如何正确配置 ASP.NET Core 5 Swagger 以使用 Azure A/D 授权代码身份验证?

本文介绍了如何正确配置 ASP.NET Core 5 Swagger 以使用 Azure A/D 授权代码身份验证?的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

我正在将我的 ASP.NET Core 5 Web API 安全性从隐式升级到授权代码.身份验证是使用 Azure A/D 完成的，我还需要允许使用 Swagger 文档.

我已经设法让它工作了，但是 client_secret 在我的情况下没用，我想知道我是否做错了什么.我的配置如下:

Azure A/D

重定向 URI:https://localhost:44444/swagger/oauth2-redirect.html
API 权限:Microsoft Graph + 自定义角色 (access_as_user)
令牌:未选中访问令牌和 ID 令牌

appsettings.json

AzureAd":{实例":https://login.microsoftonline.com"，ClientId":xxxxxxxx-xxxxxxxxx"，租户 ID":xxxxxxxx-xxxxxxxxx"},

Startup.cs

services.AddMicrosoftIdentityWebApiAuthentication(Configuration);私有静态无效 AddSwagger(IServiceCollection 服务，AzureAdAuthOptions auth){services.AddSwaggerGen(c =>{c.SwaggerDoc("v1", new OpenApiInfo { Title = "Foo API", Version = "v1", });AddSwaggerDocs_IncludeXmlComments(c);c.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme(){类型 = SecuritySchemeType.OAuth2，流 = 新 OpenApiOAuthFlows(){AuthorizationCode = new OpenApiOAuthFlow(){AuthorizationUrl = new Uri($"{auth.Instance}/{auth.TenantId}/oauth2/v2.0/authorize"),TokenUrl = new Uri($"{auth.Instance}/{auth.TenantId}/oauth2/v2.0/token"),Scopes = { { $"api://{auth.ClientId}/access_as_user", "以用户身份访问";} }}}});c.AddSecurityRequirement(新的OpenApiSecurityRequirement{{新的 OpenApiSecurityScheme{参考 = 新的 OpenApiReference{Type = ReferenceType.SecurityScheme,Id = oauth2"}},新字符串[] { }}});});}

大摇大摆

oauth2(OAuth2，authorizationCode)
应用:Foo - Swagger
授权 URL:
此外，请确保在创建应用程序时选择 Web.
I am upgrading my ASP.NET Core 5 Web API security from implicit to authorization code. The authentication is done using Azure A/D and I also need to allow Swagger docs to be used.
I have managed to make it work, but client_secret is useless in my case and I am wondering if I am doing something wrong. My configuration is as follows:
Azure A/D
- Redirect URIs: https://localhost:44444/swagger/oauth2-redirect.html
- API permissions: Microsoft Graph + custom role (access_as_user)
- Tokens: Access tokens and ID tokens are unchecked
appsettings.json
```
"AzureAd": {
    "Instance": "https://login.microsoftonline.com",
    "ClientId": "xxxxxxxx-xxxxxxxxx",
    "TenantId": "xxxxxxxx-xxxxxxxxx"
},
```
Startup.cs
```
services.AddMicrosoftIdentityWebApiAuthentication(Configuration);

private static void AddSwagger(IServiceCollection services, AzureAdAuthOptions auth)
{
    services.AddSwaggerGen(c =>
    {
        c.SwaggerDoc("v1", new OpenApiInfo { Title = "Foo API", Version = "v1", });
        AddSwaggerDocs_IncludeXmlComments(c);

        c.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme()
        {
            Type = SecuritySchemeType.OAuth2,
            Flows = new OpenApiOAuthFlows()
            {
                AuthorizationCode = new OpenApiOAuthFlow()
                {
                    AuthorizationUrl = new Uri($"{auth.Instance}/{auth.TenantId}/oauth2/v2.0/authorize"),
                    TokenUrl = new Uri($"{auth.Instance}/{auth.TenantId}/oauth2/v2.0/token"),
                    Scopes = { { $"api://{auth.ClientId}/access_as_user", "Access as user" } }
                }
            }
        });

        c.AddSecurityRequirement(new OpenApiSecurityRequirement
        {
            {
                new OpenApiSecurityScheme
                {
                    Reference = new OpenApiReference
                    {
                        Type = ReferenceType.SecurityScheme,
                        Id = "oauth2"
                    }
                },
                new string[] { }
            }
        });
    });
}
```
Swagger
- oauth2 (OAuth2, authorizationCode)
- Application: Foo - Swagger
- Authorization URL: https://login.microsoftonline.com//oauth2/v2.0/authorize
- Token URL: https://login.microsoftonline.com//oauth2/v2.0/token
- client_id: already filled in
- client_secret
Scopes: only one, api://<guid>/access_as_user
If I authorize without the secret, it works correctly. However, if I provide the secret I receive the following error:
I thought the secret is required to make the authentication process more secure, but I do not seem to be able to use it. What am I doing wrong?
Double checked and allowPublicClient is false. I have switched from SPA to Web client, provided the secret, but I receive the following error:
So, it seems that I am stuck with the SPA client when using Swagger UI.
解决方案
This error indicates that your application is a public client application and not a confidential client application. Please see the differences between public client and confidential client applications.
To solve this problem, you only need to modify the application manifest, change allowPublicClient to false.
Also, make sure you select Web when creating the application.

这篇关于如何正确配置 ASP.NET Core 5 Swagger 以使用 Azure A/D 授权代码身份验证?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！