問題描述

我在啟用了 Azure AD 身份驗(yàn)證的 Azure 網(wǎng)站上運(yùn)行了一個標(biāo)準(zhǔn) Web API，當(dāng)在瀏覽器中瀏覽 API 時，我能夠通過瀏覽器登錄并獲得對 API 的訪問權(quán)限.

I have a standard Web API running on an Azure website with Azure AD authentication enabled, when browsing to the API in a browser I am able to login via the browser and gain access to the API.

然而，WPF 桌面應(yīng)用程序在提交請求時收到未經(jīng)授權(quán)響應(yīng):

The WPF desktop application however is receiving an Unauthorized response when submitting the request:

var authContext = new AuthenticationContext(authority, new FileCache());
var accessToken = await authContext.AcquireTokenAsync(apiResourceid, clientId, redirectUri,
                    new PlatformParameters(PromptBehavior.Auto));
// accessToken is valid

var apiUrl = "https://example.azurewebsites.net/api/list";
var request = new HttpRequestMessage(HttpMethod.Get, apiUrl);
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken.AccessToken);
var response = await httpClient.SendAsync(request);

認(rèn)證成功，調(diào)試時可以看到用戶信息.

The authentication is successfull and I can see the User info when debugging.

我無權(quán)訪問 Azure 帳戶，但我確信 Service AD 應(yīng)用程序配置正確，允許訪問客戶端 AD 應(yīng)用程序，就像在備用帳戶(未正確配置)上測試時一樣，AuthenticationContext.AcquireTokenAsync 方法失敗.

I do not have access to the Azure account but am confident the Service AD application is configured correctly to allow access to the Client AD application as when testing on an alternate account (not configured correctly) the AuthenticationContext.AcquireTokenAsync method was failing.

我確實(shí)注意到 AuthenticationResult.ExpiresOn 總是在過去，但看不到延長它的方法，這應(yīng)該是未來的日期嗎? - (時間是當(dāng)然UTC)

I did notice that the AuthenticationResult.ExpiresOn is always in the past but see no way of extending it, should this be a future date? - (Time is of course UTC)

請求:

GET https://example.azure
websites.net/api/categorisation HTTP/1.1
Authorization: Bearer eyJ0eXAiO...
Host: example.azurewebsites.net

回復(fù):

HTTP/1.1 401 Unauthorized
Content-Length: 58
Content-Type: text/html
Server: Microsoft-IIS/8.0
WWW-Authenticate: Bearer realm="example.azurewebsites.net"
X-Powered-By: ASP.NET
Set-Cookie: ARRAffinity=e35f2977dba55e6708887e762940f75c2a0fcb0a9df4e1cbe0d3f10a614c59b8;Path=/;Domain=example.azurewebsites.net
Date: Fri, 08 Jul 2016 07:51:13 GMT

You do not have permission to view this directory or page.

更新:

我在我有權(quán)訪問的 Azure 帳戶中重新創(chuàng)建了環(huán)境，但仍然收到未經(jīng)授權(quán)的響應(yīng)(在瀏覽器中可以正常工作).

I have recreated the environment in an Azure account I have access to and still receive an Unauthorised response (works fine in a browser).

推薦答案

問題似乎與 Azure 網(wǎng)站中的身份驗(yàn)證/授權(quán)"選項(xiàng)有關(guān)，啟用后，Web Api 將不接受使用身份驗(yàn)證標(biāo)頭的請求.禁用該選項(xiàng)并將 Owin 庫與 Azure AD 一起使用提供了所需的解決方案.

The issue appears to be with the "Authentication / Authorization" option in Azure Websites, when enabled the Web Api will not accept requests using the Authentication header. Disabling the option and using the Owin library alongside Azure AD has provided the solution required.

這篇關(guān)于Azure AD API 請求 401 未經(jīng)授權(quán)的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網(wǎng)！