POSTMAN:“您无权查看此目录或页面"带有不记名令牌 [英] POSTMAN: "You do not have permission to view this directory or page" with Bearer Token
问题描述
我有一个托管在 HostGator 上的网站,假设它的域是 https://example.com.
我还有一个托管在 Azure 上的应用程序,在整个站点(包括 API 组件)上启用了 Active Directory 身份验证,假设它的域是 https://example.azurewebsites.net
目标 - 在 https://example.com 上执行 PHP 文件(作为 CRON 作业)并首先使用 Azure 验证文件本身Active Directory,然后通过 HTTP GET 调用从 https://example.azurewebsites.net/api/getValues 中提取数据.
问题 - 显然,仅在没有承载令牌的情况下调用 API 会导致 401,但我仍然得到 401即使我传递的似乎是一个有效的不记名令牌.
这就是我所做的:
使用
如您所见,它返回了上面看到的令牌 ^.
然后我拿了这个令牌并通过另一个 Postman 调用:
但问题是,我仍然收到确切的错误消息:
<块引用>您无权查看此目录或页面.
我觉得我已经尝试了一切.我什至进入了 portal.azure 并设置了允许的令牌受众":
任何人都知道我可以更改任何设置以允许发生这种呼叫吗?
evilSnobu 已经解释了这个问题是由于观众不正确造成的.我想更笼统地解释一下,以帮助理解这个问题.
OAuth 2.0授权框架中有客户端和资源服务器两个概念(参考rfc6749).当客户端调用资源服务器时,资源服务器会验证请求中传入的token.例如,它将验证签名、颁发者、客户端 ID、受众等.
<块引用>客户:代表受保护资源请求的应用程序资源所有者及其授权.术语客户"做不暗示任何特定的实现特征(例如,应用程序是否在服务器、桌面或其他设备上执行设备).
<块引用>
资源服务器:托管受保护资源的服务器,能够接受并使用访问令牌响应受保护的资源请求.
在您的场景中,您获得了 Azure AD Graph (https://graph.windows.net) 的 access_token.但是,您在门户中配置的受众与 access_token 中的 aud 声明不匹配.要解决此问题,我们可以将在 Azure AD 中注册的应用用作客户端和资源.如果是这样,我们需要使用 Application ID 而不是 App ID URI 获取访问令牌.并将此值配置为 Azure 门户上的 ALLOWED TOKEN AUDIENCES.
或者我们可以只在 Azure AD 中注册两个应用,分别代表客户端应用和资源应用.并使用客户端应用程序获取资源应用程序的令牌.如果是这样,resource 的值应该是资源应用的App ID URI,我们还需要将其配置为ALLOWED TOKEN AUDIENCESAzure 门户.
I've got a website hosted on HostGator, let's say it's domain is https://example.com.
I also have an application hosted on Azure, with Active Directory Authentication enabled on the entire site (including the API component), let's say it's domain is https://example.azurewebsites.net
THE GOAL - To have a PHP file be executed (as a CRON job) on https://example.com and have the file first Authenticate itself with Azure's Active Directory, and then to pull data from https://example.azurewebsites.net/api/getValues via an HTTP GET call.
THE PROBLEM - Obviously, just calling the API without a bearer token will cause a 401, but I'm still getting a 401 even though I'm passing in what appears to be a valid Bearer Token.
Here's what I did:
I visited https://login.microsoftonline.com/{{tenant_id}}/oauth2/authorize?response_type=code&client_id={{client_id}} that was given to me through Azure AD Management Portal.
This returned:
https://example.com/?code={{really_long_string_of_code}}
I took this really_long_string_of_code and put it through postman as a body parameter called code, seen below:
As you can see, it returned the token seen above ^.
I then took this token and put it through another Postman call:
But the problem is, I still get that exact error message:
You do not have permission to view this directory or page.
I feel like I've tried everything. I've even went into the portal.azure and set the "allowed token audiences":
Anyone know any settings I can change to allow this sort of call to happen?
The evilSnobu have already explained this issue which caused by incorrect audience. I want to explain it more general to help understand this issue.
There are two concepts client and resource server in the OAuth 2.0 Authorization Framework(refer rfc6749). When the client calls the resource server, the resource server will verify the token passed in the request. For example, it will verify the signature, issuer, client id, audience etc.
client: An application making protected resource requests on behalf of the resource owner and with its authorization. The term "client" does not imply any particular implementation characteristics (e.g., whether the application executes on a server, a desktop, or other devices).
resource server: The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
In your scenario, you were acquire the access_token for the Azure AD Graph(https://graph.windows.net). However, the audience you config at the portal doesn't match the aud claim in the access_token. To fix the issue, we can use the app registered at Azure AD as both client and resource. If that, we need to acquire the access token using the Application ID instead of App ID URI. And config this value as the ALLOWED TOKEN AUDIENCES on the Azure portal.
Or we can just to register two apps in Azure AD to represent the client app and resource app separately. And using the client app to acquire the token for the resource app. If this, the value of resource should the App ID URI of resource app and we also need to config it as the ALLOWED TOKEN AUDIENCES on the Azure portal.
这篇关于POSTMAN:“您无权查看此目录或页面"带有不记名令牌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
