我们可以使用我们的网站SSL证书来保护我们的Azure Active Directory应用程序吗?

huangapple go评论62阅读模式
英文:

Can we use our website SSL certificate to secure our Azure Active Directory App

问题

我使用Visual Studio 2022创建了一个新的ASP.NET Core 6.0 MVC Web应用程序,并定义它以使用Azure AD进行身份验证,如下所示:

然后,我被要求创建一个拥有的应用程序,所以我创建了一个名为"ad"的应用程序,如下所示:

在我的应用程序的appsetting.json中,我有以下设置:

{
    "AzureAd": {
        "Instance": "https://login.microsoftonline.com/",
        "Domain": "*****",
        "TenantId": "***",
        "ClientId": "***",
        "CallbackPath": "/signin-oidc"
    },
    ....
}

看起来Visual Studio为我们完成了所有工作。

但当我在Azure门户中检查生成的Azure AD应用程序的"证书和秘密"时,我发现没有分配任何内容:

所以现在我们要上传一个证书(.crt文件),但我有以下问题:

  1. 现在上面的ASP.NET Core MVC Web应用程序已经购买了GoDaddy的SSL证书,所以我们可以在我们的Azure活动目录应用程序中使用这个证书吗?

  2. 此外,在我们的Azure活动目录应用程序中上传证书之后,我们是否需要从我们的Web应用程序传递证书的Thumbprint?如果答案是肯定的,那么我需要做什么,我们需要修改身份平台代码吗?

英文:

I created a new ASP.NET Core 6.0 MVC web application using Visual Studio 2022, and I define it to use Azure AD for authentication, as follows:

我们可以使用我们的网站SSL证书来保护我们的Azure Active Directory应用程序吗?

我们可以使用我们的网站SSL证书来保护我们的Azure Active Directory应用程序吗?

Then I was asked to create an owned application, so I created one named "ad" as follows:

我们可以使用我们的网站SSL证书来保护我们的Azure Active Directory应用程序吗?

我们可以使用我们的网站SSL证书来保护我们的Azure Active Directory应用程序吗?

Inside my application's appsetting.json I have these settings:

{
    "AzureAd": {
        "Instance": "https://login.microsoftonline.com/",
        "Domain": "*****",
        "TenantId": "***",
        "ClientId": "***",
        "CallbackPath": "/signin-oidc"
    },
    ....
}

It seems Visual Studio did all the work for us.

But when I checked the "Certificate & Secrets" in the Azure portal for the generated Azure AD APP, I found that there is not anything assigned:

我们可以使用我们的网站SSL证书来保护我们的Azure Active Directory应用程序吗?

So now we are going to upload a certificate (.crt file), but i have those questions:-

  1. Now the above ASP.NET Core MVC web application already have SSL certificate bought from Go-daddy, so can we use this certificate also inside our Azure Active directory App ?

  2. Also, after uploading a certificate inside our Azure Active Directory App >> do we need to pass the certificate Thumbprint from our web application ? if the answer is yes, then what i need to do exactly , do we need to modify the Identity platfrom code?

答案1

得分: 1

I understand your instructions.

英文:

If you used VS to integrate AAD and create resource for you, then the appsettings.json file should look like this. And it's also OK to add configurations manually.

{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "xxx.onmicrosoft.com",
    "TenantId": "tenant_id",
    "ClientId": "client_id",
    "CallbackPath": "/signin-oidc",
    "ClientSecret": "Client secret from app-registration. Check user secrets/azure portal.",
    //"ClientCertificates": []//I comment this line
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*",
  "MicrosoftGraph": {
    "BaseUrl": "https://graph.microsoft.com/v1.0",
    "Scopes": "user.read"
  }
}

=============================================================

Firstly, the client secret is used for calling API, for example Ms graph API. Then in this answer, I demonstrate how to integrate Graph API in the APP, then you can get the client secret which is already generated for you.

我们可以使用我们的网站SSL证书来保护我们的Azure Active Directory应用程序吗?

After finishing all these steps, your project has already set up, going to Program.cs you can see code below, and it already read the configurations including the secret.

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
        .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
            .AddMicrosoftGraph(builder.Configuration.GetSection("MicrosoftGraph"))
            .AddInMemoryTokenCaches();

but you still need to go to appsettings.json to paste the client secret into "ClientSecret": "Client secret from app-registration. Check user secrets/azure portal.",. You'd better to comment "ClientCertificates": [] because you are using secret but not certificate.

