How to configure Azure AD authentication for an on-premise web app
Question
I need help to configure Azure AD authentication for an existing on-premise web application (ASP.NET MVC).
Each client has its own installation (own database and own server).
What we want to do:
- give the possibility to use the Microsoft account to log in to the application (many clients manage company accounts with Microsoft Azure AD)
- minimize customer configuration
Our idea is to proceed in this way:
- register a multi-tenant application in our Azure AD enabled to support all account types (organizations and private individuals)
- use these parameters to connect the web app:
  - client ID: id of the application in our Azure AD
  - instance: https://login.microsoftonline.com/
  - tenant ID: common
Expected result:
- clients can log in with their own Microsoft account: the AAD application supports all account types
- after credentials validation, Azure creates a service principal in the client's Azure with all the rules needed to read the user info
- no security problems: the AAD application is in our Azure but the security principal lives in the client's Azure (each on-premise web app installation creates a security principal, if used)
Questions:
- Is this the right way to proceed?
- How can we configure the redirect URL parameter? We need to redirect the user to the home page of the web app but the URL is different for each installation.
Answer 1
Score: 0
Yes, you are right. To support all account types, create an Azure AD multi-tenant application like below:
To read the user information, grant the API permission:
> How can we configure the redirect URL parameter? We need to redirect the user to the home page of the web app but the URL is different for each installation.
You can set a dynamic redirect URL in Azure AD, but it doesn't support an application registered as "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts". Refer to the Microsoft Q&A by AmanpreetSingh-MSFT and this MSDoc.
Hence, you can add multiple static redirect URIs in the Authentication tab like below:
To authenticate the users, you can make use of the authorize endpoint below:
```
https://login.microsoftonline.com/common/oauth2/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/User.Read
&state=12345
```
Once the other tenant's user consents, the auth code will be generated like below:
Now, this **MultiTenantApp** will be registered as a service principal in the user's tenant:
I generated the access token by using the parameters below via Postman:
```
https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id:ClientID
grant_type:authorization_code
scope:https://graph.microsoft.com/User.Read
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret
```
By using the above access token, one is able to fetch the signed-in user details:
```
https://graph.microsoft.com/v1.0/me
```
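The authorization-code exchange the answer walks through, as an added worked example (it is not code from the question, the answer, or Microsoft). It uses only the Python standard library and the v2.0 endpoints for both the authorize and the token leg. Two things it adds beyond the answer's raw URL are a per-login `state` value that is checked when the browser comes back, and a PKCE verifier/challenge pair; both are supported by the Microsoft identity platform. The per-installation redirect URIs, the sample callback URL and the unsigned sample `id_token` are constructed for illustration, and `ClientID` / `ClientSecret` are the same placeholders the answer uses.

```python
"""Added example of the flow described in the answer; not code from the page or from
Microsoft. Standard library only; sample values below are constructed for the demo."""
import base64
import hashlib
import json
import secrets
import urllib.parse

AUTHORITY = "https://login.microsoftonline.com/common"  # "common": any org or personal account
CLIENT_ID = "ClientID"      # placeholder as in the answer: the app's Application (client) ID
SCOPE = "https://graph.microsoft.com/User.Read"

# One static redirect URI per customer installation, each added in the app registration's
# Authentication tab (the answer's workaround). Constructed sample values.
REGISTERED_REDIRECT_URIS = {
    "https://customer-a.example/signin-oidc",
    "https://customer-b.example/signin-oidc",
}


def new_pkce_pair():
    """Return (code_verifier, code_challenge) for PKCE with the S256 method."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(redirect_uri, state, code_challenge):
    """Build the authorize request; redirect_uri must match a registered value exactly."""
    if redirect_uri not in REGISTERED_REDIRECT_URIS:
        raise ValueError(f"redirect_uri is not registered: {redirect_uri}")
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": SCOPE,
        "state": state,                      # random per login; checked on the way back
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urllib.parse.urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Extract the auth code from the redirect; reject a missing or mismatched state."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if "error" in query:
        raise RuntimeError(query.get("error_description", query["error"])[0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale login attempt")
    return query["code"][0]


def token_request_body(code, redirect_uri, code_verifier, client_secret):
    """Form body for POST {AUTHORITY}/oauth2/v2.0/token (the Postman call in the answer)."""
    return {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "scope": SCOPE,
        "code": code,
        "redirect_uri": redirect_uri,    # must equal the value sent in the authorize request
        "code_verifier": code_verifier,
        "client_secret": client_secret,
    }


def tenant_of(id_token):
    """Read the tid claim of an id_token. This only decodes the payload; a real app validates
    the signature against the issuer's published keys before trusting any claim."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))["tid"]


def tenant_allowed(id_token, allowed_tenant_ids):
    """With "common" any tenant can sign in, so each installation decides which tenants it
    trusts (for example the customer's own tenant ID) before creating a session."""
    return tenant_of(id_token) in allowed_tenant_ids


# Constructed sample id_token (header alg "none", no signature) for the demo only.
_SAMPLE_CLAIMS = {"tid": "11111111-1111-1111-1111-111111111111",
                  "preferred_username": "alice@customer-a.example"}
SAMPLE_ID_TOKEN = "eyJhbGciOiJub25lIn0." + base64.urlsafe_b64encode(
    json.dumps(_SAMPLE_CLAIMS).encode()).rstrip(b"=").decode() + "."


if __name__ == "__main__":
    redirect = "https://customer-a.example/signin-oidc"
    state = secrets.token_urlsafe(16)
    verifier, challenge = new_pkce_pair()
    print(build_authorize_url(redirect, state, challenge))
    # Constructed callback, as the browser would deliver it after the user consents.
    code = parse_callback(f"{redirect}?code=AUTHCODE&state={state}", state)
    print(token_request_body(code, redirect, verifier, "ClientSecret"))
    print("tenant allowed:", tenant_allowed(SAMPLE_ID_TOKEN, {_SAMPLE_CLAIMS["tid"]}))
```

The exact-match check in `build_authorize_url` mirrors what Azure AD itself enforces against the registered list, which is why the answer's "one static redirect URI per installation" approach works: the installation picks its own registered URI, nothing is computed from request headers. The `tenant_allowed` step is the part the question's "no security problems" bullet glosses over: with `common`, any Azure AD or personal account can complete the sign-in, so the installation must still decide, from the validated `tid` claim, whose users it accepts.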