
我有一个 .NET Core 应用程序和一个 React 应用程序：React 应用调用我的中间层 API，中间层 API 再调用下游 API。我在 Azure AD 中注册了三个应用程序，并完成了全部配置。在中间层 API 中，我验证从 React 应用收到的令牌，并尝试获取用于调用下游 API 的令牌，代码如下。

public void ConfigureServices(IServiceCollection services)
        {
            // Middle-tier API wiring: validate the bearer token sent by the React SPA, then
            // acquire a downstream-API token for the same user (on-behalf-of) via ITokenAcquisition.
            services.AddControllers();
            services.AddTransient<DownStreamAPIService>();
            services.AddHttpClient();
            services.AddOptions();
            var azureAd = Configuration.GetSection("AzureAd").Get<AzureAd>();
            // SECURITY: ShowPII = true puts token contents, key ids and claim values into
            // IdentityModel exception messages and logs. Keep it off outside local development.
            IdentityModelEventSource.ShowPII = true;

            // Registers the JWT bearer handler under the default "Bearer" scheme from the "AzureAd"
            // section and enables on-behalf-of token acquisition. The token cache is in-process
            // memory; a scaled-out deployment would need a distributed cache instead.
            services.AddMicrosoftIdentityWebApiAuthentication(Configuration)
                .EnableTokenAcquisitionToCallDownstreamApi()
                .AddInMemoryTokenCaches();

            // BUG: this registers JwtBearer under the same "Bearer" scheme a second time, which is
            // what produces "Scheme already exists: Bearer" at startup. To adjust validation,
            // configure the already-registered scheme's options instead
            // (services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, ...)).
            services.AddAuthentication(x =>
            {
                x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
            })
            .AddJwtBearer(options =>
            {
                // Keeps the raw incoming token in AuthenticationProperties; only needed if it is
                // read back later with GetTokenAsync.
                options.SaveToken = true;
                // The signing keys are fetched from the discovery document, so it must never be
                // loaded over plain HTTP.
                options.RequireHttpsMetadata = true;
                // NOTE: "Instance" in appsettings.json already ends with "/", so this produces
                // "https://login.microsoftonline.com//{tenant}/v2.0" (a double slash).
                options.Authority = $"{azureAd.Instance}/{azureAd.TenantId}/v2.0";
                // v2.0 tokens carry aud == the bare client id; v1.0 tokens carry "api://{clientId}".
                // Confirm which format the SPA's token uses before pinning a single audience.
                options.Audience = $"{azureAd.ClientId}";

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateAudience = true,
                    ValidateLifetime = true,
                    ValidateIssuer = true,
                    // false here does NOT skip signature verification: the JWT signature is still
                    // checked against the authority's published keys (RequireSignedTokens stays true).
                    // It only disables the extra IssuerSigningKeyValidator step on the key itself.
                    ValidateIssuerSigningKey = false,
                    ValidateActor = false
                };
            });

            // An explicit origin list is required when AllowCredentials() is used (AllowAnyOrigin
            // plus credentials is rejected at runtime). The origin is hard-coded here although
            // appsettings.json also defines "WebOriginUrl"; read it from configuration so the two
            // cannot drift apart.
            services.AddCors(options =>
            {
                options.AddPolicy(
                    "CorsPolicy",
                    builder =>
                    {
                        builder
                        .WithOrigins("https://localhost:3000")
                            .AllowAnyHeader()
                            .AllowAnyMethod()
                            .AllowCredentials();
                    });
            });
        } 

下面是 DownStreamAPIService 类

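/// <summary>
/// Calls the downstream API's <c>weatherforecast</c> endpoint on behalf of the current user,
/// exchanging the caller's validated token for a downstream token (on-behalf-of flow).
/// </summary>
/// <returns>The JSON array returned by the downstream API.</returns>
/// <exception cref="InvalidOperationException">
/// A required <c>DownStreamAPI</c> configuration value is missing or empty.
/// </exception>
/// <exception cref="ApplicationException">
/// The downstream API returned a non-success status code.
/// </exception>
public async Task<JArray> GetApiDataAsync()
        {
            // Scope formats seen in practice: api://{appId}/{scopeName} (e.g. access_as_user,
            // user_impersonation) or api://{appId}/.default.
            var scope = _configuration["DownStreamAPI:ScopeForAccessToken"];
            if (string.IsNullOrWhiteSpace(scope))
            {
                throw new InvalidOperationException("Configuration value 'DownStreamAPI:ScopeForAccessToken' is missing.");
            }

            var baseAddress = _configuration["DownStreamAPI:ApiBaseAddress"];
            if (string.IsNullOrWhiteSpace(baseAddress))
            {
                throw new InvalidOperationException("Configuration value 'DownStreamAPI:ApiBaseAddress' is missing.");
            }

            // On-behalf-of exchange: the incoming (already validated) bearer token is traded for
            // a token scoped to the downstream API for the same user.
            var accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(new[] { scope }).ConfigureAwait(false);

            // A fresh client per call; the factory owns the underlying handler lifetime, so
            // disposing the client here is safe and releases the per-call instance.
            using (var client = _clientFactory.CreateClient())
            {
                client.BaseAddress = new Uri(baseAddress);

                using (var request = new HttpRequestMessage(HttpMethod.Get, "weatherforecast"))
                {
                    // SECURITY: the user's bearer token is attached to this one request only.
                    // Putting it on DefaultRequestHeaders would be a cross-user leak if the
                    // client were ever shared between requests.
                    request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
                    request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));

                    // Dispose the response so the connection is returned to the pool on every path.
                    using (var response = await client.SendAsync(request).ConfigureAwait(false))
                    {
                        if (!response.IsSuccessStatusCode)
                        {
                            throw new ApplicationException($"Status code: {response.StatusCode}, Error: {response.ReasonPhrase}");
                        }

                        var responseContent = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
                        return JArray.Parse(responseContent);
                    }
                }
            }
        }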

下面是 appsettings.json 文件

 "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "mydomain.onmicrosoft.com",
    "TenantId": "c5fff990-0e0a-4bf6-9c04-79ab98e05931",
    "ClientId": "43dg8b3c-8743-4d6e-84b4-00fe04d93222"
  },
  "WebOriginUrl": "https://localhost:3000",
  "DownStreamAPI": {
    "ScopeForAccessToken": "api://723fac69-4038-4e16-92cc-3f57b7cc2381/access_downstream_api_as_user",
    "ApiBaseAddress": "https://localhost:44316"
  }

当我运行应用程序时,出现以下错误

Scheme already exists: Bearer

在我的中间层应用程序中，我验证传入的令牌，并尝试为下游 API 获取新令牌。我不确定的是：中间层 API 是否需要自己验证令牌？我使用的是代理（On-Behalf-Of）流程。如果这个设计有任何问题，请指出。任何帮助都将不胜感激，谢谢。




当我们使用 AddMicrosoftIdentityWebApiAuthentication 配置 Azure AD 时，它已经在内部注册了 Bearer 方案（相当于 AddAuthentication().AddJwtBearer()），并对传入令牌做签名、颁发者、受众和有效期验证——这正是代理（On-Behalf-Of）流程要求中间层在交换令牌之前必须完成的一步。因此再次用同名方案调用 AddJwtBearer 会在启动时抛出 "Scheme already exists: Bearer"。更多详情请参阅 Microsoft.Identity.Web 的文档。请删除以下代码：

// Remove: this re-registers the "Bearer" scheme that AddMicrosoftIdentityWebApiAuthentication
// already registered, which is the cause of "Scheme already exists: Bearer".
services.AddAuthentication(x =>
            {
                x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
            })
            .AddJwtBearer(options =>
            {
                options.SaveToken = true;
                options.RequireHttpsMetadata = true;
                options.Authority = $"{azureAd.Instance}/{azureAd.TenantId}/v2.0";
                options.Audience = $"{azureAd.ClientId}";

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateAudience = true,
                    ValidateLifetime = true,
                    ValidateIssuer = true,
                    ValidateIssuerSigningKey = false,
                    ValidateActor = false
                };
            });

如果需要调整令牌验证参数，可以在已注册的 Bearer 方案上配置 JwtBearerOptions，而不是再次注册方案。注意下面代码中的受众 GUID 和 {tenantId} 只是示例占位符，必须替换为你自己的 API 客户端 ID 和租户 ID：

 // Tunes the options of the "Bearer" scheme that Microsoft.Identity.Web already registered,
 // instead of registering the scheme a second time.
 services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
            {
                // Keeps the raw incoming token in AuthenticationProperties (only needed if it is
                // read back later with GetTokenAsync).
                options.SaveToken = true;
                // Discovery metadata (and thus the signing keys) must only be fetched over HTTPS.
                options.RequireHttpsMetadata = true;

                // CAUTION: assigning a brand-new TokenValidationParameters discards whatever
                // Microsoft.Identity.Web already set on this same named options instance (its
                // audience list and issuer validation). Prefer setting individual properties on
                // the existing object, e.g. options.TokenValidationParameters.ValidAudiences = ...
                // -- verify against the Microsoft.Identity.Web version in use.
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateAudience = true,
                    // Example values from the answerer: replace with the middle-tier API's own client
                    // id. Both forms are listed because v1.0 tokens carry "api://{clientId}" and
                    // v2.0 tokens carry the bare GUID.
                    ValidAudiences = new string[] { "872ebcec-c24a-4399-835a-201cdaf7d68b", "api://872ebcec-c24a-4399-835a-201cdaf7d68b" },
                    ValidateLifetime = true,
                    ValidateIssuer = true,
                    // false here does NOT skip JWT signature verification; it only disables the
                    // extra IssuerSigningKeyValidator check on the key itself.
                    ValidateIssuerSigningKey = false,
                    ValidateActor = false,
                    // "{tenantId}" is a literal placeholder here (no $-interpolation): substitute the
                    // real tenant id, or build these strings from configuration, otherwise every
                    // token fails issuer validation. Issuer matching is an exact string compare;
                    // v1.0 tokens carry a trailing slash ("https://sts.windows.net/{tenantId}/"),
                    // so compare against a decoded token before pinning these values.
                    ValidIssuers = new string[] { "https://sts.windows.net/{tenantId}", "https://login.microsoftonline.com/{tenantId}/v2.0" }
                };
            });
于 2021-05-25T06:00:28.263 回答