通过启用Azure目录的Azure代理访问本地API
我正在尝试使用Azure应用程序代理公开我的本地API。
我已经成功地将其配置为与设置为Passthrough的预身份验证一起使用。当我将预身份验证更改为Azure Active Directory时,我可以通过浏览器成功访问endpoint。然而,当我尝试从代码中调用本地endpoint时,我会收到Microsoft登录页面的HTML。成功的请求将返回JSON响应。
我正在关注一篇Microsoft文章:使用Azure AD Application Proxy安全访问本地API
通过Azure Docs缺陷,我了解到我必须使用“http://localhost”作为ReDirectUri的值,并将我的客户端应用程序配置为“移动和桌面应用程序”平台。
这是我的代码:
[Fact]
public async Task Successfully_authenticate_but_cant_access_the_proxy()
{
// Acquire Access Token from AAD for Proxy Application
var clientApp = PublicClientApplicationBuilder
.Create("b510069b-xxxx-xxxx-xxxx-9363xxxxxxxx") //Client Id for Client Application
.WithRedirectUri("http://localhost") // This must be configured as a "Mobile and desktop applications" platform in the client application
.WithTenantId("xxxxxx-d4cf-4xxx-xxxx-8dc72cbc00bd") //Not sure if this is needed.
.WithAuthority("https://login.microsoftonline.com/xxxxxx-d4cf-4xxx-xxxx-8dc72cbc00bd")
.Build();
AuthenticationResult authResult;
var accounts = await clientApp.GetAccountsAsync();
var account = accounts.FirstOrDefault();
IEnumerable<string> scopes = new string[] {"https://endpoints-xxx.msappproxy.net/user_impersonation"};
try
{
authResult = await clientApp.AcquireTokenSilent(scopes, account).ExecuteAsync();
}
catch (MsalUiRequiredException ex)
{
authResult = await clientApp.AcquireTokenInteractive(scopes).ExecuteAsync();
}
if (authResult != null)
{
//Use the Access Token to access the Proxy Application
var httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
var response = await httpClient.GetAsync("https://endpoints-xxx.msappproxy.net");
//Failing here. I'm receiving the HTML for the Sign-In page. I'm expecting a response with JSON.
var responseValue = await response.Content.ReadAsStringAsync();
}
}
是否有人通过Azure Active Directory的Azure应用程序代理成功访问本地endpoint?
共有1个答案
我在微软开了一张票,他们能够发现这个问题。
范围需要在域名后的第二个斜杠“/”:
IEnumerable<string> scopes = new string[] {"https://endpoints-xxx.msappproxy.net//user_impersonation"};
完整的代码如下所示:
[Fact]
public async Task Successfully_authenticate_but_cant_access_the_proxy()
{
// Acquire Access Token from AAD for Proxy Application
var clientApp = PublicClientApplicationBuilder
.Create("b510069b-xxxx-xxxx-xxxx-9363xxxxxxxx") //Client Id for Client Application
.WithRedirectUri("http://localhost") // This must be configured as a "Mobile and desktop applications" platform in the client application
.WithTenantId("xxxxxx-d4cf-4xxx-xxxx-8dc72cbc00bd") //Not sure if this is needed.
.WithAuthority("https://login.microsoftonline.com/xxxxxx-d4cf-4xxx-xxxx-8dc72cbc00bd")
.Build();
AuthenticationResult authResult;
var accounts = await clientApp.GetAccountsAsync();
var account = accounts.FirstOrDefault();
IEnumerable<string> scopes = new string[] {"https://endpoints-xxx.msappproxy.net//user_impersonation"};
try
{
authResult = await clientApp.AcquireTokenSilent(scopes, account).ExecuteAsync();
}
catch (MsalUiRequiredException ex)
{
authResult = await clientApp.AcquireTokenInteractive(scopes).ExecuteAsync();
}
if (authResult != null)
{
//Use the Access Token to access the Proxy Application
var httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
var response = await httpClient.GetAsync("https://endpoints-xxx.msappproxy.net");
//Failing here. I'm receiving the HTML for the Sign-In page. I'm expecting a response with JSON.
var responseValue = await response.Content.ReadAsStringAsync();
}
}
-
我无法访问托管密钥库中的存储帐户密钥。下面是我的代码: 似乎$secret.secretValueText为空/null。如何正确检索存储帐户密钥?这就是出现的错误。
-
这个问题与:在java中使用Azure Service Bus相关-之前的一个问题涉及使用ACS连接信息获取ServiceBusContract。 我的问题不同,因为我试图使用从Azure门户获取的SAS连接信息来实现这一点,例如类似于以下内容的SAS信息: 名称RootManageSharedAccessKey CONNECTION STRING Endpoint=sb://jasper.ser
-
我有一个Azure blob存储帐户,该帐户仅对选定的网络进行防火墙保护。我想从运行在动态计划上的函数应用访问此存储帐户,我知道该动态计划的出站IP地址。问题是,我将这些出站IP添加到blob存储的防火墙和虚拟网络设置中允许的IP地址中,但我仍然继续收到以下错误: 此请求无权执行此操作。 有人能指出我哪里出错了吗? N、 B.我使用PythonSDK访问带有帐户名和帐户密钥的blob存储!
-
我试图通过AzureAD使用OAuth2保护APIM API的安全,方法是阅读文章:使用OAuth 2.0 authorization with Azure AD保护Azure API管理中的web API后端 Azureapim-Oauth2 授权终结点URL(v1):https://login.microsoftonline.com/{tenant}/oauth2/authorize 令牌终结
-
我有一个带有Web触发器endpoint的Azure函数设置,我想将其用作React应用程序的后端。没有身份验证设置,它工作正常。当我使用AD设置应用服务身份验证时,当我直接通过浏览器访问时(身份验证后),它工作正常,但当我尝试从提供承载令牌的JS访问时,我得到了401。 客户端应用程序正在Azure上运行,并已注册为Azure AD应用程序。我能够成功地验证、查询AD和使用MS Graph AP
-
我正在尝试从运行在我的Azure批处理节点池中的VM访问我的Azure密钥库中的机密。 然而,我总是遇到例外: 异常消息:已尝试%1个证书。无法获取访问令牌。 具有指纹的证书#1的异常my-thumbprint:密钥集不存在 到目前为止,我一直遵循以下说明:https://docs.microsoft.com/en-us/Azure/key-vault/service-to-service-aut