Azure AAD - The audience is invalid

Problem description

I have created a web API secured with Azure Active Directory. I need to test this now and am trying to use Fiddler with an authorization header. I am trying to generate the token with the code below.

using System;
using System.Windows.Forms;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL .NET (AcquireToken with PromptBehavior is the ADAL v2 API)

// authContext is an AuthenticationContext field on the form; obj holds the per-environment settings.
Target obj = (Target)cmbTarget.SelectedItem;

AuthenticationResult authenticationResult;
string aadInstance = obj.AADInstance; // "https://login.windows.net/{0}";
string tenant = obj.Tenant; // "rudderless.onmicrosoft.com";
string apiResourceId = obj.ApiResourceId; // "15b4ac7f-23a8-4958-96a5-64159254690d";
string clientId = obj.ClientId; // "47cdc6c3-226a-4c38-b08e-055be8409056";

Uri redirectUri = new Uri(obj.RedirectUri); // new Uri("http://nativeclient");
string authority = string.Format(aadInstance, tenant);
authContext = new AuthenticationContext(authority);

// The first argument is the resource; its value becomes the "aud" claim of the returned token.
authenticationResult = this.authContext.AcquireToken(apiResourceId,
                            clientId, redirectUri, PromptBehavior.Always);

txtToken.Text = authenticationResult.AccessToken;
Clipboard.SetText($"Bearer {txtToken.Text}");

I get the token generated successfully, and when I use the token to call the web API it throws a 401 with the message

WWW-Authenticate: Bearer error="invalid_token", error_description="The audience is invalid"

Recommended answer

I think it is important to revisit the different steps of authentication, and hopefully through the discussion you will be able to solve the issue you are having.

When a client is trying to get an access token to a resource, it needs to specify to AAD which resource it wants to get a token for. A client may be configured to call multiple resources, all with different configurations, so it is an expectation that the resource is always specified in an Access Token Request.

The resource can either be an App ID GUID for the Resource, or a valid App ID URI which is registered on the Resource. AAD should be able to uniquely identify which resource you are trying to reach based on the value you provide. However, note that if you use an App ID GUID, you will get a token from AAD where the Audience claim is the App ID GUID. Alternatively, if you use an App ID URI, you will see that URI as the audience claim in the token.

In both situations, you will get a token for the 'same' resource, but the claim in the token will appear differently. Additionally, a single application resource may have multiple App ID URIs registered on its app. Depending on which one you use in the authentication request, you will get a different audience claim in the token, matching the resource parameter you passed in.

Finally, once you get the token, you send it over to the Resource API, which will validate the token for a number of things, such as: the Client ID claim, the Scopes/Roles claims, the authentication method ('acr' claim), and definitely that the audience claim matches what it expects!

This means that the Resource API ultimately needs to say "I accept < App ID GUID > as a valid Audience Claim"... or "I accept < App ID URI > as a valid Audience Claim". This kind of logic may be built into the library you are using (like OWIN), but you need to make sure that on your API side, you have it configured correctly for the Audiences you expect. You could, if you wanted, make it so that your API does not check the Audience claim at all! All the claims in the token are plaintext, and thus you could really do whatever you want, but you would not have a very secure API in that situation :]

At the end of the day, my hunch is that this error is coming from your own API, and it is happening because you have not configured your app to accept an Audience claim which matches your Resource's App ID GUID (which looks like what you are passing when you get a token, based on your code sample).

I hope this solves your issue!
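The two halves of the answer above, the resource parameter becoming the "aud" claim and the API checking that claim against its configured audiences, can be shown end to end with a small model. The following is an added example, not code from the question or the answer, and not Azure AD's or OWIN's implementation: the token endpoint is a mock that signs with HS256 and a shared secret (real AAD tokens are RS256-signed and verified against the tenant's published keys), and the App ID GUID, App ID URI, issuer and client id are constructed placeholder values. What it demonstrates is the failure mode from the question: a token requested with the GUID as the resource is rejected by an API configured only for the App ID URI, with the same `WWW-Authenticate` challenge the poster saw, and accepted once the GUID is added to the list of valid audiences.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder values for the example; not a real tenant or application.
APP_ID_GUID = "00000000-0000-0000-0000-000000000001"
APP_ID_URI = "https://contoso.example/my-api"
ISSUER = "https://sts.example/placeholder-tenant/"
SECRET = b"example-signing-key"  # HS256 stand-in for AAD's RS256 signing keys

AUDIENCE_CHALLENGE = 'Bearer error="invalid_token", error_description="The audience is invalid"'
SIGNATURE_CHALLENGE = 'Bearer error="invalid_token", error_description="The signature is invalid"'


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(resource: str, client_id: str) -> str:
    """Mock token endpoint: whatever 'resource' the client asks for is copied into 'aud'.

    This mirrors the answer's point that AcquireToken(resource, ...) decides the audience claim.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "aud": resource, "appid": client_id}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    signature = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def audience_claim(token: str) -> str:
    """Read the 'aud' claim without verification (what you see when inspecting a token in Fiddler)."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return payload["aud"]


def validate_token(token: str, valid_audiences) -> tuple:
    """Resource-side validation: signature first, then audience. Returns (status, headers)."""
    parts = token.split(".")
    if len(parts) != 3:
        return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}
    header_b64, payload_b64, sig_b64 = parts

    # 1. Reject anything not signed by the issuer before trusting a single claim.
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return 401, {"WWW-Authenticate": SIGNATURE_CHALLENGE}

    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        return 401, {"WWW-Authenticate": 'Bearer error="invalid_token", error_description="The issuer is invalid"'}

    # 2. 'aud' may be a string or a list; accept the token only if one entry is configured as valid.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if not any(a in valid_audiences for a in audiences):
        return 401, {"WWW-Authenticate": AUDIENCE_CHALLENGE}
    return 200, {}


if __name__ == "__main__":
    token = issue_token(APP_ID_GUID, "constructed-native-client")
    print("aud in token:", audience_claim(token))
    print("API accepts only the App ID URI:", validate_token(token, {APP_ID_URI}))
    print("API accepts GUID and URI:", validate_token(token, {APP_ID_GUID, APP_ID_URI}))
```

The practical takeaway is the last two lines: fixing the 401 means making the API's list of valid audiences contain the exact string that the client passes as the resource, whether that is the App ID GUID, one of the App ID URIs, or both, rather than weakening or disabling the audience check.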
