关于[如何使用 EntraID 保护 API (https://stackoverflow.com/questions/78366047/how-to-secure-api-with-entraid),Rukmini 帮助设置 Azure 应用程序以保护本地 API 并将身份验证令牌传递给它。 但我缺少 API 端点上实际验证令牌并获取用户详细信息所需的部分。
此外,端点需要是匿名的,然后我们通过代码进行验证,或者我们可以用一些属性来装饰它,以使其只能使用适当的令牌进行访问?
您有任何示例代码可以说明其工作原理吗?
要验证令牌并获取用户的详细信息,可以参考下面的控制台示例。它演示的是 API 一侧应做的校验步骤:从租户的 OpenID 元数据文档取得签名密钥,然后校验签名、颁发者 (iss)、受众 (aud) 和有效期。在真正的 ASP.NET Core API 中,不应把端点设为匿名再在代码里手动校验,而是把同样的 TokenValidationParameters 交给 JwtBearer 认证中间件,并用 [Authorize] 装饰端点。另外注意:这些校验只证明令牌是真实的、并且是颁发给此 API 的(认证);端点仍然要检查 scp / roles 声明来决定调用方有权做什么(授权)。
using Azure.Core;
using Azure.Identity;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
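/// <summary>
/// Console sample: interactively acquires an access token for the API's own app
/// registration, then validates it the way the API itself would and prints the
/// caller's identity claims.
/// </summary>
class Program
{
    // Fill these in from the app registration. Keeping them in one place avoids the
    // easy mistake of requesting a token from one tenant and validating against another.
    private const string TenantId = "TenantID";
    private const string ClientId = "ClientID";

    // Tenant-specific authority (not "common"/"organizations") so that only tokens
    // issued by this tenant's metadata/signing keys are ever accepted.
    private const string Authority = "https://login.microsoftonline.com/" + TenantId + "/";

    // One ConfigurationManager per process: it caches the metadata document and the
    // signing keys and refreshes them on its own schedule, which is what copes with
    // key rollover. Creating a new one per validation would re-download the metadata
    // on every request and defeats that cache.
    private static readonly ConfigurationManager<OpenIdConnectConfiguration> s_configurationManager =
        new ConfigurationManager<OpenIdConnectConfiguration>(
            Authority + ".well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());

    /// <summary>
    /// Entry point: acquires a token via the browser and hands it to <see cref="ValidateTokenAsync"/>.
    /// </summary>
    static async Task Main(string[] args)
    {
        var scopes = new[] { "api://" + ClientId + "/.default" };
        var options = new InteractiveBrowserCredentialOptions
        {
            TenantId = TenantId,
            ClientId = ClientId,
            AuthorityHost = AzureAuthorityHosts.AzurePublicCloud,
            // MUST be http://localhost or http://localhost:PORT
            RedirectUri = new Uri("http://localhost"),
        };
        var interactiveCredential = new InteractiveBrowserCredential(options);
        var accessToken = await interactiveCredential.GetTokenAsync(new TokenRequestContext(scopes));

        // Never write the raw token to the console or to logs: a bearer token is a
        // credential, and whoever reads the log can replay it until it expires.
        Console.WriteLine($"Access token acquired ({accessToken.Token.Length} chars), expires {accessToken.ExpiresOn:O}");

        await ValidateTokenAsync(accessToken.Token, scopes);
    }

    /// <summary>
    /// Validates <paramref name="token"/> as the API would and prints the caller's identity.
    /// </summary>
    /// <param name="token">The compact JWS access token the caller presented.</param>
    /// <param name="scopes">
    /// The scopes requested when the token was acquired. A ".default" scope is a request
    /// shorthand and does not appear in the token, so it cannot be compared to "scp" directly;
    /// the API should compare "scp"/"roles" against the permission each endpoint requires.
    /// </param>
    /// <remarks>
    /// Signature, issuer, audience and lifetime checks prove the token is genuine and was
    /// issued for this API (authentication). They say nothing about what the caller may do;
    /// per-endpoint authorization must still inspect the "scp" (delegated) or "roles" (app) claims.
    /// </remarks>
    static async Task ValidateTokenAsync(string token, string[] scopes)
    {
        OpenIdConnectConfiguration openIdConfig =
            await s_configurationManager.GetConfigurationAsync(CancellationToken.None);

        var validationParams = new TokenValidationParameters
        {
            // The library defaults are spelled out so a later edit cannot silently turn one off.
            ValidateAudience = true,
            ValidAudience = "api://" + ClientId, // Actual audience ("aud") in the token
            ValidateIssuer = true,
            // Must match the "iss" claim of the tokens actually issued: v1 tokens carry
            // https://sts.windows.net/{tenant}/, v2 tokens carry
            // https://login.microsoftonline.com/{tenant}/v2.0 -- check a real token.
            ValidIssuer = "https://sts.windows.net/" + TenantId + "/",
            ValidateIssuerSigningKey = true,
            IssuerSigningKeys = openIdConfig.SigningKeys,
            RequireSignedTokens = true,
            RequireExpirationTime = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(5),
        };

        var tokenHandler = new JwtSecurityTokenHandler();
        try
        {
            ClaimsPrincipal claimsPrincipal =
                tokenHandler.ValidateToken(token, validationParams, out SecurityToken _);
            Console.WriteLine("Token is valid.");

            // "oid" is the tenant-wide, stable object id of the user or service principal.
            // "sub" (what NameIdentifier maps to) is unique only per user+application pair,
            // so it is not suitable as a cross-application user key.
            var objectId = claimsPrincipal.FindFirst("oid")?.Value
                ?? claimsPrincipal.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value;
            var userId = claimsPrincipal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
            var userName = claimsPrincipal.FindFirst(ClaimTypes.Name)?.Value;

            // Permissions granted to the caller. The API compares these against what each
            // endpoint requires; a valid token alone must not grant access to everything.
            var delegatedScopes = claimsPrincipal.FindFirst("scp")?.Value
                ?? claimsPrincipal.FindFirst("http://schemas.microsoft.com/identity/claims/scope")?.Value;
            var appRoles = claimsPrincipal.FindAll(ClaimTypes.Role)
                .Concat(claimsPrincipal.FindAll("roles"))
                .Select(c => c.Value);

            Console.WriteLine($"Object ID (oid): {objectId}");
            Console.WriteLine($"User ID: {userId}");
            Console.WriteLine($"User Name: {userName}");
            Console.WriteLine($"Scopes (scp): {delegatedScopes}");
            Console.WriteLine($"Roles: {string.Join(" ", appRoles)}");
        }
        catch (SecurityTokenException ex)
        {
            // Covers expired tokens, wrong audience/issuer, bad signature, etc. The library
            // redacts claim values from these messages unless ShowPII is enabled -- leave it off
            // in production logging.
            Console.WriteLine($"Token validation failed: {ex.Message}");
        }
        catch (ArgumentException ex)
        {
            // Depending on the library version, a string that is not a readable JWS (or is null /
            // over the maximum size) surfaces as ArgumentException rather than SecurityTokenException.
            // An API should treat this exactly like a failed validation (401), not as a server error.
            Console.WriteLine($"Token is not a readable JWT: {ex.Message}");
        }
    }
}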