Azure App Service Authentication with Google oAuth 2.0 Bearer Token

问题

We are using App Service Authentication to protect a web API and using Google as authentication provider. It works as expected when we fire a request from a browser (when the session information is in the cookie)

IIS log:

2016-05-29T13:51:19 PID[3600] Verbose Received request: GET https://XXXXXX.azurewebsites.net/api/user 2016-05-29T13:51:19 PID[3600] Verbose Found 'AppServiceAuthSession' cookie for site 'XXXXXX.azurewebsites.net'. Length: 728. 2016-05-29T13:51:19 PID[3600] Verbose Authenticated XXXXXX@gmail.com successfully using 'Session Cookie' authentication.

But when we use API testing tool such as Postman and set the Authorization header with bearer token, it always results in redirection.

IIS log:

2016-05-29T13:53:38 PID[3600] Verbose Received request: POST https://XXXXX.azurewebsites.net/api/user 2016-05-29T13:53:38 PID[3600] Information Redirecting: https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=XXXXXXX-XXXXX7attpunn9smo4.apps.googleusercontent.com&redirect_uri=https%3A%2F%2FXXXXXX.azurewebsites.net%2F.auth%2Flogin%2Fgoogle%2Fcallback&scope=openid+profile+email&state=nonce%3De5f4aabe11cb4544bf18d00920940d47_20160529135838%26redir%3D%2Fapi%2Fuser

We also tried to set X-ZUMO-AUTH header with the same bearer token, we see error as the token is not in expected format. Apparently it expects encoded JWT token.

IIS log:

016-05-29T13:51:52 PID[3600] Verbose Received request: POST https://XXXXXX.azurewebsites.net/api/user 2016-05-29T13:51:52 PID[3600] Warning JWT validation failed: IDX10708: 'System.IdentityModel.Tokens.JwtSecurityTokenHandler' cannot read this string: 'Bearer ya29.XXXXXXXXXX_RDrX_zsuvMx49e_9QS5ECz9F1yhDHe5j4H9gRN6opkjLXvN1IJZjHXa_Q'. The string needs to be in compact JSON format, which is of the form: '..'.. 2016-05-29T13:51:52 PID[3600] Information Redirecting: https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=XXXXXXX-k5nj6dkf987attpunn9smo4.apps.googleusercontent.com&redirect_uri=https%3A%2F%2FXXXXXX.azurewebsites.net%2F.auth%2Flogin%2Fgoogle%2Fcallback&scope=openid+profile+email&state=nonce%3De15b0915406142378XXXXX_20160529135652%26redir%3D%2Fapi%2Fuser

Note: Bearer token obtained from Google is valid as we can verify the detail by making call to https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=[token]

Please suggest.

回答1:

The Google token you're using is an access token, not a bearer token. It can be used to access Google resources but cannot be used to authenticate with your Web API.

I wasn't able to find good documentation on this, but I can tell you it works here instead:

1. In your client app, you must obtain an id_token and an authorization code from Google. You normally get this when the user logs in using the Google OpenID Connect login. I assume you already know how to do this since you already know how to get the access token.
2. Send a POST request to https://{hostname}/.auth/login/google with a JSON payload that looks like {"authorization_code":"<code>", "id_token":"<id_token>"}.
3. A successful login response will contain a JSON payload that contains an authenticationToken field. Cache this token.
4. You can use the authentication token from #3 to make authenticated calls to your web API. Put it in the x-zumo-auth HTTP request header.

回答2:

1. Turn on Authentication / Authorization from App Service Portal

2. Browse to the web app or API that requires authentication, you will be redirected to google login page, when you authenticate successfully, the response will contain:

   • "id_token": this token can be extracted from the response, or by accessing the Token Store /.auth/me
   • "redirect_uri" this token will be included in the response body, also you can just set it statically in the following step since this is the callback URL and it shouldn't change unless you change it from the google console

3. POST a request to https://{hostname}/.auth/login/google with the following JSON payload, {"redirect_uri":"", "id_token":""}. a successful response will contain "authenticationToken" store this token or cache it

4. Subsequent requests to the APIs that requires authentication should contain an HTTP request header:

   "x-zumo-auth" with the value of "authenitcationToken"

Bonus: In order to verify your token you can POST to https://{hostname}/.auth/login/google with the following JSON pay load {"id_token":""}, the response should specify if the token is valid or not

来源：https://stackoverflow.com/questions/37518982/azure-app-service-authentication-with-google-oauth-2-0-bearer-token