如何使 OAuth2 在 .net 上通过多因素身份验证适用于 Azure Active Directory?

问题描述

我们正在使用 OAuth 2.0Azure Active Directory 上的身份验证代码授权 以对我们的 Web 应用程序中的用户进行身份验证.

We are using OAuth 2.0 auth code grant on Azure Active Directory to authenticate the users in our web application.

这工作没有问题，但现在 AD 维护想要部署多因素身份验证.我们当前的 OAuth 实施与此不符.

This has worked without problems, but now the AD maintenance wants to deploy a multi-factor authentication. Our current OAuth implementation is not in line with that.

这是我们的代码:

public static ActionResult LogOn()
{
    string authorizationUrl = string.Format(
        "https://login.windows.net/{0}/oauth2/authorize?api-version=1.0&response_type=code&response_mode=query&client_id={1}&scope={2}&redirect_uri={3}",
        HttpUtility.UrlEncode(azureActiveDirectoryTenant),
        HttpUtility.UrlEncode(azureActiveDirectoryClientId),
        HttpUtility.UrlEncode("https://graph.microsoft.com/v1.0/me/"),
        HttpUtility.UrlEncode(azureActiveDirectoryCodeRedirectURL) // refers to Code() below
    );

    return new RedirectResult(authorizationUrl, false);
}

public async Task<ActionResult> Code(string code = null, string state = "", string error = null, string error_description = null)
{
    if (String.IsNullOrEmpty(error))
    {
        if (String.IsNullOrWhiteSpace(code))
        {
            return LogOn();
        }
        AuthenticationContext ctx = new AuthenticationContext("https://login.microsoftonline.com/" + azureActiveDirectoryTenant);
        ClientCredential clcred = new ClientCredential(azureActiveDirectoryClientId, azureActiveDirectoryClientKey);
        try
        {
            var ar = await ctx.AcquireTokenByAuthorizationCodeAsync(code, new Uri(azureActiveDirectoryCodeRedirectURL), clcred, "https://graph.windows.net");
            string email = ar.UserInfo.DisplayableId;

            using (WebClient client = new WebClient())
            {
                client.Headers.Add("Authorization", "Bearer " + ar.AccessToken);

                Stream data = client.OpenRead(new Uri("https://graph.windows.net/me?api-version=1.6"));
                StreamReader reader = new StreamReader(data);
                Dictionary<string, dynamic> values = JsonConvert.DeserializeObject<Dictionary<string, dynamic>>(reader.ReadToEnd());
                data.Close();
                reader.Close();

                ... act on values and redirect...
            }
        }
        catch (AdalServiceException ex)
        {
            // We come here!
            ViewBag.ErrorMessage = String.Format("Exception: ErrorCode: {0}, StatusCode: {1}, Message: {2}.", ex.ErrorCode, ex.StatusCode, ex.Message);
            ...
        }
    }
    return View("OAuthError");
}

还有错误信息:

ErrorCode: interaction_required, StatusCode: 400, Message: AADSTS50076: Due
to a configuration change made by your administrator, or because you moved to a
new location, you must use multi-factor authentication to access '00000002-0000-
c000-0000000000000'.

本文档 正在讨论 AAD 的条件访问并提到声明"作为解决方案.

This document is discussing conditional access on AAD and mentions 'claims' as a solution.

如何将声明合并到上面的代码中以使其工作?

How does one incorporate claims to the code above to make it work?

推荐答案

根据 Microsoft 文档:https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-oapx/0fc398ca-88d0-4118-ae60-c3033e396e60

Per Microsoft docs: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-oapx/0fc398ca-88d0-4118-ae60-c3033e396e60

您可以将 amr_values=ngcmfa 添加到授权 URL 以强制执行 MFA.

You can add amr_values=ngcmfa to the authorization URL to force MFA.

您还可以添加 amr_values=mfa 以要求用户已通过 MFA，尽管它可能在不久前发生.

You can also add amr_values=mfa to require that the user has gone through MFA, though it may have happened a while ago.

您还应该检查令牌是否包含mfa"；在 amr 索赔中.(因为用户可以删除参数)

You should also then check that the token does contain "mfa" in the amr claim. (since the user could just remove the parameter)

这篇关于如何使 OAuth2 在 .net 上通过多因素身份验证适用于 Azure Active Directory?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持跟版网！