我们有 5 个 REACT 门户和 1 个 Asp:net Core 3.1 API。我们希望对所有门户使用相同的 API。他们都通过 MSAL B2B (react-aad-msal) 进行授权。首先,我试图让一个门户使用一个 API。为此,我有两个 App Reg(AccountRequestPortal 和 AccountAPI)。
App Reg AccountRequestPortal :
请注意,我已授予门户对 API 的访问权限。
API 配置:
// Portal
const msalConfig = {
auth: {
authority: 'https://login.microsoftonline.com/a364eb28-xxx-5b4f7767ad84',
clientId: '03099206-xxx-e31a9ee8dec5',
redirectUri: redirectUri
},
cache: {
cacheLocation: "localStorage",
storeAuthStateInCookie: true
}
};
const authParameters = {
scopes: [
"api://03099206-xxx-e31a9ee8dec5/Read"
]
}
// API
// const msalConfig = {
// auth: {
// authority: 'https://login.microsoftonline.com/a364eb28-e95b-4ad0-a4fb-5b4f7767ad84',
// clientId: '422132b5-xxx-6651f01a1109',
// redirectUri: redirectUri
// },
// cache: {
// cacheLocation: "localStorage",
// storeAuthStateInCookie: true
// }
// };
// const authParameters = {
// scopes: [
// "api://422132b5-xxx-6651f01a1109/Read"
// ]
// }
API 应用程序设置:
{
"Logging": {
"LogLevel": {
"Default": "Information",
"Microsoft": "Warning",
"Microsoft.Hosting.Lifetime": "Information"
}
},
"AllowedHosts": "*",
//API
"AzureAd": {
"ApplicationIdUri": "api://422132b5-xxx-6651f01a1109",
"Authority": "https://login.microsoftonline.com/a364eb28-xxx-5b4f7767ad84/v2.0",
"AuthorizationUrl": "https://login.microsoftonline.com/a364eb28-xxx-5b4f7767ad84/oauth2/v2.0/authorize",
"Instance": "https://login.microsoftonline.com/",
"ClientId": "422132b5-xxx-6651f01a1109",
"Domain": "a364eb28-xxx-5b4f7767ad84",
"TenantId": "a364eb28-xxx-5b4f7767ad84"
}
//PORTAL
//"AzureAd": {
// "ApplicationIdUri": "api://03099206-xxx-e31a9ee8dec5",
// "Authority": "https://login.microsoftonline.com/a364eb28-xxx-5b4f7767ad84/v2.0",
// "AuthorizationUrl": "https://login.microsoftonline.com/a364eb28-xxx-5b4f7767ad84/oauth2/v2.0/authorize",
// "Instance": "https://login.microsoftonline.com/",
// "ClientId": "03099206-xxx-e31a9ee8dec5",
// "Domain": "a364eb28-xxx-5b4f7767ad84",
// "TenantId": "a364eb28-xxx-5b4f7767ad84"
//}
}
如果我选择仅对机器人使用相同的 App Reg,则 API 和门户网站一切正常。但是,如果我选择在两个 AppReg 上划分 API 和 Portal,我会得到 401。即使我已经向 ApiReg 提供了对 Portal AppReg 的访问权限,我是否遗漏了什么?