Issuer in access token from Azure Active Directory is https://sts.windows.net when I'm expecting https://login.microsoftonline.com
Question
I'm trying to validate an access token obtained from Azure Active Directory.
I obtained the token from https://login.microsoftonline.com/{{my tenant guid}}/v2.0
However, the issuer in the token that comes back is https://sts.windows.net//{{my tenant guid}}/ which doesn't match.
If I check the config at .well-known/openid-configuration, the issuer is as expected: https://login.microsoftonline.com/....
I've found a similar issue reported on GitHub here: https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/560
The outcome from this is to manually edit the manifest JSON in the application registration in AAD and set "accessTokenAcceptedVersion": 2
I've done this but it has made no difference.
I've also seen similar questions here on Stack Overflow, but those are related to a difference in the tenancy guid - that is not the case here.
Accepted answer
So it seems that changing the acceptedTokenVersion to 2 in the manifest did change things, but it just took time to take effect.
And yes, the audience is always the client ID in v2 tokens, based on my tests.
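The situation in the question and answer, as an added example that is not code from the original post or from MSAL: a small claim checker that decodes the payload of an Azure AD access token, compares `iss` against the v2.0 issuer format the validator expects, and, when the issuer is instead the v1.0 `https://sts.windows.net/{tenant}/` form, reports that the token came from the v1.0 endpoint (the `accessTokenAcceptedVersion` situation described above). The tenant and client GUIDs are placeholders and the tokens are constructed, unsigned inputs so the example runs offline; real tokens must still have their signature verified against the tenant's JWKS before any claim is trusted.

```javascript
// Added example (not from the original question/answer or from MSAL).
// Inspects the claims of an Azure AD access token and explains an issuer mismatch
// between the v1.0 and v2.0 endpoints. Only claims are inspected here; signature
// verification against the tenant's JWKS must still happen before trusting them.

const TENANT_ID = "00000000-0000-0000-0000-000000000000"; // placeholder tenant GUID (assumption)
const CLIENT_ID = "11111111-1111-1111-1111-111111111111"; // placeholder app (client) ID (assumption)

// Issuer formats Azure AD uses for the two access-token versions.
function expectedIssuer(version, tenantId) {
  return version === "2.0"
    ? `https://login.microsoftonline.com/${tenantId}/v2.0`
    : `https://sts.windows.net/${tenantId}/`;
}

// base64url helpers (Buffer's "base64" decoder tolerates the missing padding).
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj))
    .toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function b64urlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Decode the payload segment of a compact JWT without verifying it.
function decodePayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS (expected 3 segments)");
  return b64urlDecode(parts[1]);
}

// Verdict for a validator that expects v2.0 tokens: do iss/aud match, and if not,
// is the token actually a v1.0 token issued by sts.windows.net?
function checkIssuer(token, tenantId, clientId) {
  const claims = decodePayload(token);
  const ver = claims.ver;
  if (claims.iss === expectedIssuer("2.0", tenantId) && claims.aud === clientId) {
    return { ok: true, version: ver, reason: "v2.0 issuer and audience match" };
  }
  if (claims.iss === expectedIssuer("1.0", tenantId)) {
    return {
      ok: false,
      version: ver,
      reason: "token was issued by the v1.0 endpoint (sts.windows.net); " +
        "check accessTokenAcceptedVersion in the app manifest and allow time for it to take effect",
    };
  }
  return { ok: false, version: ver, reason: `unexpected issuer ${claims.iss}` };
}

// Constructed, unsigned tokens so the example runs offline ("sig" is a dummy segment).
function makeUnsignedToken(payload) {
  return `${b64urlEncode({ alg: "none", typ: "JWT" })}.${b64urlEncode(payload)}.sig`;
}

const v1Token = makeUnsignedToken({
  iss: `https://sts.windows.net/${TENANT_ID}/`,
  aud: `api://${CLIENT_ID}`, // v1.0 tokens may carry the App ID URI as audience
  ver: "1.0",
});
const v2Token = makeUnsignedToken({
  iss: `https://login.microsoftonline.com/${TENANT_ID}/v2.0`,
  aud: CLIENT_ID,            // v2.0 tokens carry the bare client ID
  ver: "2.0",
});

console.log(checkIssuer(v1Token, TENANT_ID, CLIENT_ID)); // ok: false, v1.0 endpoint
console.log(checkIssuer(v2Token, TENANT_ID, CLIENT_ID)); // ok: true
```

The `ver` claim is reported alongside the verdict because it is the quickest way to confirm, while waiting for the manifest change to propagate, whether the token you are holding is still a v1.0 token.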