By the way, the client secret can exist several valid secret at the same time, this is designed for avoid app crash because of secret expired. So you can have 2 client secrets, if one of the secret is about to expire, you can create a new one in Azure AD then paste the secret value into your project. This means, for example, you used the Visual Studio to generate the secret, but you didn't store the secret, you also create another secret manually in Azure portal and use it in your app.

答案2

得分: 0

要使用证书对Azure AD应用进行身份验证,您需要一个符合以下要求的X.509证书:

  • 具有2048位或更长的密钥。强烈建议使用2048位大小,以获得最佳的安全性和性能组合。
  • 使用RSA加密算法。Azure AD目前仅支持RSA。
  • 使用SHA256哈希算法进行签名。Azure AD还支持使用SHA384和SHA512哈希算法签名的证书。

您将需要联系GoDaddy,看看他们是否可以颁发符合上述要求的证书。

是的,您将需要传递证书的指纹。请记住,这可以在请求访问令牌时单独使用,也可以与id令牌一起使用(混合流):

配置您的ASP.NET应用程序的步骤如下:

appsettings.json
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "alfredorevillaatmsft.com",
    "TenantId": "22a84c88-253a-4025-a5c4-e0dc365b8d17",
    "ClientId": "efd38bbf-562c-4cc7-ba4d-2191b3931c95",
    "CallbackPath": "/signin-oidc"
  },
  "DownstreamApi": {
    "Scopes": "user.read" 
  }
}
Program.cs
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

var initialScopes = builder.Configuration["DownstreamApi:Scopes"]?.Split(' ');

// 将服务添加到容器中。
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
        .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
            .AddInMemoryTokenCaches();

如何获取访问令牌的步骤如下:

[AuthorizeForScopes(Scopes = new[] { "user.read" })]
public async Task<IActionResult> Profile()
{
 // 获取访问令牌。
 string[] scopes = new string[]{"user.read"};
 string accessToken = await tokenAcquisition.GetAccessTokenForUserAsync(scopes);
 // 使用访问令牌调用受保护的Web API。
 // ...
}

要获取更多信息,请查看场景:对用户进行身份验证并调用Web API的Web应用程序。有关混合流示例,请查看此示例

英文:

To authenticate against an Azure AD app using a certificate you need an X.509 cert that:

  • Has 2048-bit or longer keys. 2048-bit size is highly recommended for the best combination of security and performance.
  • Uses the RSA cryptographic algorithm. Azure AD currently supports only RSA.
  • Is signed with the SHA256 hash algorithm. Azure AD also supports certificates signed with SHA384 and SHA512 hash algorithms.

You will have to reach GoDaddy to see if they can issue certificates that follow the aforementioned requirements.

And yes, you will need to pass the certificate thumbprint. Keep in mind this can be used when requesting an access token alone or in tandem with an id token (hybrid flow):

Follows how to configure your ASP.NET application:

appsettings.json
{
  &quot;AzureAd&quot;: {
    &quot;Instance&quot;: &quot;https://login.microsoftonline.com/&quot;,
    &quot;Domain&quot;: &quot;alfredorevillaatmsft.com&quot;,
    &quot;TenantId&quot;: &quot;22a84c88-253a-4025-a5c4-e0dc365b8d17&quot;,
    &quot;ClientId&quot;: &quot;efd38bbf-562c-4cc7-ba4d-2191b3931c95&quot;,
    &quot;CallbackPath&quot;: &quot;/signin-oidc&quot;
  },
  &quot;DownstreamApi&quot;: {
    &quot;Scopes&quot;: &quot;user.read&quot; 
  }
}
Program.cs
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

var initialScopes = builder.Configuration[&quot;DownstreamApi:Scopes&quot;]?.Split(&#39; &#39;);

// Add services to the container.
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection(&quot;AzureAd&quot;))
        .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
            .AddInMemoryTokenCaches();

And how to acquire an access token:

[AuthorizeForScopes(Scopes = new[] { &quot;user.read&quot; })]
public async Task&lt;IActionResult&gt; Profile()
{
 // Acquire the access token.
 string[] scopes = new string[]{&quot;user.read&quot;};
 string accessToken = await tokenAcquisition.GetAccessTokenForUserAsync(scopes);
 // Use the access token to call a protected web API.
 // ...
}

For more information take a look to Scenario: A web app that authenticates users and calls web APIs. For a hybrid flow sample take a look at this sample.

huangapple
  • 本文由 发表于 2023年2月6日 05:26:54
  • 转载请务必保留本文链接:https://go.coder-hub.com/75355636.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定