.NET Core3.1でAzure Active Directory(=AAD)認証を行う方法についてです。
AngularでAzure Active Directory認証を行うの続きです。
クライアントアプリケーション(Angular)からのリクエストのヘッダーにはjwtがあるので、jwtによるAAD認証でWeb APIを保護します。
Startup.cs
usingMicrosoft.AspNetCore.Builder;usingMicrosoft.AspNetCore.Hosting;usingMicrosoft.AspNetCore.SpaServices.AngularCli;usingMicrosoft.Extensions.Configuration;usingMicrosoft.Extensions.DependencyInjection;usingMicrosoft.Extensions.Hosting;usingMicrosoft.AspNetCore.Authentication.AzureAD.UI;usingMicrosoft.AspNetCore.Authentication;namespaceAadSample{publicclassStartup{publicStartup(IHostEnvironmentenv){varbuilder=newConfigurationBuilder().SetBasePath(env.ContentRootPath).AddJsonFile("appsettings.json",optional:false,reloadOnChange:true).AddJsonFile($"appsettings.{env.EnvironmentName}.json",optional:true).AddEnvironmentVariables();Configuration=builder.Build();}publicIConfigurationConfiguration{get;}// DIを定義publicvoidConfigureServices(IServiceCollectionservices){// Azure ADのServiceをDIの定義を追加// Configuration.Bind("AzureAd", options)でappsettings.jsonから必要な接続情報を取得するservices.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme).AddAzureADBearer(options=>Configuration.Bind("AzureAd",options));// …他のDI}publicvoidConfigure(IApplicationBuilderapp,IWebHostEnvironmentenv){if(env.IsDevelopment()){app.UseDeveloperExceptionPage();}else{app.UseExceptionHandler("/Error");app.UseHsts();}app.UseHttpsRedirection();app.UseStaticFiles();if(!env.IsDevelopment()){app.UseSpaStaticFiles();}app.UseRouting();app.UseAuthentication();// 追記app.UseAuthorization();// 追記app.UseEndpoints(endpoints=>{endpoints.MapControllerRoute(name:"default",pattern:"{controller}/{action=Index}/{id?}");});app.UseSpa(spa=>{spa.Options.SourcePath="ClientApp";if(env.IsDevelopment()){spa.UseAngularCliServer(npmScript:"start");}});}}}appsettings.json
AzureAdスキーマにAzureポータルで作成したAADの設定情報を記載する
{"Logging":{"LogLevel":{"Default":"Information","Microsoft":"Warning","Microsoft.Hosting.Lifetime":"Information"}},"AzureAd":{"Instance":"https://login.microsoftonline.com/","Domain":"{例:hogehoge}.onmicrosoft.com","TenantId":"{ディレクトリ(テナント)ID}","ClientId":"{アプリケーション(クライアント)ID}"},"AllowedHosts":"*"}HogeController
認証が必要なControllerに対し[Authorize]属性を付与します。
[HttpGet][Route("GetWeatherForecast")][Authorize]publicIEnumerable<WeatherForecast>Get(){varrng=newRandom();returnEnumerable.Range(1,5).Select(index=>newWeatherForecast{Date=DateTime.Now.AddDays(index),TemperatureC=rng.Next(-20,55),Summary=Summaries[rng.Next(Summaries.Length)]}).ToArray();}CustomFilterAttributeを使って認証を行う場合は
IAuthorizationFilterを継承します。
usingMicrosoft.AspNetCore.Mvc;usingMicrosoft.AspNetCore.Mvc.Filters;usingSystem;namespaceAadSample{/// <summary>/// 認証フィルター/// </summary>publicclassCustomAuthorize:Attribute,IAuthorizationFilter{/// <summary>/// 認証チェック/// </summary>/// <param name="context"></param>publicvoidOnAuthorization(AuthorizationFilterContextcontext){varuser=context.HttpContext.User;if(user.Identity.IsAuthenticated){return;// 認証済みならAPIを実行}else{context.Result=newUnauthorizedResult();// 未認証なら401を返す}}}}参考URL
保護された Web API アプリを構成する - Microsoft identity platform | Microsoft Docs