2017-07-14 65 views
0

Connect IdentityServer4 to Azure Active Directory

As one of my requirements, I need to connect IdentityServer to Active Directory in order to use the existing users and claims. So far I have managed to create an application registration in the Azure portal, so I have an Application ID and have also configured an API key. In addition, I have the list of endpoints:

https://login.windows.net/{ad_guid}/federationmetadata/2007-06/federationmetadata.xml 
https://login.windows.net/{ad_guid}/wsfed 
https://login.windows.net/{ad_guid}/saml2 
https://login.windows.net/{ad_guid}/saml2 
https://graph.windows.net/{ad_guid} 
https://login.windows.net/{ad_guid}/oauth2/token 
https://login.windows.net/{ad_guid}/oauth2/authorize 

I can get the OpenID configuration from

https://login.windows.net/{ad_guid}/.well-known/openid-configuration 

According to the documentation from Microsoft, I should now configure the endpoint like this:

// Default sign-in type for the cookie middleware (OWIN/Katana-style call)
app.SetDefaultSignInAsAuthenticationType(
    CookieAuthenticationDefaults.AuthenticationType); 

app.UseCookieAuthentication(new CookieAuthenticationOptions()); 

// Authority is the tenant-specific Azure AD endpoint; "Instance" holds the tenant identifier
var uri = "https://login.windows.net/{0}"; 
var instance = configuration["AzureAD:Instance"]; 
var authority = string.Format(CultureInfo.InvariantCulture, uri, instance); 

// ASP.NET Core OpenID Connect middleware; the type is OpenIdConnectOptions
// (OpenIdConnectAuthenticationOptions is the OWIN/Katana name and has no
// DisplayName / AuthenticationScheme / SignInScheme members)
app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions 
{ 
    DisplayName = "Azure Active Directory", 
    AuthenticationScheme = "AzureAD", 
    // Hand the external identity to IdentityServer's external cookie
    SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme, 
    ClientId = configuration["AzureAD:AppId"], 
    Authority = authority, 
    Scope = {"openid", "email"} 
}); 

For some reason this does not work. Any idea what I might have missed?

Answer

1

Apparently I was right. Here is my solution:

using System.Globalization; 
using System.IdentityModel.Tokens.Jwt; 
using System.Security.Cryptography.X509Certificates; 
using System.Threading.Tasks; 
using IdentityServer4; 
using Microsoft.AspNetCore.Authentication; 
using Microsoft.AspNetCore.Authentication.Cookies; 
using Microsoft.AspNetCore.Authentication.OpenIdConnect; 
using Microsoft.AspNetCore.Builder; 
using Microsoft.Extensions.Configuration; 
using Microsoft.IdentityModel.Tokens; 
using Serilog; 

// Stop the JWT handler from mapping inbound claim types to the long SOAP-style
// URIs, so the Azure AD claims keep their original names (sub, email, roles, ...)
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear(); 

app.UseCookieAuthentication(new CookieAuthenticationOptions 
{ 
    AuthenticationScheme = IdentityServerConstants.DefaultCookieAuthenticationScheme, 
    AutomaticAuthenticate = true, 
    AutomaticChallenge = true 
}); 

// The options built here are passed to app.UseOpenIdConnectAuthentication(...) 
public static OpenIdConnectOptions CreateAzureAdOptions(X509Certificate2 certificate2, IConfiguration configuration) 
{ 
    return new OpenIdConnectOptions 
    { 
        DisplayName = "Azure Active Directory", 
        AuthenticationScheme = "Azure", 
        ClientId = configuration["OpenId:AzureAD:AppId"], 
        // "Instance" holds the tenant GUID 
        Authority = string.Format(CultureInfo.InvariantCulture, "https://login.windows.net/{0}", configuration["OpenId:AzureAD:Instance"]), 
        TokenValidationParameters = new TokenValidationParameters 
        { 
            // Accepts id_tokens from any issuer (any tenant); the issuer/tenant is then 
            // no longer checked by the middleware and must be checked elsewhere 
            ValidateIssuer = false 
        }, 
        // https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-token-and-claims 
        Scope = {"openid", "email", "roles", "groups"}, 
        Events = new OpenIdConnectEvents 
        { 
            OnRemoteFailure = context => HandleRemoteFailure(context) 
        }, 
        // Hand the external identity to IdentityServer's external cookie 
        SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme 
    }; 
} 

// Log the failure and send the user to an access-denied page instead of surfacing the exception 
private static Task HandleRemoteFailure(FailureContext context) 
{ 
    Log.Error(context.Failure, "Azure AD Remote Failure"); 
    context.Response.Redirect("/accessdenied"); 
    context.HandleResponse(); 
    return Task.FromResult(0); 
} 
+0

In configuration["OpenId:AzureAD:Instance"], is the value of "Instance" your tenant name? – JakeJ

+0

It is the GUID of the Azure AD instance – MovGP0
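The answer above sets ValidateIssuer = false, which makes the middleware accept an id_token minted for any Azure AD tenant. As an added example that is not part of the original post or IdentityServer4's own code, the following keeps issuer validation on and instead checks the tenant GUID in the issuer against an explicit allow-list; the configuration key OpenId:AzureAD:AllowedTenants, the class name and the helper IsTrustedIssuer are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using IdentityServer4;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Configuration;
using Microsoft.IdentityModel.Tokens;

public static class AzureAdIssuerPolicy
{
    // Azure AD (v1 endpoint) issues tokens with iss = "https://sts.windows.net/{tenant-guid}/".
    // True only when the issuer is well-formed and its tenant GUID is in the allow-list.
    public static bool IsTrustedIssuer(string issuer, ISet<string> allowedTenants)
    {
        if (!Uri.TryCreate(issuer, UriKind.Absolute, out var uri)) return false;
        if (uri.Scheme != "https" || uri.Host != "sts.windows.net") return false;
        var segments = uri.AbsolutePath.Trim('/').Split('/');
        if (segments.Length != 1 || !Guid.TryParse(segments[0], out var tenant)) return false;
        return allowedTenants.Contains(tenant.ToString("D"));
    }

    public static OpenIdConnectOptions CreateAzureAdOptions(IConfiguration configuration)
    {
        // Assumed key: comma-separated tenant GUIDs; falls back to the single GUID the answer
        // keeps in OpenId:AzureAD:Instance.
        var raw = configuration["OpenId:AzureAD:AllowedTenants"] ?? configuration["OpenId:AzureAD:Instance"];
        var allowedTenants = new HashSet<string>(
            raw.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries), StringComparer.OrdinalIgnoreCase);

        return new OpenIdConnectOptions
        {
            DisplayName = "Azure Active Directory",
            AuthenticationScheme = "Azure",
            ClientId = configuration["OpenId:AzureAD:AppId"],
            Authority = string.Format(CultureInfo.InvariantCulture,
                "https://login.windows.net/{0}", configuration["OpenId:AzureAD:Instance"]),
            SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme,
            Scope = { "openid", "email" },
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,
                // Replaces the default comparison against the discovery document's issuer with the
                // allow-list; throwing makes the handler reject the token and raise OnRemoteFailure.
                IssuerValidator = (issuer, token, parameters) =>
                    IsTrustedIssuer(issuer, allowedTenants)
                        ? issuer
                        : throw new SecurityTokenInvalidIssuerException("Issuer is not an allowed tenant: " + issuer)
            }
        };
    }
}
```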