ASP.NET Core authentication with both AAD and B2C

Question (votes: 1, answers: 2)

We have written a web API in ASP.NET Core 2.2 and want to authenticate users against either AAD or B2C. That means some endpoints must be reachable only by AAD users, others only by B2C users, and some by both.

In Startup.cs we have

services.AddAuthentication(AzureADB2CDefaults.BearerAuthenticationScheme)
   .AddAzureADB2CBearer(options => Configuration.Bind("AzureAdB2C", options));

services.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme)
   .AddAzureADBearer(options => Configuration.Bind("AzureAd", options));

Each of these works on its own, but when we try to add both configurations at the same time, neither works.

I have also tried

services.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme)
   .AddAzureADBearer(options => Configuration.Bind("AzureAd", options))
   .AddAzureADB2CBearer(options => Configuration.Bind("AzureAdB2C", options));

but that does not seem to work either. How can we achieve this?

Tags: azure asp.net-core azure-active-directory azure-ad-b2c

2 Answers

Answer 1 (1 vote)

You don't need to configure both the way you did above.

You only configure B2C in code, and then use a custom policy in Azure AD B2C. You define Azure AD as a claims provider that Azure AD B2C talks to through its endpoints. This lets users sign in with either an Azure AD account or a social account.

See the detailed reference here at Microsoft Docs.


Answer 2 (0 votes)

I faced a similar problem and solved it with custom policies. Below is the authentication code.

using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class AuthorizationExtensions
{
    public static void AddAuthorization(this IServiceCollection services, IConfigurationRoot configuration)
    {
        // No default scheme is set: each endpoint selects its scheme through an authorization policy.
        services.AddAuthentication()
            // Scheme "AAD": tokens issued by the organisational Azure AD tenant.
            .AddJwtBearer("AAD", options =>
            {
                options.MetadataAddress = configuration["AzureAd:Instance"] + configuration["AzureAd:TenantId"] +
                                          "/v2.0/.well-known/openid-configuration";
                options.Authority = configuration["AzureAd:Instance"] + configuration["AzureAd:TenantId"];
                options.Audience = configuration["AzureAd:ClientId"];
                options.TokenValidationParameters =
                    new TokenValidationParameters
                    {
                        ValidIssuer = $"https://sts.windows.net/{configuration["AzureAd:TenantId"]}/",
                    };
                options.Events = new JwtBearerEvents
                {
                    OnMessageReceived = context => Task.CompletedTask,
                    OnChallenge = context => Task.CompletedTask,
                    OnAuthenticationFailed = context =>
                    {
                        Console.WriteLine("OnAuthenticationFailed: " + context.Exception.Message);
                        return Task.CompletedTask;
                    },
                    OnTokenValidated = context =>
                    {
                        Console.WriteLine("Validated: " + context.SecurityToken);
                        return Task.CompletedTask;
                    }
                };
            })
            // Scheme "B2C": tokens issued by the B2C tenant for the sign-up/sign-in user flow.
            .AddJwtBearer("B2C", options =>
            {
                options.Authority = configuration["AzureAdB2C:Instance"] + configuration["AzureAdB2C:Domain"] + "/" +
                                    configuration["AzureAdB2C:SignUpSignInPolicyId"] + "/v2.0";
                options.Audience = configuration["AzureAdB2C:ClientId"];

                options.Events = new JwtBearerEvents
                {
                    OnMessageReceived = context => Task.CompletedTask,
                    OnChallenge = context => Task.CompletedTask,
                    OnAuthenticationFailed = context =>
                    {
                        Console.WriteLine("OnAuthenticationFailed: " + context.Exception.Message);
                        return Task.CompletedTask;
                    },
                    OnTokenValidated = context =>
                    {
                        Console.WriteLine("Validated: " + context.SecurityToken);
                        return Task.CompletedTask;
                    }
                };
            });

        services
            .AddAuthorization(options =>
            {
                // Each policy runs only its own scheme's handler, so a token from the other tenant is rejected.
                options.AddPolicy("AADUsers", new AuthorizationPolicyBuilder()
                    .RequireAuthenticatedUser()
                    .AddAuthenticationSchemes("AAD")
                    .Build());

                options.AddPolicy("B2CUsers", new AuthorizationPolicyBuilder()
                    .RequireAuthenticatedUser()
                    .AddAuthenticationSchemes("B2C")
                    .Build());
            });
    }
}

In Startup.cs, add the following to ConfigureServices:

services.AddAuthorization(Configuration);

Now in your controllers you can decorate actions for AD or B2C like this:

[Authorize(Policy = "B2CUsers")] // For B2C authentication
[Authorize(Policy = "AADUsers")] // For AAD authentication
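The question also asks for endpoints shared by both user populations, which the per-scheme policies above do not cover. The following is an added example, not code from the answer: it assumes the "AAD" and "B2C" scheme names registered above and the existing "AADUsers" policy, and adds an "AnyUser" policy that consults both handlers, also wiring it in as the default policy so a bare [Authorize] means "AAD or B2C".

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class SharedAuthorizationExtensions
{
    // Must match the scheme names passed to AddJwtBearer in the answer above (assumption).
    private const string AadScheme = "AAD";
    private const string B2cScheme = "B2C";

    public static void AddSharedAuthorizationPolicies(this IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            // Naming both schemes makes the authorization layer run both JWT bearer
            // handlers for the request; the policy passes if either yields a principal.
            var anyUser = new AuthorizationPolicyBuilder(AadScheme, B2cScheme)
                .RequireAuthenticatedUser()
                .Build();
            options.AddPolicy("AnyUser", anyUser);

            // AddAuthentication() was called without a default scheme, so a bare
            // [Authorize] would consult no handler at all; pointing the default
            // policy at both schemes gives it a well-defined "AAD or B2C" meaning.
            options.DefaultPolicy = anyUser;
        });
    }
}

[ApiController]
[Route("api/[controller]")]
public class ReportsController : ControllerBase
{
    // Shared endpoint: a valid token from either tenant is accepted.
    // The "iss" claim tells you which tenant issued it, which is useful for audit logging.
    [HttpGet("shared")]
    [Authorize(Policy = "AnyUser")]
    public IActionResult Shared() =>
        Ok(new { issuer = User.FindFirst("iss")?.Value });

    // Workforce-only endpoint: only the "AAD" handler runs for this policy, so a
    // B2C token is rejected here even though it is valid for the API as a whole.
    [HttpGet("internal")]
    [Authorize(Policy = "AADUsers")]
    public IActionResult InternalOnly() => Ok();
}
```

Call services.AddSharedAuthorizationPolicies() after services.AddAuthorization(Configuration) in ConfigureServices; the two AddAuthorization calls merge their policies into the same AuthorizationOptions.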