Azure App 服務驗證中以檔案為基礎的組態
App Service 驗證可透過檔案設定其驗證組態。 App Service 驗證/授權的某些預覽功能,在透過 Azure Resource Manager API 公開之前,可能需要使用以檔案為基礎的組態。
重要
請記住,您的應用程式承載 (因此也包括此檔案) 可能會在環境間移動,例如部署位置之間。 您可能會希望將不同的應用程式註冊釘選至每個位置;在這類情況下,應繼續使用標準組態方法,而非使用組態檔。
啟用以檔案為基礎的組態
在您的專案根目錄 (部署至 Web/函數應用程式中的 C:\home\site\wwwroot),建立組態的新 JSON 檔案。 根據以檔案為基礎的組態參考填入所需組態。 若要修改現有的 Azure Resource Manager 組態,請務必將
authsettings
集合中擷取的屬性轉譯為組態檔。接著修改現有組態,其擷取自 Azure Resource Manager API 中的
Microsoft.Web/sites/<siteName>/config/authsettingsV2
。 若要加以修改,您可使用 Azure Resource Manager 範本或 Azure 資源總管等工具。 在 authsettingsV2 集合中,設定兩個屬性 (您可以移除其他屬性):- 將
platform.enabled
設定為「True」 - 將
platform.configFilePath
設定為檔案名稱 (如「auth.json」)
注意
platform.configFilePath
的格式因平台而異。 Windows 同時支援相對路徑和絕對路徑。 建議使用相對路徑。 Linux 目前僅支援絕對路徑,因此設定值應類似於「/home/site/wwwroot/auth.json」。
一旦已更新此組態,檔案內容將用於定義該網站的 App Service 驗證/授權行為。 若希望改回 Azure Resource Manager 組態,則可移除 platform.configFilePath 設定,或將其變更為 Null。
組態檔參考
組態檔所參考的任何秘密皆須儲存為應用程式設定;組態檔本身只應包含該應用程式設定的名稱 (例如 clientSecretSettingName 的值),而非秘密值本身。 您可任意命名設定。 只要確定組態檔中的參考使用相同的設定名稱即可。
下列範例列出檔案中所有可能的組態選項:
{
"platform": {
"enabled": <true|false>
},
"globalValidation": {
"unauthenticatedClientAction": "RedirectToLoginPage|AllowAnonymous|RejectWith401|RejectWith404",
"redirectToProvider": "<default provider alias>",
"excludedPaths": [
"/path1",
"/path2",
"/path3/subpath/*"
]
},
"httpSettings": {
"requireHttps": <true|false>,
"routes": {
"apiPrefix": "<api prefix>"
},
"forwardProxy": {
"convention": "NoProxy|Standard|Custom",
"customHostHeaderName": "<host header value>",
"customProtoHeaderName": "<proto header value>"
}
},
"login": {
"routes": {
"logoutEndpoint": "<logout endpoint>"
},
"tokenStore": {
"enabled": <true|false>,
"tokenRefreshExtensionHours": "<double>",
"fileSystem": {
"directory": "<directory to store the tokens in if using a file system token store (default)>"
},
"azureBlobStorage": {
"sasUrlSettingName": "<app setting name containing the sas url for the Azure Blob Storage if opting to use that for a token store>"
}
},
"preserveUrlFragmentsForLogins": <true|false>,
"allowedExternalRedirectUrls": [
"https://uri1.azurewebsites.net/",
"https://uri2.azurewebsites.net/",
"url_scheme_of_your_app://easyauth.callback"
],
"cookieExpiration": {
"convention": "FixedTime|IdentityDerived",
"timeToExpiration": "<timespan>"
},
"nonce": {
"validateNonce": <true|false>,
"nonceExpirationInterval": "<timespan>"
}
},
"identityProviders": {
"azureActiveDirectory": {
"enabled": <true|false>,
"registration": {
"openIdIssuer": "<issuer url>",
"clientId": "<app id>",
"clientSecretSettingName": "APP_SETTING_CONTAINING_AAD_SECRET",
},
"login": {
"loginParameters": [
"paramName1=value1",
"paramName2=value2"
]
},
"validation": {
"allowedAudiences": [
"audience1",
"audience2"
]
}
},
"facebook": {
"enabled": <true|false>,
"registration": {
"appId": "<app id>",
"appSecretSettingName": "APP_SETTING_CONTAINING_FACEBOOK_SECRET"
},
"graphApiVersion": "v3.3",
"login": {
"scopes": [
"public_profile",
"email"
]
},
},
"gitHub": {
"enabled": <true|false>,
"registration": {
"clientId": "<client id>",
"clientSecretSettingName": "APP_SETTING_CONTAINING_GITHUB_SECRET"
},
"login": {
"scopes": [
"profile",
"email"
]
}
},
"google": {
"enabled": true,
"registration": {
"clientId": "<client id>",
"clientSecretSettingName": "APP_SETTING_CONTAINING_GOOGLE_SECRET"
},
"login": {
"scopes": [
"profile",
"email"
]
},
"validation": {
"allowedAudiences": [
"audience1",
"audience2"
]
}
},
"twitter": {
"enabled": <true|false>,
"registration": {
"consumerKey": "<consumer key>",
"consumerSecretSettingName": "APP_SETTING_CONTAINING TWITTER_CONSUMER_SECRET"
}
},
"apple": {
"enabled": <true|false>,
"registration": {
"clientId": "<client id>",
"clientSecretSettingName": "APP_SETTING_CONTAINING_APPLE_SECRET"
},
"login": {
"scopes": [
"profile",
"email"
]
}
},
"openIdConnectProviders": {
"<providerName>": {
"enabled": <true|false>,
"registration": {
"clientId": "<client id>",
"clientCredential": {
"clientSecretSettingName": "<name of app setting containing client secret>"
},
"openIdConnectConfiguration": {
"authorizationEndpoint": "<url specifying authorization endpoint>",
"tokenEndpoint": "<url specifying token endpoint>",
"issuer": "<url specifying issuer>",
"certificationUri": "<url specifying jwks endpoint>",
"wellKnownOpenIdConfiguration": "<url specifying .well-known/open-id-configuration endpoint - if this property is set, the other properties of this object are ignored, and authorizationEndpoint, tokenEndpoint, issuer, and certificationUri are set to the corresponding values listed at this endpoint>"
}
},
"login": {
"nameClaimType": "<name of claim containing name>",
"scopes": [
"openid",
"profile",
"email"
],
"loginParameterNames": [
"paramName1=value1",
"paramName2=value2"
],
}
},
//...
}
}
}