
Is this the correct way to use the Owin.Security.ActiveDirectory library with AAD B2C?


We registered two applications in the same AAD B2C tenant, one through the "New" portal and one through the "Old" portal.

Authenticating with the "old" application's credentials works fine. With the "new" application's credentials we get an error:

IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier ( IsReadOnly = False, Count = 1, Clause[0] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause ) '

Is using the Microsoft.Owin.Security.ActiveDirectory library (to protect an ASP.NET Web API) with an application registered in an AAD B2C tenant the correct approach?

P.S. My question is based on this post.

1 Answer

  • 0

    You should only create applications via the Azure AD B2C blade in the new Azure portal (portal.azure.com).

    Do not use the classic Azure portal (manage.windowsazure.com) to create applications for Azure AD B2C.

    If you want to secure a WebApp, you should use Owin's OpenIdConnectAuthentication. This document describes in detail how to do that: Sign-Up & Sign-In in an ASP.NET Web App

    If you want to secure a WebAPI, you should use Owin's OAuthBearerAuthentication. This document describes in detail how to do that: Build a .NET web API


    Example configuration for the WebApp:

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                // Generate the metadata address using the tenant and policy information
                MetadataAddress = String.Format(AadInstance, Tenant, DefaultPolicy),
    
                // These are standard OpenID Connect parameters, with values pulled from web.config
                ClientId = ClientId,
                RedirectUri = RedirectUri,
                PostLogoutRedirectUri = RedirectUri,
    
                // Specify the callbacks for each type of notifications
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    RedirectToIdentityProvider = OnRedirectToIdentityProvider,
                    AuthorizationCodeReceived = OnAuthorizationCodeReceived,
                    AuthenticationFailed = OnAuthenticationFailed,
                },
    
                // Specify the claims to validate
                TokenValidationParameters = new TokenValidationParameters
                {
                    NameClaimType = "name"
                },
    
                // Specify the scope by appending all of the scopes requested into one string (separated by a blank space)
                Scope = $"{OpenIdConnectScopes.OpenId} {YourScope1} {YourScope2}"
            }
        );
    }
    

    Example configuration for the Web API:

    public void ConfigureAuth(IAppBuilder app)
    {
        TokenValidationParameters tvps = new TokenValidationParameters
        {
            // Accept only those tokens where the audience of the token is equal to the client ID of this app
            ValidAudience = ClientId,
            AuthenticationType = Startup.DefaultPolicy
        };

        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            // This SecurityTokenProvider fetches the Azure AD B2C metadata & signing keys from the OpenIDConnect metadata endpoint
            AccessTokenFormat = new JwtFormat(tvps, new OpenIdConnectCachingSecurityTokenProvider(String.Format(AadInstance, Tenant, DefaultPolicy)))
        });
    }
    
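The Web API configuration in the answer above hands the actual token checks to `JwtFormat`, which pulls the signing keys from the per-policy metadata endpoint and matches the token's `kid` header against them. The example below is an added illustration, not code from the original post or from the Microsoft sample (`OpenIdConnectCachingSecurityTokenProvider` is a class in that sample, not a library type). It runs offline: it generates two RSA keys that stand in for the signing keys two B2C policies would publish, issues a token under one of them, and validates it against each key set. The tenant id, client id, issuer URL, policy name, `tfp` claim and `kid` values are made-up placeholders; it assumes the Microsoft.IdentityModel.Tokens and System.IdentityModel.Tokens.Jwt 5.x packages, whose exception for this case is `SecurityTokenSignatureKeyNotFoundException` (the counterpart of the IDX10500 "Unable to resolve SecurityKeyIdentifier" message quoted in the question). It also pins the issuer and enforces lifetime explicitly, which the sample's `TokenValidationParameters` leaves at defaults.

```csharp
// Added example (not from the original post or the Microsoft sample): an offline
// demonstration of the checks JwtFormat/TokenValidationParameters perform, and of
// what happens when the token's "kid" is not in the configured key set.
// Assumes Microsoft.IdentityModel.Tokens / System.IdentityModel.Tokens.Jwt 5.x.
// All identifiers below are made-up placeholders.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

static class B2cTokenCheck
{
    // Hypothetical tenant/app values; the real ones would come from web.config.
    const string TenantId = "00000000-0000-0000-0000-000000000000";
    const string ClientId = "11111111-1111-1111-1111-111111111111";
    // Assumed issuer format for a B2C tenant's v2.0 tokens.
    static readonly string Issuer = $"https://login.microsoftonline.com/{TenantId}/v2.0/";

    // Stand-in for the signing key a policy's OpenID Connect metadata would publish.
    static RsaSecurityKey NewPolicyKey(string kid) =>
        new RsaSecurityKey(RSA.Create(2048)) { KeyId = kid };

    // Mints a token the way the authorization server would: RS256, "kid" in the header.
    static string IssueToken(RsaSecurityKey key, string policy)
    {
        var handler = new JwtSecurityTokenHandler();
        var token = handler.CreateJwtSecurityToken(
            issuer: Issuer,
            audience: ClientId,
            subject: new ClaimsIdentity(new[]
            {
                new Claim("name", "Alice Example"),
                new Claim("tfp", policy),   // B2C names the issuing policy in "tfp"
            }),
            notBefore: DateTime.UtcNow,
            expires: DateTime.UtcNow.AddMinutes(60),
            signingCredentials: new SigningCredentials(key, SecurityAlgorithms.RsaSha256));
        return handler.WriteToken(token);
    }

    // The checks the Web API delegates to JwtFormat, with issuer, audience,
    // lifetime and signing-key validation all switched on explicitly.
    static TokenValidationParameters Parameters(IEnumerable<SecurityKey> keys) =>
        new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = ClientId,
            IssuerSigningKeys = keys,
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ClockSkew = TimeSpan.FromMinutes(2),
            NameClaimType = "name",
        };

    static void Main()
    {
        var keyForSignIn = NewPolicyKey("kid-b2c-1-signin");
        var keyForEdit   = NewPolicyKey("kid-b2c-1-editprofile");
        string jwt = IssueToken(keyForSignIn, "B2C_1_SignIn");
        var handler = new JwtSecurityTokenHandler();

        // 1. Key set that contains the token's kid: validation succeeds.
        ClaimsPrincipal principal = handler.ValidateToken(
            jwt, Parameters(new[] { keyForSignIn }), out SecurityToken _);
        Console.WriteLine($"Accepted token for {principal.Identity.Name}");

        // 2. Key set fetched for a different policy: the kid cannot be resolved to
        //    any key, so signature validation fails before the claims are examined.
        try
        {
            handler.ValidateToken(jwt, Parameters(new[] { keyForEdit }), out SecurityToken _);
        }
        catch (SecurityTokenSignatureKeyNotFoundException ex)
        {
            Console.WriteLine($"Rejected: {ex.Message}");
        }

        // Diagnostic for this class of failure: compare the token's kid with the
        // kids in the key set your metadata URL actually returned.
        string kid = handler.ReadJwtToken(jwt).Header.Kid;
        Console.WriteLine($"Token kid = {kid}; configured kids = {keyForEdit.KeyId}");
    }
}
```

When the Web API rejects a token with a "cannot resolve key identifier" style error, the first thing to check is exactly this comparison: decode the token's `kid` header and compare it with the `kid` values in the JSON Web Key Set that the configured metadata URL (tenant plus `p=` policy) returns. If they differ, the API is validating against a key set that was not used to sign that token.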
