Register MicroServices in Azure Active Directory (AAD) for Security

Posted 2019-12-12 15:18:18

Question


I have a Service Fabric application (Stateless and Stateful) deployed in a Service Fabric cluster. I am trying to implement security in the applications. The application uses the Active Directory Authentication Library (ADAL) to get a token from Azure AD using the OAuth 2.0 client credential flow, where the client credential is a password. I am able to implement the same scenario in ordinary Web API applications by registering them in the Azure portal. Can anyone tell me how to register a Service Fabric microservice application with a Web API exposed using OWIN? I have difficulties registering the reply URL and sign-on URL, as the URLs are dynamic (for a stateful service: partition id and replica id). I receive unauthorized access while calling the corresponding service. I am not sure what URL has to be registered for a stateful or stateless application when adding the application in Azure Active Directory. Could you please suggest where I'm wrong and what to do to implement it?


Answer 1:


Can anyone tell me how to register a Service Fabric microservice application with a Web API exposed using OWIN? I have difficulties registering the reply URL and sign-on URL, as the URLs are dynamic (for a stateful service: partition id and replica id).

The client credential flow is used for a service or daemon app. There is no need to use the redirect_url when we use the client credential flow to acquire the token. You can register any valid redirect_url. Here is an example using the client credential:

POST https://login.microsoftonline.com/<tenantId>/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&client_id=<clientId>
&client_secret=<clientSecret>
&resource=<app id uri of your web api >

And it is the same when integrating a web API with Azure AD using Azure Service Fabric. Here is an example for your reference:

1. register a web app (app1) used to protect the web API on the Azure portal

2. register a web app (app2) as the client to request the web API

3. grant app1 to app2 from the portal

4. create a Service Fabric application with the Stateless Web API template

5. configure the app.config of the Service Fabric application

<add key="ida:Audience" value="app id Uri of app1" />
<add key="ida:Tenant" value="tenantId" />

6. install the package Microsoft.Owin.Security.ActiveDirectory

Install-Package Microsoft.Owin.Security.ActiveDirectory

7. modify the startup code as below (note: the call to appBuilder.UseWindowsAzureActiveDirectoryBearerAuthentication comes before appBuilder.UseWebApi(config)):

using System.Configuration;
using System.Web.Http;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

public static void ConfigureApp(IAppBuilder appBuilder)
{
    // Configure Web API for self-host.
    HttpConfiguration config = new HttpConfiguration();

    config.Routes.MapHttpRoute(
        name: "DefaultApi",
        routeTemplate: "api/{controller}/{id}",
        defaults: new { id = RouteParameter.Optional }
    );

    // The bearer-token middleware is registered before UseWebApi so that each
    // request is authenticated against Azure AD before it reaches a controller.
    appBuilder.UseWindowsAzureActiveDirectoryBearerAuthentication(
        new WindowsAzureActiveDirectoryBearerAuthenticationOptions
        {
            // Only tokens issued for this app id URI (app1) are accepted.
            Audience = ConfigurationManager.AppSettings["ida:Audience"],
            Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
            TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
            {
                // Issuer check disabled: a token from any Azure AD tenant
                // carrying the matching audience is accepted.
                ValidateIssuer = false
            }
        });

    appBuilder.UseWebApi(config);
}
8. run the Service Fabric application

9. acquire the token using the client credential flow mentioned above (clientId and clientSecret are from app2)

10. request the service published by the Service Fabric application with the access token, and it works well
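As an added illustration (not part of the Stack Overflow answer, and not Microsoft's ADAL or OWIN code), the following Python models both halves of the flow described above: the token request body from the answer's HTTP example, and the checks that the bearer middleware performs from ida:Audience and ida:Tenant. All identifiers (tenant id, app id URI, client id) and the signing secret are constructed placeholders. Azure AD signs access tokens with RS256 keys published at the tenant's discovery endpoint; HS256 with a shared secret stands in here so the block runs with the standard library only, and the claim layout (iss, aud, appid, nbf, exp) mirrors an AAD v1 access token.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import urlencode

# Constructed placeholders: not real tenants, apps or keys.
TENANT_ID = "00000000-0000-0000-0000-00000000aaaa"
API_APP_ID_URI = "https://contoso.example/app1"     # ida:Audience of app1
CLIENT_ID = "11111111-1111-1111-1111-11111111bbbb"  # the app2 registration
SIGNING_SECRET = b"constructed-example-secret"       # stands in for AAD's RS256 key


def client_credentials_body(client_id: str, client_secret: str, resource: str) -> str:
    """Form body of the token request shown in the answer.
    No redirect_uri is part of it, which is why the reply URL does not matter."""
    return urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    })


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(tenant_id: str, audience: str, client_id: str,
                lifetime: int = 3600, now: Optional[int] = None) -> str:
    """Mint a token with the claim layout of an AAD v1 access token (constructed)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": f"https://sts.windows.net/{tenant_id}/",
        "aud": audience,
        "appid": client_id,
        "nbf": now,
        "exp": now + lifetime,
    }
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(payload).encode()))
    sig = hmac.new(SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token: str, audience: str, tenant_id: str,
                   validate_issuer: bool = True, now: Optional[int] = None) -> dict:
    """The checks the bearer middleware applies with ida:Audience / ida:Tenant.
    Raises ValueError (the 401 the asker saw) when any check fails."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, body_b64, sig_b64 = parts
    expected = hmac.new(SIGNING_SECRET, f"{head_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("aud") != audience:
        raise ValueError("audience mismatch")   # issued for a different resource
    if validate_issuer and claims.get("iss") != f"https://sts.windows.net/{tenant_id}/":
        raise ValueError("issuer mismatch")     # minted by another tenant
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token expired or not yet valid")
    return claims


def rejection_reason(token: str, audience: str, tenant_id: str,
                     validate_issuer: bool = True, now: Optional[int] = None) -> Optional[str]:
    """None when the token is accepted, otherwise why it was rejected."""
    try:
        validate_token(token, audience, tenant_id, validate_issuer, now)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(client_credentials_body(CLIENT_ID, "<clientSecret>", API_APP_ID_URI))
    tok = issue_token(TENANT_ID, API_APP_ID_URI, CLIENT_ID)
    print("own tenant, right audience:", rejection_reason(tok, API_APP_ID_URI, TENANT_ID))
    print("wrong audience:", rejection_reason(tok, "https://contoso.example/other", TENANT_ID))
```

The audience check is what turns a token requested with the wrong `resource` into a 401, which is the usual cause of the "unauthorized" the asker reports. The `validate_issuer` switch corresponds to the answer's `ValidateIssuer = false`: with it off, a token minted by a different tenant but carrying the same audience value is accepted, so for a single-tenant API the issuer check is worth leaving on.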


Source: https://stackoverflow.com/questions/40890804/register-microservices-in-azure-active-directory-aad-for-security
