0

我们有 5 个 REACT 门户和 1 个 Asp:net Core 3.1 API。我们希望对所有门户使用相同的 API。他们都通过 MSAL B2B (react-aad-msal) 进行授权。首先,我试图让一个门户使用一个 API。为此,我有两个 App Reg(AccountRequestPortal 和 AccountAPI)。

App Reg AccountRequestPortal : 在此处输入图像描述

在此处输入图像描述

帐户API: 在此处输入图像描述

在此处输入图像描述

请注意,我已授予门户对 API 的访问权限。

API 配置:

// Portal 
const msalConfig = {
  auth: {
    authority: 'https://login.microsoftonline.com/a364eb28-xxx-5b4f7767ad84',
    clientId: '03099206-xxx-e31a9ee8dec5',
    redirectUri: redirectUri
  },
  cache: {
    cacheLocation: "localStorage",
    storeAuthStateInCookie: true
  }
};

const authParameters = {
  scopes: [
    "api://03099206-xxx-e31a9ee8dec5/Read"
  ]
}

// API
// const msalConfig = {
//   auth: {
//     authority: 'https://login.microsoftonline.com/a364eb28-e95b-4ad0-a4fb-5b4f7767ad84',
//     clientId: '422132b5-xxx-6651f01a1109',
//     redirectUri: redirectUri
//   },
//   cache: {
//     cacheLocation: "localStorage",
//     storeAuthStateInCookie: true
//   }
// };

// const authParameters = {
//   scopes: [
//     "api://422132b5-xxx-6651f01a1109/Read"
//   ]
// }

API 应用程序设置:

{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
    }
  },
  "AllowedHosts": "*",
  //API
  "AzureAd": {
    "ApplicationIdUri": "api://422132b5-xxx-6651f01a1109",
    "Authority": "https://login.microsoftonline.com/a364eb28-xxx-5b4f7767ad84/v2.0",
    "AuthorizationUrl": "https://login.microsoftonline.com/a364eb28-xxx-5b4f7767ad84/oauth2/v2.0/authorize",
    "Instance": "https://login.microsoftonline.com/",
    "ClientId": "422132b5-xxx-6651f01a1109",
    "Domain": "a364eb28-xxx-5b4f7767ad84",
    "TenantId": "a364eb28-xxx-5b4f7767ad84"
  }
  //PORTAL
  //"AzureAd": {
  //  "ApplicationIdUri": "api://03099206-xxx-e31a9ee8dec5",
  //  "Authority": "https://login.microsoftonline.com/a364eb28-xxx-5b4f7767ad84/v2.0",
  //  "AuthorizationUrl": "https://login.microsoftonline.com/a364eb28-xxx-5b4f7767ad84/oauth2/v2.0/authorize",
  //  "Instance": "https://login.microsoftonline.com/",
  //  "ClientId": "03099206-xxx-e31a9ee8dec5",
  //  "Domain": "a364eb28-xxx-5b4f7767ad84",
  //  "TenantId": "a364eb28-xxx-5b4f7767ad84"
  //}
}

如果我选择仅对机器人使用相同的 App Reg,则 API 和门户网站一切正常。但是,如果我选择在两个 AppReg 上划分 API 和 Portal,我会得到 401。即使我已经向 ApiReg 提供了对 Portal AppReg 的访问权限,我是否遗漏了什么?

4

1 回答 1

0

根据您的描述,您想使用客户端应用程序AccountRequestPortal调用 API AccountAPI

如果是这样,您需要在AccountAPI应用程序中公开 API 范围,而不是AccountRequestPortal应用程序。然后在AccountRequestPortal应用程序-> API permissions->添加通过->授予管理员同意公开的API权限AccountAPI,如我所见,您做了相反的事情,这是不正确的。

从截图来看,application idAccountRequestPortal03099206-xxx-e31a9ee8dec5AccountAPI422132b5-xxx-6651f01a1109如果是的话,配置应该是:

const msalConfig = {
  auth: {
    authority: 'https://login.microsoftonline.com/a364eb28-xxx-5b4f7767ad84',
    clientId: '03099206-xxx-e31a9ee8dec5',
    redirectUri: redirectUri
  },
  cache: {
    cacheLocation: "localStorage",
    storeAuthStateInCookie: true
  }
};

const authParameters = {
  scopes: [
    "api://422132b5-xxx-6651f01a1109/Read"
  ]
}

app.settings 应该是:

{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
    }
  },
  "AllowedHosts": "*",
  "AzureAd": {
    "ApplicationIdUri": "api://422132b5-xxx-6651f01a1109",
    "Authority": "https://login.microsoftonline.com/a364eb28-xxx-5b4f7767ad84/v2.0",
    "AuthorizationUrl": "https://login.microsoftonline.com/a364eb28-xxx-5b4f7767ad84/oauth2/v2.0/authorize",
    "Instance": "https://login.microsoftonline.com/",
    "ClientId": "03099206-xxx-e31a9ee8dec5",
    "Domain": "a364eb28-xxx-5b4f7767ad84",
    "TenantId": "a364eb28-xxx-5b4f7767ad84"
  }
}
于 2020-08-03T06:10:48.837 回答