Problem description
I have deployed an API App to Azure, but I am having problems creating an API client if Authentication (with AAD) is set to ON.
When I try to generate the service client (when Authentication is OFF), the client code is generated (it's done with Autorest) and the code works, but when I switch Authentication ON (and "Action to take when request is not authenticated" is set to "Login with Azure Active Directory"), then
1) the service call returned 401 Unauthorized (without redirecting to the AAD login page)
2) Then I tried to generate the service client once more (from the project's context menu -> Add -> REST API Client -> then in the dialog box I chose "Select Azure Asset" and pressed OK) and got the message "Failed to download metadata file for Microsoft Azure API App: ...app name..." (and "no additional information available")
I was implementing AAD according to this Azure manual (using express settings):
https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-how-to-configure-active-directory-authentication/
I was also working according to this video, and everything shown in the video was working, except that AAD was not demonstrated... and for me it's not working...
https://azure.microsoft.com/en-us/documentation/videos/connect-2015-what-s-new-in-app-service-api-apps/
Any suggestions?
Edit
1) If I enter the request URL (that the REST API client uses) in a web browser, it returns valid results
2) I found out that I am using the REST API without credentials (I thought the Azure AD login screen should be presented in this case... but it isn't)
Edit 2
I made some progress - I got to the AAD login screen, and after entering credentials I get the bearer token, but when I try to query the service, I get an error message:
AADSTS65005: The client application has requested access to resource 'https....azurewebsites.net'. This request has failed because the client has not specified this resource in its requiredResourceAccess list. Trace ID: 4176e... Correlation ID: 1d612d... Timestamp: 2016-11-13 18:28:34Z
These are the steps I've done to get this far:
0) Added the Microsoft.IdentityModel.Clients.ActiveDirectory NuGet package to the client project
1) Registered my client app in Azure Active Directory
2) When calling the REST API from the client application, I am adding ServiceClientCredentials
3) When creating ServiceClientCredentials I provide 4 elements:
- authority = this is from AAD App registrations -> Endpoints => Federation Metadata Document value (without the starting part http://login.windows.net/)
- resource => this is the REST API URI (=> identifier of the target resource that is the recipient of the requested token)
- clientId => this is the application id I get after I registered the client app in AAD
- redirect Uri => since my client app is a Native application, this is just any valid URL
How do I specify this resource in my client app?
The client has not specified this resource in its requiredResourceAccess list
Recommended answer
I managed to find a solution on how to enable AAD authorization for an Azure REST API App. Just in case anyone has the same challenge, I hope this will be helpful.
These are the steps I performed:
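1) In App services -> Authentication/authorization
- App Service Authentication => On
- Action to take when request is not authenticated => Login with AAD
- Configure AAD with Express settings (here you have to create an Azure AD app for your API App, i.e. the "app registration" for your service)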
2) In Azure Active Directory -> App registrations
- Add a registration for your client app
- Edit the manifest of your client app - in the requiredResourceAccess section you must add information about the REST API App:
  - resourceAppId -> insert the REST API App id here
  - resourceAccess {id} -> OauthPermission id value of the REST API (you can get it in the REST API's manifest!)
3) In your client application
- generate your REST client using Autorest (from Solution Explorer: Add -> REST API client) or create it manually
- add the Microsoft.IdentityModel.Clients.ActiveDirectory NuGet package
- get and use a token to access your API with code similar to this:
    using System;
    using Microsoft.IdentityModel.Clients.ActiveDirectory; // AuthenticationContext, PlatformParameters
    using Microsoft.Rest;                                  // ServiceClientCredentials, TokenCredentials

    // request
    // (..)
    var tokenCreds = getToken();
    ServiceClientCredentials credentials = tokenCreds;

    using (var client = new YourAPI(credentials))
    {
        // ...
    }
    // (..)

    // getting token
    private static TokenCredentials getToken()
    {
        // get this from Federation Metadata Document in
        // Azure Active Directory App registrations -> Endpoints
        var authority = "f1...";

        // Identifier of the target resource that is the recipient of the requested token
        var resource = "https://yourapi.azurewebsites.net";

        // client application id (see Azure Active Directory App registration
        // for your client app)
        var clientId = "a71...";

        // return url - not relevant for Native apps (just has to be valid url)
        var redirectUri = "https://just-some-valid-url.net";

        AuthenticationContext authContext =
            new AuthenticationContext(string.Format("https://login.windows.net/{0}", authority));

        // Blocks on the async call; prompts for sign-in when no cached token is available
        AuthenticationResult tokenAuthResult =
            authContext.AcquireTokenAsync(resource, clientId, new Uri(redirectUri),
                new PlatformParameters(PromptBehavior.Auto)).Result;

        return new TokenCredentials(tokenAuthResult.AccessToken);
    }
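The manifest edit from step 2, as an added example that is not part of the original answer: a Python check that a client app's manifest lists the API under requiredResourceAccess with a permission id the API actually exposes, which is the condition AADSTS65005 reports. The two manifests and every GUID are constructed placeholders, the function name is hypothetical, and the code assumes the Azure AD application manifest keys appId and oauth2Permissions.

```python
import json

# Constructed sample manifests (trimmed); every GUID is a made-up placeholder.
API_MANIFEST = json.loads("""
{"appId": "11111111-1111-1111-1111-111111111111",
 "oauth2Permissions": [
   {"id": "22222222-2222-2222-2222-222222222222",
    "value": "user_impersonation", "type": "User", "isEnabled": true}]}
""")
CLIENT_MANIFEST = json.loads("""
{"appId": "33333333-3333-3333-3333-333333333333",
 "requiredResourceAccess": [
   {"resourceAppId": "11111111-1111-1111-1111-111111111111",
    "resourceAccess": [
      {"id": "22222222-2222-2222-2222-222222222222", "type": "Scope"}]}]}
""")


def check_required_resource_access(client, api):
    """Return the problems that would stop the client getting a token for the API."""
    api_app_id = api["appId"].lower()
    # Delegated permissions the API exposes and has enabled.
    enabled = {p["id"].lower() for p in api.get("oauth2Permissions", [])
               if p.get("isEnabled", True)}
    entries = [e for e in client.get("requiredResourceAccess", [])
               if e.get("resourceAppId", "").lower() == api_app_id]
    if not entries:
        # The API is not listed at all: the case AADSTS65005 describes.
        return [f"resourceAppId {api_app_id} missing from requiredResourceAccess"]
    problems = []
    requested = [a for e in entries for a in e.get("resourceAccess", [])]
    if not requested:
        problems.append("entry for the API has an empty resourceAccess list")
    for access in requested:
        if access.get("type") != "Scope":
            continue  # "Role" entries are app roles, not delegated permissions
        if access.get("id", "").lower() not in enabled:
            problems.append(
                f"scope id {access.get('id')} is not an enabled permission of the API")
    return problems


if __name__ == "__main__":
    result = check_required_resource_access(CLIENT_MANIFEST, API_MANIFEST)
    print("\n".join(result) if result else "ok")
```
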