0

我正在尝试使用 Azure 应用程序代理公开我的本地 API。

我已成功将其配置为使用 Pre-Authentication 设置为Passthrough。当我将预身份验证更改为Azure Active Directory 时,我可以通过浏览器成功访问端点。但是,当我尝试从代码调用本地端点时,我会收到 Microsoft 登录页面的 HTML。成功的请求将返回 JSON 响应。

我正在关注 Microsoft 文章:使用 Azure AD 应用程序代理安全访问本地 API

通过Azure Docs 缺陷,我了解到我必须使用“http://localhost”作为 RedirectUri 的值,并将我的客户端应用程序配置为“移动和桌面应用程序”平台。

这是我的代码:

[Fact]
public async Task Successfully_authenticate_but_cant_access_the_proxy()
{
    // Acquire Access Token from AAD for Proxy Application
    var clientApp = PublicClientApplicationBuilder
        .Create("b510069b-xxxx-xxxx-xxxx-9363xxxxxxxx") //Client Id for Client Application
        .WithRedirectUri("http://localhost") // This must be configured as a "Mobile and desktop applications" platform in the client application
        .WithTenantId("xxxxxx-d4cf-4xxx-xxxx-8dc72cbc00bd") //Not sure if this is needed.
        .WithAuthority("https://login.microsoftonline.com/xxxxxx-d4cf-4xxx-xxxx-8dc72cbc00bd")
        .Build();

    AuthenticationResult authResult;
    var accounts = await clientApp.GetAccountsAsync();
    var account = accounts.FirstOrDefault();

    IEnumerable<string> scopes = new string[] {"https://endpoints-xxx.msappproxy.net/user_impersonation"};

    try
    {
        authResult = await clientApp.AcquireTokenSilent(scopes, account).ExecuteAsync();
    }
    catch (MsalUiRequiredException ex)
    {
        authResult = await clientApp.AcquireTokenInteractive(scopes).ExecuteAsync();                
    }

    if (authResult != null)
    {
        //Use the Access Token to access the Proxy Application
        var httpClient = new HttpClient();
        httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
        var response = await httpClient.GetAsync("https://endpoints-xxx.msappproxy.net");

        //Failing here. I'm receiving the HTML for the Sign-In page. I'm expecting a response with JSON.
        var responseValue = await response.Content.ReadAsStringAsync();
    }
}

有没有人通过 Azure 应用程序代理和 Azure Active Directory 成功访问本地端点?

4

1 回答 1

0

我向 Microsoft 开了一张票,他们能够确定问题所在。

范围需要在域名后添加第二个斜杠“/”:

IEnumerable<string> scopes = new string[] {"https://endpoints-xxx.msappproxy.net//user_impersonation"};

完整的代码如下所示:

[Fact]
public async Task Successfully_authenticate_but_cant_access_the_proxy()
{
    // Acquire Access Token from AAD for Proxy Application
    var clientApp = PublicClientApplicationBuilder
        .Create("b510069b-xxxx-xxxx-xxxx-9363xxxxxxxx") //Client Id for Client Application
        .WithRedirectUri("http://localhost") // This must be configured as a "Mobile and desktop applications" platform in the client application
        .WithTenantId("xxxxxx-d4cf-4xxx-xxxx-8dc72cbc00bd") //Not sure if this is needed.
        .WithAuthority("https://login.microsoftonline.com/xxxxxx-d4cf-4xxx-xxxx-8dc72cbc00bd")
        .Build();

    AuthenticationResult authResult;
    var accounts = await clientApp.GetAccountsAsync();
    var account = accounts.FirstOrDefault();

    IEnumerable<string> scopes = new string[] {"https://endpoints-xxx.msappproxy.net//user_impersonation"};

    try
    {
        authResult = await clientApp.AcquireTokenSilent(scopes, account).ExecuteAsync();
    }
    catch (MsalUiRequiredException ex)
    {
        authResult = await clientApp.AcquireTokenInteractive(scopes).ExecuteAsync();                
    }

    if (authResult != null)
    {
        //Use the Access Token to access the Proxy Application
        var httpClient = new HttpClient();
        httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
        var response = await httpClient.GetAsync("https://endpoints-xxx.msappproxy.net");

        //Failing here. I'm receiving the HTML for the Sign-In page. I'm expecting a response with JSON.
        var responseValue = await response.Content.ReadAsStringAsync();
    }
}
于 2021-05-11T17:54:11.833 回答