Azure AAD - The audience is invalid

Problem description

I have created a webapi secured with azure active directory. I need to test this now and am trying to use fiddler with an authorization header. I am trying to generate the token with the code below.

using System;
using System.Windows.Forms;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL

Target obj = (Target)cmbTarget.SelectedItem;

AuthenticationResult authenticationResult;
string aadInstance = obj.AADInstance; // "https://login.windows.net/{0}";
string tenant = obj.Tenant; //"rudderless.onmicrosoft.com";
// The resource the token is requested for; this value becomes the token's audience (aud) claim.
string apiResourceId = obj.ApiResourceId; //"15b4ac7f-23a8-4958-96a5-64159254690d";
string clientId = obj.ClientId; // "47cdc6c3-226a-4c38-b08e-055be8409056";

Uri redirectUri = new Uri(obj.RedirectUri); //new Uri("http://nativeclient");
string authority = string.Format(aadInstance, tenant);
authContext = new AuthenticationContext(authority);

// Interactive sign-in; the returned access token is scoped to apiResourceId.
authenticationResult = this.authContext.AcquireToken(apiResourceId,
                            clientId, redirectUri, PromptBehavior.Always);

txtToken.Text = authenticationResult.AccessToken;
Clipboard.SetText($"Bearer {txtToken.Text}");

I get the token generated successfully, and when I am using the token to call the webapi it is throwing 401 with message

WWW-Authenticate: Bearer error="invalid_token", error_description="The audience is invalid"

Recommended answer

I think it is important to revisit the different steps of authentication, and hopefully through the discussion you will be able to solve the issue you are having.

When a client is trying to get an access token to a resource, it needs to specify to AAD which resource it wants to get a token for. A client may be configured to call multiple resources, all with different configurations, so it is an expectation that the resource is always specified in an Access Token Request.

The resource can either be an App ID GUID for the Resource, or a valid App ID URI which is registered on the Resource. AAD should be able to uniquely identify which resource you are trying to reach based on the value you provide. However, note that if you use an App ID GUID, you will get a token from AAD where the Audience claim is the App ID GUID. Alternatively, if you use an App ID URI, you will see that URI as the audience claim in the token.

In both situations, you will get a token for the 'same' resource, but the claim in the token will appear differently. Additionally, it may be possible that a single application resource may have multiple App ID URIs registered on their app. Depending on which one you use in the authentication request, you will get a different audience claim in the token which matches the resource parameter you passed in.

Finally, once you get the token, you send it over to the Resource API who will validate the token for a number of things, such as: the Client ID Claim, the Scopes/Roles Claims, the authentication method ('acr' claim), and definitely that the audience claim matches what they expect!

This means that the Resource API ultimately needs to say "I accept < App ID GUID > as a valid Audience Claim"... or "I accept < App ID URI > as a valid Audience Claim". This kind of logic may be built into the library you are using (like OWIN), but you need to make sure that on your API side, you have it configured correctly for the Audiences you expect. You could, if you wanted, make it so that your API does not check the Audience claim at all! All the claims in the token are plaintext, and thus you could really do whatever you want, but you would not have a very secure API in that situation :]

At the end of the day, my hunch is that this error is coming from your own API, and it is happening because you have not configured your app to accept an Audience claim which matches your Resource's App ID GUID (which is what it looks like you are passing when you are getting a token, based on your code sample).

I hope this solves your issue!
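The answer's core point is that the `aud` claim in the token mirrors whatever resource value the client requested (App ID GUID or App ID URI), and the resource API only accepts the token if that claim is in its configured audience list. The following is an added example, not code from the question or answer above: it mints a constructed JWT whose `aud` equals the requested resource, then runs the resource-side checks (signature, expiry, audience) and reproduces the "The audience is invalid" outcome when the API is configured only for the URI while the client requested the GUID. The GUID, URI, issuer and signing key are constructed placeholders, and HS256 with a shared key stands in for the RS256 signature AAD actually uses.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders for one API (resource) registration; not real identifiers.
APP_ID_GUID = "00000000-0000-0000-0000-000000000000"   # the resource's App ID GUID
APP_ID_URI = "https://contoso.example/myapi"           # an App ID URI registered on it
CONSTRUCTED_KEY = b"constructed-demo-signing-key"       # HS256 stand-in for AAD's key


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(resource: str, key: bytes = CONSTRUCTED_KEY, now: int = None) -> str:
    """Mint a constructed access token. As described in the answer, the aud claim
    is simply the resource value the client asked for (GUID or URI)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "aud": resource,
        "iss": "https://sts.windows.net/tenant-placeholder/",  # constructed issuer
        "iat": now,
        "exp": now + 3600,
        "appid": "client-placeholder",  # constructed client id claim
    }
    signing_input = (b64url_encode(json.dumps(header).encode()) + "." +
                     b64url_encode(json.dumps(payload).encode()))
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def validate_token(token: str, valid_audiences, key: bytes = CONSTRUCTED_KEY,
                   now: int = None):
    """Resource-side validation. Returns (accepted, error_description).
    Checks signature first, then expiry, then that aud is one the API accepts;
    a mismatch is the situation behind 'The audience is invalid'."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return False, "invalid signature"
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if payload.get("exp", 0) <= now:
        return False, "token expired"
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # JWT allows a list
    if not any(a in valid_audiences for a in audiences):
        return False, "The audience is invalid"
    return True, ""


if __name__ == "__main__":
    # Client requests a token for the GUID, exactly as in the question's code.
    token = mint_token(APP_ID_GUID)
    # API configured only for the URI: rejected with the error from the question.
    print(validate_token(token, {APP_ID_URI}))
    # API configured to accept both registered identifiers: accepted.
    print(validate_token(token, {APP_ID_GUID, APP_ID_URI}))
```

Configuring the API with both the App ID GUID and every App ID URI it is registered under is the defensive choice the answer points at: it keeps audience checking on while accepting whichever identifier a legitimate client used as the resource parameter.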
