications()
{
AuthenticationFailed = (context) =>
{
return System.Threading.Tasks.Task.FromResult(0);
},
SecurityTokenValidated = (context) =>
{
var claims = context.AuthenticationTicket.Identity.Claims;
var groups = from c in claims
where c.Type == "groups"
select c;
foreach (var group in groups)
{
context.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimTypes.Role, group.Value));
}
return Task.FromResult(0);
}
}
}
);
// This makes any middleware defined above this line run before the Authorization rule is applied in web.config
app.UseStageMarker(PipelineStage.Authenticate);
}
private static string EnsureTrailingSlash(string value)
{
if (value == null)
{
value = string.Empty;
}
if (!value.EndsWith("/", StringComparison.Ordinal))
{
return value + "/";
}
return value;
}
}
}
enter code here
此任务a有点复杂。为了实现您想要的目标,您必须配置EasyAuth(应用程序服务身份验证/授权服务)以获取Azure SQL DB的访问令牌。您可以通过Azure应用服务身份验证here了解有关访问令牌的更多信息。注意Azure Active Directory配置的部分。系统将指示您转到https://resources.azure.com/,找到您的应用服务并更新以下属性:
“ additionalLoginParams”:[“ response_type = code id_token”,“ resource =”]
对于资源参数,应使用https://database.windows.net/,它是Azure SQL DB的标识符。这将允许应用程序服务身份验证服务(EasyAuth)代表用户代表Azure SQL DB获得访问令牌。然后,您将能够从HTTP HEADER X-MS-TOKEN-AAD-ACCESS-TOKEN(也在same documentation page中进行说明)获取此访问令牌。
一旦您设法获取Azure SQL DB的访问令牌,则应该对Azure SQL DB使用令牌身份验证,而不是基于用户/密码。文档的token authentication部分为well hidden here,本示例对此进行了演示:
string ConnectionString =@"Data Source=n9lxnyuzhv.database.windows.net; Initial Catalog=testdb;"
SqlConnection conn = new SqlConnection(ConnectionString);
conn.AccessToken = "Your JWT token that you took from HTTP HEADER X-MS-TOKEN-AAD-ACESS-TOKEN"
conn.Open();