Authenticating the user to an Azure Function when the user is already authenticated in a web application

Updated: 2024-10-23 08:24:26

Question

I have an ASP.NET MVC web application running as a web app in Azure App Service. This web app calls an Azure Function via HttpClient from a controller. Authentication/Authorization is configured in the web app with Azure Active Directory. I need the user to also be authenticated when a call to the Azure Function is made, so that I can access the user's claims. I tried to also configure Authentication in the Azure Function itself, but this resulted in an "Unauthorized" response whenever I called the function from my web app. Is there a way to make both the web app and the Azure Function use the same Active Directory authentication, so that when a user is authenticated to the web app, he does not need to authenticate again in the Azure Function and all the user claims are available in the function itself?

Answer

I can think of three different approaches that would work.

Use a bearer token

Create two separate application registrations, one for the web application and one for the function application. Set up the Authentication/Authorization feature for the respective applications, with both configured to require AAD access. Give the web application's AAD app registration permission to access the function application's AAD app registration.

To make sure that the access token of your web application is a JWT that can be used to contact your function application, you need to add additional login parameters to your web application. To do this, follow the instructions here, but instead set additionalLoginParams to resource=<your-function-app-registration-client-id>.

When a user makes an authenticated request to the web app, a header called X-MS-TOKEN-AAD-ACCESS-TOKEN should be populated, which should be an access token with an audience of your function application's app registration. This can then be used as a bearer token for the function application API calls, which should satisfy the authentication/authorization requirements of the function application.

Use the on-behalf-of flow

Create two separate application registrations, one for the web application and one for the function application. Set up the Authentication/Authorization feature for the respective applications, with both configured to require AAD access. Give the web application's AAD app registration permission to access the function application's AAD app registration.

Then, follow the on-behalf-of flow so that the web application can get an access token for the authenticated user for the function application. There are several libraries that help with this flow. See ADAL if your app registrations are AAD V1 apps, or MSAL if your app registrations are AAD V2 apps.

Use the client-directed flow (X-ZUMO-AUTH)

Create two separate application registrations, one for the web application and one for the function application. Set up the Authentication/Authorization feature for the respective applications, with both configured to require AAD access. Give the web application's AAD app registration permission to access the function application's AAD app registration.

To make sure that the access token of your web application can be used to authenticate against your function application, you need to add additional login parameters to your web application. To do this, follow the instructions here, but instead set additionalLoginParams to resource=<your-function-app-registration-client-id>.

When a user makes an authenticated request to the web app, a header called X-MS-TOKEN-AAD-ACCESS-TOKEN should be populated, which should be an access token with an audience of your function application's app registration, along with an ID token in the header X-MS-TOKEN-AAD-ID-TOKEN. Make a POST request to .azurewebsites/.auth/login/aad with the payload {"id_token": <id-token>, "access_token": <access-token>}. This will return a session token that you can attach as an X-ZUMO-AUTH header to authenticate requests.

NOTE: The claims in this option will be the claims of the authentication token, which are not the claims of the identity provider as in the first two options. To get the same claims as the other options, set the application setting WEBSITE_AUTH_ZUMO_USE_TOKEN_STORE_CLAIMS to true.
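As an added example (this is not code from the question's author or from the answer, and it is not part of the original page), the following two files show the bearer-token option and the client-directed (X-ZUMO-AUTH) option from the web app's side, plus how the function reads the caller's claims once App Service Authentication ("Easy Auth") has accepted the call. Assumptions, all mine: the web app has Easy Auth with the token store enabled, so X-MS-TOKEN-AAD-ACCESS-TOKEN and X-MS-TOKEN-AAD-ID-TOKEN are injected on authenticated requests; login was configured with additionalLoginParams = resource=<function-app-client-id> as the answer describes; the function app's base URL and the /api/whoami route are placeholders; the function app targets the Azure Functions v2+ in-process model; Newtonsoft.Json is available in both projects; and the function app's Easy Auth forwards the authenticated caller's claims base64-encoded in the X-MS-CLIENT-PRINCIPAL header (standard Easy Auth behaviour). One practitioner check is worth doing before blaming the function: base64-decode the middle segment of the token in X-MS-TOKEN-AAD-ACCESS-TOKEN and confirm its aud claim is the function app registration's client ID. A token minted for the web app's own registration will be rejected by the function app's Easy Auth with a 401.

```csharp
// ---- File 1: ReportController.cs in the ASP.NET MVC 5 web app (Easy Auth, token store enabled) ----
// Added example, not from the original answer. FunctionBaseUrl and "/api/whoami" are placeholders.
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;
using System.Web.Mvc;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

public class ReportController : Controller
{
    private static readonly HttpClient Http = new HttpClient();
    private const string FunctionBaseUrl = "https://<your-function-app>.azurewebsites.net"; // placeholder

    // Option 1 (bearer token): Easy Auth stored the AAD access token it obtained for this user in
    // X-MS-TOKEN-AAD-ACCESS-TOKEN. Because login used resource=<function-app-client-id>, the token's
    // "aud" is the function app's registration, so the function app's Easy Auth accepts it as Bearer.
    public async Task<ActionResult> Bearer()
    {
        string accessToken = Request.Headers["X-MS-TOKEN-AAD-ACCESS-TOKEN"];
        if (string.IsNullOrEmpty(accessToken))
            return new HttpStatusCodeResult(401, "No AAD access token on the request; is the token store enabled?");

        var call = new HttpRequestMessage(HttpMethod.Get, FunctionBaseUrl + "/api/whoami");
        call.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        HttpResponseMessage response = await Http.SendAsync(call);
        return Content(await response.Content.ReadAsStringAsync(), "application/json");
    }

    // Option 3 (client-directed flow): trade id_token + access_token for a function-app Easy Auth
    // session token, then send that session token in X-ZUMO-AUTH.
    public async Task<ActionResult> Zumo()
    {
        string accessToken = Request.Headers["X-MS-TOKEN-AAD-ACCESS-TOKEN"];
        string idToken = Request.Headers["X-MS-TOKEN-AAD-ID-TOKEN"];
        if (string.IsNullOrEmpty(accessToken) || string.IsNullOrEmpty(idToken))
            return new HttpStatusCodeResult(401);

        string loginBody = JsonConvert.SerializeObject(new { id_token = idToken, access_token = accessToken });
        HttpResponseMessage login = await Http.PostAsync(FunctionBaseUrl + "/.auth/login/aad",
            new StringContent(loginBody, Encoding.UTF8, "application/json"));
        login.EnsureSuccessStatusCode();
        // The login response carries the Easy Auth session token as "authenticationToken".
        string sessionToken = (string)JObject.Parse(await login.Content.ReadAsStringAsync())["authenticationToken"];

        var call = new HttpRequestMessage(HttpMethod.Get, FunctionBaseUrl + "/api/whoami");
        call.Headers.Add("X-ZUMO-AUTH", sessionToken);
        HttpResponseMessage response = await Http.SendAsync(call);
        return Content(await response.Content.ReadAsStringAsync(), "application/json");
    }
}

// ---- File 2: WhoAmI.cs in the function app (Azure Functions v2+ in-process model assumed) ----
// Easy Auth rejects unauthenticated callers before the function runs, so the trigger itself can be
// Anonymous. The authenticated caller's claims arrive base64-encoded in X-MS-CLIENT-PRINCIPAL.
using System;
using System.Collections.Generic;
using System.Text;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Newtonsoft.Json.Linq;

public static class WhoAmI
{
    [FunctionName("whoami")]
    public static IActionResult Run(
        [HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = "whoami")] HttpRequest req)
    {
        string principal = req.Headers["X-MS-CLIENT-PRINCIPAL"];
        if (string.IsNullOrEmpty(principal))
            return new UnauthorizedResult(); // the request did not pass through Easy Auth

        return new OkObjectResult(ParseClientPrincipal(principal));
    }

    // Decodes {"auth_typ":"aad","claims":[{"typ":"...","val":"..."}],...} into a typ -> val map.
    // A repeated claim type (e.g. several roles) keeps only the last value; use a list if you need all.
    public static IDictionary<string, string> ParseClientPrincipal(string base64Json)
    {
        string json = Encoding.UTF8.GetString(Convert.FromBase64String(base64Json));
        var claims = new Dictionary<string, string>();
        foreach (JToken claim in JObject.Parse(json)["claims"])
            claims[(string)claim["typ"]] = (string)claim["val"];
        return claims;
    }
}
```

The function deliberately uses AuthorizationLevel.Anonymous rather than a function key: the platform-level Easy Auth check in front of it is what enforces that only callers holding a token for the function app's registration get through, and the claims the function sees are exactly those the answer says become available (the identity provider's claims for options 1 and 2, the session token's claims for option 3 unless WEBSITE_AUTH_ZUMO_USE_TOKEN_STORE_CLAIMS is set).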

Published: 2023-11-03 16:21:49
Source: https://www.elefans.com/category/jswz/34/1555565.html