问题描述
我已将 API 应用程序
部署到 Azure,但如果身份验证(使用 AAD)设置为 ON,我在创建 API 客户端时遇到问题.
I have deployed an API App
to Azure, but I am having problems creating API Client if Authentication (with AAD) is set to ON.
当我尝试生成服务客户端时(当身份验证关闭时),然后生成客户端代码(使用 Autorest 完成)并且代码正在工作,但是当我打开身份验证时(以及请求未通过身份验证时采取的操作是设置为 使用 Azure Active Directory 登录
),然后
When I try to generate service client (when Authentication is OFF), then client code is generated (it's done with Autorest) and code is working, but when I switch Authentication ON (and Action to take when request is not authenticated is set to Login with Azure Active Directory
), then
1) 服务调用返回401 Unauthorized
(没有重定向到AAD登录页面)
1) service call returned 401 Unauthorized
(without redirecting to AAD login page)
2) 然后我尝试再次生成服务客户端(从项目的上下文菜单 -> 添加 -> REST API 客户端 -> 然后在对话框中我选择选择 Azure 资产"并按确定并收到一条消息 无法下载 Microsoft Azure API 应用程序的元数据文件:...应用程序名称..."
(并且没有可用的其他信息")
2) Then I tried to generate service client once more (from Project's context menu -> Add -> REST API Client -> then in the dialog box I chose "Select Azure Asset" and pressed OK and got a message "Failed to download metadata file for Microsoft Azure API App: ...app name..."
(and "no additional information available")
我正在根据此 Azure 手册实施 AAD(使用快速设置):
I was implementing AAD according to this Azure manual (using express settings):
https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-how-to-configure-active-directory-authentication/
也按照此视频工作,并且此视频中显示的所有内容都正常工作,除了 AAD 没有被演示......而且对我来说它不起作用......
Was working according to this video, too and everything what is shown in this video was working, except that AAD was not demonstrated... and for me it's not working...
https://azure.microsoft.com/en-us/documentation/videos/connect-2015-what-s-new-in-app-service-api-apps/
有什么建议吗?
编辑
1) 如果我在 Web 浏览器中输入请求 url(REST API 客户端使用),那么它会返回有效结果2) 我发现我正在使用没有凭据的 REST API(我认为在这种情况下应该显示 Azure AD 登录屏幕......但事实并非如此)
1) If I enter the request url (that REST API client uses) in web browser - then it returns valid results 2) I found out that I am using REST API without credentials (I thought Azure AD login screen should be presented in this case... but it isn't)
编辑 2
我取得了一些进展 - 进入了 AAD 登录屏幕,但在输入凭据后我得到 bearer token
,但是当我尝试查询服务时,我收到一条错误消息:
I got some progress - got to the AAD login screen, but after entering credentials I get the bearer token
, but when I try to query the service, I get an error message:
AADSTS65005:客户端应用程序已请求访问资源https....azurewebsites.net".此请求失败,因为客户端未在其 requiredResourceAccess 列表中指定此资源.跟踪 ID:4176e...相关 ID:1d612d...时间戳:2016-11-13 18:28:34Z
这些是我已经完成的步骤:
These are the steps I've done to get this far:
0) 将 Microsoft.IdentityModel.Clients.ActiveDirectory nuget 包添加到客户端项目
0) Added Microsoft.IdentityModel.Clients.ActiveDirectory nuget pack to client project
1) 在 Azure Active Directory 中注册我的客户端应用
1) registered my client app in Azure Active Directory
2) 从客户端应用程序调用 REST API 时,我正在添加 ServiceClientCredentials
2) when calling REST API from client application, I am adding ServiceClientCredentials
3) 在创建 ServiceClientCredentials 时,我提供了 4 个元素-authority = 这是来自 AAD 应用注册 -> Endpoints => Federation Metadata Document vērtība(没有起始部分 http://login.windows.net/
)
3) when creating ServiceClientCredentials I provide 4 elements
-authority = this is from AAD App registrations -> Endpoints => Federation Metadata Document vērtība (without the starting part http://login.windows.net/
)
-resource => 这是 REST API uri(=>作为请求令牌接收者的目标资源的标识符)
-resource => this is REST API uri (=>Identifier of the target resource that is the recipient of the requested token)
-clientId => 这是我在 AAD 中注册客户端应用程序后获得的应用程序 ID-redirect Uri => 因为我的客户端应用程序是本机应用程序,所以这只是任何有效的 url
-clientId => this is application id I get after I registered client app in AAD -redirect Uri => since my client app is a Native application, then this is just any valid url
如何在我的客户端应用程序中指定此资源?
