如何使 OAuth2 在 .net 上通过多因素身份验证适用于 Azure Active Directory?

How to make OAuth2 work for Azure Active Directory with multi-factor authentication on .net?(如何使 OAuth2 在 .net 上通过多因素身份验证适用于 Azure Active Directory?)
本文介绍了如何使 OAuth2 在 .net 上通过多因素身份验证适用于 Azure Active Directory?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着跟版网的小编来一起学习吧!

问题描述

我们正在使用 OAuth 2.0Azure Active Directory 上的身份验证代码授权 以对我们的 Web 应用程序中的用户进行身份验证.

We are using OAuth 2.0 auth code grant on Azure Active Directory to authenticate the users in our web application.

这工作没有问题,但现在 AD 维护想要部署多因素身份验证.我们当前的 OAuth 实施与此不符.

This has worked without problems, but now the AD maintenance wants to deploy a multi-factor authentication. Our current OAuth implementation is not in line with that.

这是我们的代码:

public static ActionResult LogOn()
{
    string authorizationUrl = string.Format(
        "https://login.windows.net/{0}/oauth2/authorize?api-version=1.0&response_type=code&response_mode=query&client_id={1}&scope={2}&redirect_uri={3}",
        HttpUtility.UrlEncode(azureActiveDirectoryTenant),
        HttpUtility.UrlEncode(azureActiveDirectoryClientId),
        HttpUtility.UrlEncode("https://graph.microsoft.com/v1.0/me/"),
        HttpUtility.UrlEncode(azureActiveDirectoryCodeRedirectURL) // refers to Code() below
    );

    return new RedirectResult(authorizationUrl, false);
}

public async Task<ActionResult> Code(string code = null, string state = "", string error = null, string error_description = null)
{
    if (String.IsNullOrEmpty(error))
    {
        if (String.IsNullOrWhiteSpace(code))
        {
            return LogOn();
        }
        AuthenticationContext ctx = new AuthenticationContext("https://login.microsoftonline.com/" + azureActiveDirectoryTenant);
        ClientCredential clcred = new ClientCredential(azureActiveDirectoryClientId, azureActiveDirectoryClientKey);
        try
        {
            var ar = await ctx.AcquireTokenByAuthorizationCodeAsync(code, new Uri(azureActiveDirectoryCodeRedirectURL), clcred, "https://graph.windows.net");
            string email = ar.UserInfo.DisplayableId;

            using (WebClient client = new WebClient())
            {
                client.Headers.Add("Authorization", "Bearer " + ar.AccessToken);

                Stream data = client.OpenRead(new Uri("https://graph.windows.net/me?api-version=1.6"));
                StreamReader reader = new StreamReader(data);
                Dictionary<string, dynamic> values = JsonConvert.DeserializeObject<Dictionary<string, dynamic>>(reader.ReadToEnd());
                data.Close();
                reader.Close();

                ... act on values and redirect...
            }
        }
        catch (AdalServiceException ex)
        {
            // We come here!
            ViewBag.ErrorMessage = String.Format("Exception: ErrorCode: {0}, StatusCode: {1}, Message: {2}.", ex.ErrorCode, ex.StatusCode, ex.Message);
            ...
        }
    }
    return View("OAuthError");
}

还有错误信息:

ErrorCode: interaction_required, StatusCode: 400, Message: AADSTS50076: Due
to a configuration change made by your administrator, or because you moved to a
new location, you must use multi-factor authentication to access '00000002-0000-
c000-0000000000000'.

本文档 正在讨论 AAD 的条件访问并提到声明"作为解决方案.

This document is discussing conditional access on AAD and mentions 'claims' as a solution.

如何将声明合并到上面的代码中以使其工作?

How does one incorporate claims to the code above to make it work?

推荐答案

根据 Microsoft 文档:https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-oapx/0fc398ca-88d0-4118-ae60-c3033e396e60

Per Microsoft docs: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-oapx/0fc398ca-88d0-4118-ae60-c3033e396e60

您可以将 amr_values=ngcmfa 添加到授权 URL 以强制执行 MFA.

You can add amr_values=ngcmfa to the authorization URL to force MFA.

您还可以添加 amr_values=mfa 以要求用户已通过 MFA,尽管它可能在不久前发生.

You can also add amr_values=mfa to require that the user has gone through MFA, though it may have happened a while ago.

您还应该检查令牌是否包含mfa";在 amr 索赔中.(因为用户可以删除参数)

You should also then check that the token does contain "mfa" in the amr claim. (since the user could just remove the parameter)

这篇关于如何使 OAuth2 在 .net 上通过多因素身份验证适用于 Azure Active Directory?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!

本站部分内容来源互联网,如果有图片或者内容侵犯了您的权益,请联系我们,我们会在确认后第一时间进行删除!

相关文档推荐

Mocking generic methods in Moq without specifying T(在 Moq 中模拟泛型方法而不指定 T)
How Moles Isolation framework is implemented?(Moles Isolation 框架是如何实现的?)
Difference between Dependency Injection and Mocking Framework (Ninject vs RhinoMocks or Moq)(依赖注入和模拟框架之间的区别(Ninject vs RhinoMocks 或 Moq))
How to mock Controller.User using moq(如何使用 moq 模拟 Controller.User)
Using Moq to determine if a method is called(使用 Moq 确定是否调用了方法)
Windows Phone 8.1 Camera Initialisation - Access Denied Exception(Windows Phone 8.1 相机初始化 - 访问被拒绝异常)