Мобильная версияАутентификация сертификата для доступа к API наряду с аутентификацией OpenID ⇐ C#
-
Anonymous
Аутентификация сертификата для доступа к API наряду с аутентификацией OpenID
I am writing a small application in ASP.Net8 where I use AAD authentication so that I can easily manage access through AAD groups:
builder.Services .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme) .AddMicrosoftIdentityWebApp(builder.Configuration); builder.Services.AddAuthorization(options => { options.AddPolicy("Role_AdminPrivilege_Read", p => { p.RequireClaim("roles","AzureGroup_AdminPrivilege_Read"); }); }); This works fine, Controller can only be accessed by user with a specific policy through AAD groups. However, I also have to create an access to the API for the system account where I must use certificates because in Azure systems cannot be granted permissions like in on-premise AD.
The point is, I don't know how to start because when I add (https://learn.microsoft.com/en-us/aspne ... etcore-8.0):
builder.Services .AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme) .AddCertificate(); my first authentication is not working anymore, but what I want to accomplish is that /api uses certificates, any other routing uses the openID one.
Yesterday I spent some hours googeling but could not find a good example, or maybe my keywords are wrong.
Can someone help me and lead me to the right direction? I think a workaround would be just creating a new application only for the API, but this sound not very clever.
Edit: As written in the comments, adding:
p.AuthenticationSchemes.Add(OpenIdConnectDefaults.AuthenticationScheme);
solved the policies issue, but by adding a certificate authentication I cannot get a separation between openId and certificate:
// Sign-in users with the Microsoft identity platform builder.Services .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme) .AddMicrosoftIdentityWebApp(builder.Configuration); builder.Services.AddSingleton(); // Certificate authentication in ASP.NET Core builder.Services .AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme) .AddCertificate(options => { options.RevocationMode = X509RevocationMode.NoCheck; options.AllowedCertificateTypes = CertificateTypes.All; options.Events = new CertificateAuthenticationEvents { OnCertificateValidated = context => { var validationService = context.HttpContext.RequestServices.GetService(); if (validationService!= null && validationService.ValidateCertificate(context.ClientCertificate)) { Console.WriteLine("Success"); context.Success(); } else { Console.WriteLine("invalid cert"); context.Fail("invalid cert"); } return Task.CompletedTask; } }; }); I use the two authentications. When I do that, openID and all my controller are working, except the API one. When I than add:
builder.Services.Configure( options => { options.ConfigureHttpsDefaults(options => { options.AllowAnyClientCertificate(); options.ClientCertificateMode = ClientCertificateMode.AllowCertificate; }); }); The API part with a certificate works, but not the rest anymore. Is there any way I can say when the route is /api use the certificate way, if not, use non certificate way?
Edit 2: I think the solution is to change ClientCertificateMode to:
ClientCertificateMode.DelayCertificate Edit 3: But then the signin button for MicrosoftIdentity is not working anymore
Источник: https://stackoverflow.com/questions/780 ... entication
I am writing a small application in ASP.Net8 where I use AAD authentication so that I can easily manage access through AAD groups:
builder.Services .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme) .AddMicrosoftIdentityWebApp(builder.Configuration); builder.Services.AddAuthorization(options => { options.AddPolicy("Role_AdminPrivilege_Read", p => { p.RequireClaim("roles","AzureGroup_AdminPrivilege_Read"); }); }); This works fine, Controller can only be accessed by user with a specific policy through AAD groups. However, I also have to create an access to the API for the system account where I must use certificates because in Azure systems cannot be granted permissions like in on-premise AD.
The point is, I don't know how to start because when I add (https://learn.microsoft.com/en-us/aspne ... etcore-8.0):
builder.Services .AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme) .AddCertificate(); my first authentication is not working anymore, but what I want to accomplish is that /api uses certificates, any other routing uses the openID one.
Yesterday I spent some hours googeling but could not find a good example, or maybe my keywords are wrong.
Can someone help me and lead me to the right direction? I think a workaround would be just creating a new application only for the API, but this sound not very clever.
Edit: As written in the comments, adding:
p.AuthenticationSchemes.Add(OpenIdConnectDefaults.AuthenticationScheme);
solved the policies issue, but by adding a certificate authentication I cannot get a separation between openId and certificate:
// Sign-in users with the Microsoft identity platform builder.Services .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme) .AddMicrosoftIdentityWebApp(builder.Configuration); builder.Services.AddSingleton(); // Certificate authentication in ASP.NET Core builder.Services .AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme) .AddCertificate(options => { options.RevocationMode = X509RevocationMode.NoCheck; options.AllowedCertificateTypes = CertificateTypes.All; options.Events = new CertificateAuthenticationEvents { OnCertificateValidated = context => { var validationService = context.HttpContext.RequestServices.GetService(); if (validationService!= null && validationService.ValidateCertificate(context.ClientCertificate)) { Console.WriteLine("Success"); context.Success(); } else { Console.WriteLine("invalid cert"); context.Fail("invalid cert"); } return Task.CompletedTask; } }; }); I use the two authentications. When I do that, openID and all my controller are working, except the API one. When I than add:
builder.Services.Configure( options => { options.ConfigureHttpsDefaults(options => { options.AllowAnyClientCertificate(); options.ClientCertificateMode = ClientCertificateMode.AllowCertificate; }); }); The API part with a certificate works, but not the rest anymore. Is there any way I can say when the route is /api use the certificate way, if not, use non certificate way?
Edit 2: I think the solution is to change ClientCertificateMode to:
ClientCertificateMode.DelayCertificate Edit 3: But then the signin button for MicrosoftIdentity is not working anymore
Источник: https://stackoverflow.com/questions/780 ... entication
