无法从AAD获取承载令牌以使用Web API [英] Unable to get bearer token from AAD to consume Web API

问题描述

我试图保护我的Web API应用程序，以便只有特定的用户和应用程序才能使用这些服务.我遵循了许多不同的说明，这些说明建议我具有以下代码进行身份验证(我将其简化为可以在控制台应用程序中轻松重现的代码):

I am attempting to secure my Web API applications such that only specific users and applications can consume the services. I have followed many different instructions that have suggested that I have the following code to authenticate (I have simplified this to be easily reproducible in a Console application):

class Program
{
    private const string ServicesClientId = "11111111-1111-1111-1111-111111111111";
    private const string ClientId = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa";
    private const string ClientKey = "abcdefghijklmnopqrstuvwxyz1234567890=";
    private const string AadLoginUri = "https://login.windows.net/{0}";
    private const string TenantId = "example.onmicrosoft.com";

    private static readonly string Authority = string.Format(CultureInfo.InvariantCulture, AadLoginUri, TenantId);

    static void Main(string[] args)
    {
        var clientCredential = new ClientCredential(ClientId, ClientKey);
        var context = new AuthenticationContext(Authority, false);

        // This line fails!
        var appAuthResult = context.AcquireToken(ServicesClientId, clientCredential);
        // AADSTS50105: Application 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' is not
        // assigned to a role for the application '11111111-1111-1111-1111-111111111111'.

        var appAuthTokenProvider = new ApplicationTokenProvider(context, "https://example.azurewebsites.net", clientCredential, appAuthResult);
        var tokenCreds = new TokenCredentials(appAuthTokenProvider);

        Console.WriteLine(tokenCreds.ToString());
        Console.ReadLine();
    }
}

因此，只要禁用了用户分配但启用了用户分配，此代码就可以很好地工作(并且您需要等待一分钟，因为即使它说成功启用，它似乎也不会立即生效)，失败.

So this code works beautifully as long as user assignment is disabled but the moment that user assignment is enabled (and you wait a minute as it doesn't appear to be effective instantly even though it says it was successfully enabled), it fails.

我收到以下错误:

AADSTS50105:应用程序"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaaaa"不是 分配给应用程序的角色 '11111111-1111-1111-1111-111111111111'.

AADSTS50105: Application 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' is not assigned to a role for the application '11111111-1111-1111-1111-111111111111'.

我该怎么做才能使它正常工作?

我已经尝试了各种各样的事情来使它消失而没有运气.我尝试过的事情:

I have tried and tried all sorts of things to get this to go away without luck. Things I have tried:

1. 将我的注册客户端的默认访问MyWebAPI"权限添加到注册的Web API项目中
2. 更改Web API应用程序的清单以添加应用程序角色: { "allowedMemberTypes": [ "Application" ], "displayName": "Universal App Client", "id": "c27e3fa1-e96a-445c-aaf7-8cbb60cca980", "isEnabled": true, "description": "Application Consuming all Services.", "value": "AppClient" } ，然后将应用程序权限(在注册的消费应用程序上)设置为具有此新的通用应用程序客户端"权限.
3. 更改Web API应用程序的清单以在knownClientApplications数组下添加使用方应用程序的客户端ID.
4. 我已经多次重新配置了我的Web API应用程序，以防万一通过故障排除过程弄糟了它，但我总是以
5. 在摸摸肚子的同时拍我的头.

1. Adding the default "Access MyWebAPI" permission from my registered client to the registered Web API project
2. Changing the manifest for the Web API application to add an App Role: { "allowedMemberTypes": [ "Application" ], "displayName": "Universal App Client", "id": "c27e3fa1-e96a-445c-aaf7-8cbb60cca980", "isEnabled": true, "description": "Application Consuming all Services.", "value": "AppClient" } and then setting the Application Permission (on the registered consuming application) to have this new "Universal App Client" permission.
3. Changing the manifest for the Web API application to add the consuming application's Client ID under the knownClientApplications array.
4. I have reprovisioned my Web API application several times in case I goofed it up via the troubleshooting process but I always end up
5. Patting my head while rubbing my stomach.

我不确定下一步该怎么做.

I'm not sure what to try next.

出于参考目的，这是我的packages.config文件:

For reference purposes, here is my packages.config file:

<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Microsoft.IdentityModel.Clients.ActiveDirectory" version="2.28.1" targetFramework="net46" />
  <package id="Microsoft.Rest.ClientRuntime" version="1.8.2" targetFramework="net46" />
  <package id="Microsoft.Rest.ClientRuntime.Azure.Authentication" version="0.11.3" targetFramework="net46" />
  <package id="Newtonsoft.Json" version="9.0.1" targetFramework="net46" />
</packages>

此问题类似于

This question is similar to this other question but the answer to that question (reprovision & redeploy it) does not work for me, as mentioned above.

推荐答案

我也可以重现此问题.我发现当我向应用程序角色授予Web API时，可能未按预期授予该角色.这是供您参考的图:

I could reproduce this issue too. I found when I grant the application role the web API, the role maybe not granted as expected. Here is figure for your reference:

作为限制用户和应用程序的一种解决方法，我们可以在Web API中对其进行编码以自行实现令牌处理程序.例如，我们可以配置允许的用户，应用程序，然后解析访问令牌以检索appid和upn进行验证.有关自定义令牌处理程序的详细信息，您可以参考

As a workaround to limit the users and applications, we can code it in the web API to implement the token handler ourselves. For example, we can config the allowed users, applications and then parse the access token to retrieve the appid and upn to verify it. More detail about custom token handler, you can refer this thread.

对于原始问题，我还试图在内部进行报告.

And for the original issue, I am also trying to report it internally.

这篇关于无法从AAD获取承载令牌以使用Web API的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！