【发布时间】:2018-11-17 17:40:28
【问题描述】:
我正在尝试通过 http rest api (https://docs.microsoft.com/en-us/rest/api/mysql/) 连接到我的 Azure Mysql,但没有成功。问题是我无法从我的 Web 应用程序中获取 JSON Web 令牌。情况:
Azure Web App ----- rest api ----> Azure MySql
我想我需要在活动目录中“注册”这个 Mysql Server 资源,但似乎我做不到。
我遵循了本教程 (https://blogs.msdn.microsoft.com/jpsanders/2017/03/17/accessing-azure-app-services-using-azure-ad-bearer-token-2) 但我遇到了同样的问题:我无法在 Azure Active Directory 中注册 MySql。
那么,我怎样才能为 Mysql HTTP REST API 获取 JSON Web Token?
谢谢!
-------- MYSQL 资源(不是 MYSQL SERVER)的 AD 专有角色 -- - - - - - - - - 代码 - - - - - - - - - - - - - - - - - -------------
//
// https://blogs.msdn.microsoft.com/jpsanders/2017/03/17/accessing-azure-app-services-using-azure-ad-bearer-token-2/
//
public static class AzureActiveDirectory
{
// the AD Authority used for login. For example: https://login.microsoftonline.com/myadnamehere.onmicrosoft.com
public static string authority = "";
// the Application ID of this app. This is a guid you can get from the Advanced Settings of your Auth setup in the portal
public static string clientId = "";
// the key you generate in Azure Active Directory for this application
public static string clientSecret = "";
// the Application ID of the app you are going to call.This is a guid you can get from the Advanced Settings of your Auth setup for the targetapp in the portal
public static string resource = "";
static public async Task<AuthenticationResult> GetS2SAccessTokenForProdMSAAsync()
{
var task = await GetS2SAccessToken(authority, resource, clientId, clientSecret);
return task;
}
static async Task<AuthenticationResult> GetS2SAccessToken(string authority, string resource, string clientId, string clientSecret)
{
var clientCredential = new ClientCredential(clientId, clientSecret);
AuthenticationContext context = new AuthenticationContext(authority, false);
AuthenticationResult authenticationResult = await context.AcquireTokenAsync(
resource, // the resource (app) we are going to access with the token
clientCredential); // the client credentials
return authenticationResult;
}
}
AzureActiveDirectory.authority = "https://login.microsoftonline.com/********/";
AzureActiveDirectory.clientId = "********";
AzureActiveDirectory.clientSecret = "********";
AzureActiveDirectory.resource = "https://management.azure.com/";
try
{
AuthenticationResult token = await AzureActiveDirectory.GetS2SAccessTokenForProdMSAAsync();
HttpClient client = new HttpClient();
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Authorization", "Bearer " + token.AccessToken);
var resp = await client.GetAsync("https://management.azure.com/subscriptions/*******/resourceGroups/MYSQL/providers/Microsoft.DBforMySQL/servers/shoplister/firewallRules?api-version=2017-12-01");
Console.WriteLine(resp.StatusCode.ToString());
Console.WriteLine();
}
catch (Exception e) { Console.WriteLine(e); }
--------------- 更改后现在未经授权 ------------
【问题讨论】:
-
啊,好吧。然后,您需要在 Azure AD 中注册该应用并为该应用分配 mysql 资源上的角色。然后,您可以获取访问令牌以使用客户端凭据流从 Azure AD 调用 API。
-
资源 URI 应该是
https://management.azure.com/我相信。它是您要调用的 API 的标识符。 -
授权应该是
https://login.microsoftonline.com/tenant-id-here/ -
我看到了你的问题 :) 你需要将授权标头指定为
new AuthenticationHeaderValue("Bearer", token.AccessToken) -
嗯,这是一种改进,但不知道为什么现在会发生这种情况。您可以检查在 jwt.ms 获得的访问令牌,并检查它是否具有正确的 azure 广告租户 ID。还要仔细检查与您在 Azure 门户中分配的应用程序是否相同。您可能已将角色分配给同名的应用程序。