Unable to use bearer token to access AAD-secure Web API


Problem description


I have an API app secured with Azure AD (AAD). I also have an AAD application for a consuming application, and in the consuming application I have set up permissions to access the API app.


I am able to get a token, but when I go to use the token, the API app doesn't seem to look at the Authorization header. It tries to log me in via web browser.

My request looks like this:

    GET /api/ticketing/issueTopics HTTP/1.1
    Host: <removed>
    Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGc<rest is removed>
    Cache-Control: no-cache

This is what my Fiddler trace looks like.


The result I get in Postman is some MS redirect page:

    <html>
    <head>
        <title>Working...</title>
    </head>
    <body>
        <form method="POST" name="hiddenform" action="<removed>/.auth/login/aad/callback">
            <input type="hidden" name="id_token" value="<bearer token removed>" />
            <input type="hidden" name="state" value="/api/ticketing/issueTopics" />
            <input type="hidden" name="session_state" value="<removed>" />
            <noscript>
                <p>Script is disabled. Click Submit to continue.</p>
                <input type="submit" value="Submit" />
            </noscript>
        </form>
        <script language="javascript">document.forms[0].submit();</script>
    </body>
    </html>


The bearer token I removed, when deserialized, has my information in it, not my consuming application. So, it's trying to authenticate me, rather than using the bearer token to authenticate.


Any ideas how to fix this?

Update 1


By means of update, I pulled down the servicePrincipal data related to my consuming application, and it clearly says the consuming app should be able to talk to the API app.

    "oauth2Permissions": [{
        "adminConsentDescription": "Allow the application to access Ticketing API on behalf of the signed-in user.",
        "adminConsentDisplayName": "Access Ticketing API",
        "id": "<removed>",
        "isEnabled": true,
        "type": "User",
        "userConsentDescription": "Allow the application to access Ticketing API on your behalf.",
        "userConsentDisplayName": "Access Ticketing API",
        "value": "user_impersonation"
    }]

Update 2


I made a console app to try it that way. I got a 401 (Unauthorized).


An interesting observation is that if I go to jwt.io and paste my token in, it is able to deserialize it, but it also says the token is invalid (Invalid Signature). Not sure what that implies.

Recommended answer


I figured out the issue after figuring out how to turn on detailed logging and poring through them.


Documentation on MSDN says to pass "resource" as the App ID Uri. But you actually need to pass the Client ID as the value for "resource." Once I changed that, everything worked perfectly.


I found this in a txt file in LogFilesApplication.

2016-07-12T15:48:39  PID[8584] Warning     JWT validation failed: IDX10214: Audience validation failed. Audiences: 'https://<removed>.azurewebsites.net'. Did not match:  validationParameters.ValidAudience: '0b61abb8-59...7-6046c22f9c92' or validationParameters.ValidAudiences: 'null'.

The documentation I looked at was incorrect:

https://msdn.microsoft.com/en-us/library/partnercenter/dn974935.aspx

https://msdn.microsoft.com/en-us/library/azure/dn645543.aspx (this was the biggest offender as it does exactly what I want to do with incorrect information)
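The failure in the log line above is an audience mismatch: with the AAD v1 endpoint, the `resource` value you request becomes the token's `aud` claim, and App Service authentication compared that claim against the API app's Client ID, not its App ID URI. The following is an added example (not code from the thread or from Microsoft) that reproduces that check offline so you can see which audience a token carries before sending it to the API. The Client ID and App ID URI are constructed placeholders, and the sample tokens are built with HS256 and a throwaway key purely so the script runs without contacting AAD; real AAD tokens are RS256 and must have their signature verified against the tenant's published keys before any claim is trusted.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Sequence, Tuple

# Constructed placeholder values; substitute the API app's real values when diagnosing.
API_CLIENT_ID = "00000000-0000-0000-0000-000000000000"    # the API app's Client ID (what EasyAuth validated)
API_APP_ID_URI = "https://example-api.azurewebsites.net"  # the API app's App ID URI (what the MSDN page said to request)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_token(claims: dict, key: bytes = b"constructed-demo-key") -> str:
    """Build a constructed HS256 token so the audience check can run offline.

    AAD issues RS256 tokens signed with its published keys; this HS256 token is
    only a stand-in for the demo and must never be accepted by a real API.
    """
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(signature)}"


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.

    This is what jwt.io does when it decodes a token but reports "Invalid
    Signature": the claims are readable, nothing about the token is trusted.
    Use it to see which `aud` a token carries, never as an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_audience(
    token: str,
    valid_audience: Optional[str],
    valid_audiences: Optional[Sequence[str]] = None,
) -> Tuple[bool, str]:
    """Reproduce the audience check behind the IDX10214 warning in the log.

    The token's `aud` claim (a string or a list) must match either
    validationParameters.ValidAudience or one of ValidAudiences.
    """
    aud = decode_claims(token).get("aud")
    audiences = [str(a) for a in (aud if isinstance(aud, list) else [aud])]
    allowed = set(valid_audiences or [])
    if valid_audience:
        allowed.add(valid_audience)
    if any(a in allowed for a in audiences):
        return True, f"Audience validation succeeded. Audiences: '{', '.join(audiences)}'."
    return False, (
        "IDX10214: Audience validation failed. "
        f"Audiences: '{', '.join(audiences)}'. Did not match: "
        f"validationParameters.ValidAudience: '{valid_audience or 'null'}' or "
        f"validationParameters.ValidAudiences: '{', '.join(valid_audiences) if valid_audiences else 'null'}'."
    )


def compare_resource_choices() -> dict:
    """Show both outcomes from the thread: requesting resource=App ID URI yields
    a token whose aud the API (validating its Client ID) rejects, while
    resource=Client ID yields one it accepts."""
    results = {}
    for label, resource in (("resource=App ID URI", API_APP_ID_URI), ("resource=Client ID", API_CLIENT_ID)):
        token = build_sample_token({"aud": resource, "sub": "user@example.test"})  # constructed claims
        results[label] = check_audience(token, valid_audience=API_CLIENT_ID)
    return results


if __name__ == "__main__":
    for label, (ok, message) in compare_resource_choices().items():
        print(f"{label}: {'accepted' if ok else 'rejected'} -> {message}")
```

Running the script prints a rejection carrying the same IDX10214 wording as the App Service log for the App ID URI token and an acceptance for the Client ID token; pointing `decode_claims` at a real token from the console app shows directly whether its `aud` is the URI or the GUID.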

