多租户Azure AD身份验证权限错误

Question

多租户Azure AD身份验证权限错误

c#asp.net-mvcazureazure-active-directoryazure-ad-graph-api

3

我刚接触Azure AD身份验证。我在Azure中创建了一个应用程序，并将其设置为多租户，并设置了以下权限：

登录并读取用户配置文件
读取目录数据

这是我的Startup.Auth.cs代码：

public partial class Startup
    {
        private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
        private string appKey = ConfigurationManager.AppSettings["ida:ClientSecret"];
        private string graphResourceID = "https://graph.windows.net";
        private static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
        private string authority = aadInstance + "common";
        private ApplicationDbContext db = new ApplicationDbContext();

        public void ConfigureAuth(IAppBuilder app)
        {

            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions { });

            app.UseOpenIdConnectAuthentication(
                new OpenIdConnectAuthenticationOptions
                {
                    ClientId = clientId,
                    Authority = authority,
                    TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
                    {
                        // instead of using the default validation (validating against a single issuer value, as we do in line of business apps), 
                        // we inject our own multitenant validation logic
                        ValidateIssuer = false,
                    },
                    Notifications = new OpenIdConnectAuthenticationNotifications()
                    {
                        SecurityTokenValidated = (context) => 
                        {
                            return Task.FromResult(0);
                        },
                        AuthorizationCodeReceived = (context) =>
                        {
                            var code = context.Code;

                            ClientCredential credential = new ClientCredential(clientId, appKey);
                            string tenantID = context.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
                            string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;

                            AuthenticationContext authContext = new AuthenticationContext(aadInstance + tenantID, new ADALTokenCache(signedInUserID));
                            AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(
                                code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, graphResourceID);

                            return Task.FromResult(0);
                        },
                        AuthenticationFailed = (context) =>
                        {
                            context.OwinContext.Response.Redirect("/Home/Error");
                            context.HandleResponse(); // Suppress the exception
                            return Task.FromResult(0);
                        }
                    }
                });

        }
    }

但是当我尝试运行应用程序并登录时，它会给我错误提示。

    You can't access this application 
    XXXXXXX needs permission to access resources in your organization that only an admin can grant. 
    Please ask an admin to grant permission to this app before you can use it.

    Have an admin account? Sign in with that account 
    Return to the application without granting consent

- user3881465

1个回答

网页内容由stack overflow 提供, 点击上面的

可以查看英文原文，
原文链接

- Venkata Dorisala · Accepted Answer

首先，管理员必须先授予权限，以便其他用户能够访问资源。请尝试以下步骤：

以管理员身份登录门户
转到你的应用程序注册信息页面
单击“所需权限”
在权限选项卡上方，单击“授予权限”链接。
阅读确认信息，然后单击“确定”。

现在尝试使用非管理员用户登录。

希望this article对你有所帮助。