客户端未在其 requiredResourceAccess 列表中指定此资源
推荐答案
我设法找到了有关如何启用对 Azure REST API 应用程序的 AAD 授权的解决方案.以防万一有人遇到同样的挑战,我希望这会有所帮助.
I managed to find a solution on how to enable AAD authorization to Azure REST API App. Just in case anyone has the same challenge, I hope this will be helpful.
这些是我执行的步骤:
1) 在应用服务中 -> 认证/授权
1) In App services -> Authentication/authorization
- 应用服务身份验证 => 开启
- 请求未通过身份验证时采取的措施 => 使用 AAD 登录
- 使用 Express 设置配置 AAD(您必须在此处创建 Azure为您的 API 应用程序的广告应用程序 - 即您的服务的应用程序注册")
2) 在 Azure Active Directory -> 应用注册
2) In Azure Active Directory -> App registrations
- 为您的客户端应用添加注册
- 编辑客户端应用程序的清单 - 在
requiredResourceAccess
部分中,您必须添加有关 REST API 应用程序的信息:resourceAppId
-> 在此处插入 REST API App idresourceAccess {id}
-> REST API 的 OauthPermission id 值(您可以在 REST API 的清单中获取它!)
- Add registration for your client app
- Edit Manifest of your client app - in the
requiredResourceAccess
section you must add information about REST API App:resourceAppId
-> insert REST API App id hereresourceAccess {id}
-> OauthPermission id value of REST API (you can get it in REST API's manifest!)
3) 在您的客户端应用程序中
3) In your client application
- 使用
Autorest
生成您的 REST 客户端(来自解决方案资源管理器:AddREST API 客户端
)或手动创建它 - 添加
Microsoft.IdentityModel.Clients.ActiveDirectory
nuget 包 使用类似下面的代码获取并使用令牌来访问您的 API:
- generate your REST client using
Autorest
(from solution explorer:AddREST API client
) or create it manually - add
Microsoft.IdentityModel.Clients.ActiveDirectory
nuget pack get and use token to access your API with code similar to this:
//request (..) var tokenCreds = getToken(); ServiceClientCredentials credentials = tokenCreds; using (var client = new YourAPI(credentials)) { ... } (..) //getting token private static TokenCredentials getToken() { //get this from Federation Metadata Document in //Azure Active Directory App registrations -> Endpoints var authority = "f1..."; //Identifier of the target resource that is the recipient of the requested token var resource = "https://yourapi.azurewebsites.net"; //client application id (see Azure Active Directory App registration //for your client app var clientId = "a71..."; //return url - not relevant for Native apps (just has to be valid url) var redirectUri = "https://just-some-valid-url.net"; AuthenticationContext authContext = new AuthenticationContext(string.Format ("https://login.windows.net/{0}", authority)); AuthenticationResult tokenAuthResult = authContext.AcquireTokenAsync(resource, clientId, new Uri(redirectUri), new PlatformParameters(PromptBehavior.Auto)).Result; return new TokenCredentials(tokenAuthResult.AccessToken); }
这篇关于如何使用 Azure Active Directory 授权的 Azure REST API 应用程序的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!
本站部分内容来源互联网,如果有图片或者内容侵犯了您的权益,请联系我们,我们会在确认后第一时间进行删除!