我们有一个Web应用程序,需要对多个Web API进行身份验证访问。我们正在使用Azure AD B2C进行身份验证。
我了解您不能在一个呼叫中同时包含两个资源的范围。
我了解MSAL的目的是使用从第一个资源令牌缓存的刷新令牌,为第二个资源请求访问令牌。
IConfidentialClientApplication cca = MsalAppBuilder.BuildConfidentialClientApplication();
var accounts = await cca.GetAccountsAsync();
AuthenticationResult result = await cca.AcquireTokenSilent(scopeForApi2, accounts.FirstOrDefault())
进行此调用时,调用不会失败,但是访问令牌为空。
在Azure B2C中,已注册Web应用程序和Webapi,并且已从Webapis授予Web应用程序对所有范围的权限和管理员同意。
使用Azure AD B2C和/或MSAL.NET是否支持?
我们成功获取了第一个资源api的第一个访问令牌:
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
// Generate the metadata address using the tenant and policy information
MetadataAddress = String.Format(Globals.WellKnownMetadata, Globals.Tenant, Globals.DefaultPolicy),
// These are standard OpenID Connect parameters, with values pulled from web.config
ClientId = Globals.ClientId,
RedirectUri = Globals.RedirectUri,
PostLogoutRedirectUri = Globals.RedirectUri,
// Specify the callbacks for each type of notifications
Notifications = new OpenIdConnectAuthenticationNotifications
{
RedirectToIdentityProvider = OnRedirectToIdentityProvider,
AuthorizationCodeReceived = OnAuthorizationCodeReceived,
AuthenticationFailed = OnAuthenticationFailed,
},
// Specify the claim type that specifies the Name property.
TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name",
ValidateIssuer = false
},
// Specify the scope by appending all of the scopes requested into one string (separated by a blank space)
Scope = $"openid profile offline_access {Globals.ReadTasksScopeApi1} {Globals.WriteTasksScopeApi1}"
}
);
我们使用授权码获得第一个访问令牌-我们收到一个访问令牌并刷新令牌
IConfidentialClientApplication confidentialClient
= MsalAppBuilder.BuildConfidentialClientApplication(
new ClaimsPrincipal(notification.AuthenticationTicket.Identity));
// Upon successful sign in, get & cache a token using MSAL
AuthenticationResult result = await confidentialClient
.AcquireTokenByAuthorizationCode(Globals.Scopes_Api1, notification.Code)
.ExecuteAsync();
我也尝试添加“ resource”查询参数,但似乎没有任何区别:
var scope = new string[] { Globals.ReadTasksScopeApi2 };
IConfidentialClientApplication cca = MsalAppBuilder.BuildConfidentialClientApplication();
var accounts = await cca.GetAccountsAsync();
AuthenticationResult result = await cca.AcquireTokenSilent(scope, accounts.FirstOrDefault())
.WithExtraQueryParameters(new Dictionary<string, string>
{
// { "resource", "https://myb2c.onmicrosoft.com/api2" }, // tried appid and guid
{ "resource", "0a6ab6b5-1b88-49fe-a6cf-19f1878d3508" }
})
.ExecuteAsync();
为什么使用Azure AD B2C在第二个资源上第二次调用AcquireTokenSilent时访问令牌为空?
2/19/2020
我已与Azure支持工程师确认,Azure AD B2C不支持这种情况。