AADSTS50013:断言受众声明不符合要求的值 [英] AADSTS50013: Assertion audience claim does not match the required value
问题描述
我有一个单页面应用程序,该应用程序使用adal-angular.js / adal.js [client]在Azure中对用户进行身份验证。
返回的令牌插入到auth标头中,并传递给Web API [服务器]。该Web api使用代表工作流程为应用程序生成了新的访问令牌( https://github.com/Azure-Samples/active-directory-dotnet-webapi-onbehalfof )
然后,此令牌用于调用下游API [API1]。
因此,下游API重复此过程以获取新令牌来调用另一个API [API2]。正是在这一点上,我遇到了以上错误。
I've got a single page app that authenticates users in Azure using adal-angular.js/adal.js [client].
The returned token is inserted into the auth header and passed to a web API [server]. This web api generates a new access token for the app using the on-behalf-of workflow (https://github.com/Azure-Samples/active-directory-dotnet-webapi-onbehalfof)
This token is then used to call a downstream API [API1].
So the downstream API then repeats this process to get a new token to call another API [API2]. It's at this point that I'm getting the above error.
从[客户端]传递到[服务器]的令牌中的aud值是[服务器]应用。
从[服务器]传递到[API1]的令牌中的aud值是[API1]应用程序的应用程序URI。
到目前为止一切都很好。
The aud value in the token passed from [client] to [server] is the application id of the [server] app. The aud value in the token passed from the [server] to [API1] is the Application URI of the [API1] app. So far so good.
当我在[API1]应用中调用AcquireTokenAsync时,出现以下错误:
When I call AcquireTokenAsync in [API1] app, I get the following error:
AADSTS70002:验证凭据时出错。 AADSTS50013:断言受众声明与所需值不匹配。断言中的受众是 http:// application_uri .com /,预期的受众是 snip -a1d5-e82e84f4e19e或该应用的Uris之一应用程序ID为 snip -a1d5-e82e84f4e19e的应用
AADSTS70002: Error validating credentials. AADSTS50013: Assertion audience claim does not match the required value. The audience in the assertion was 'http://application_uri.com/' and the expected audience is 'snip-a1d5-e82e84f4e19e' or one of the Application Uris of this application with App ID 'snip-a1d5-e82e84f4e19e'
[API1]中的相关代码:
The relevant code from [API1]:
public static async Task<string> GetApplicationTokenOnBehalfOfUser(string appId, string appKey)
{
var clientCredential = new ClientCredential(appId, appKey);
var bootstrapContext = ClaimsPrincipal.Current.Identities.First().BootstrapContext as
System.IdentityModel.Tokens.BootstrapContext;
var userName = ClaimsPrincipal.Current.FindFirst(ClaimTypes.Upn) != null ? ClaimsPrincipal.Current.FindFirst(ClaimTypes.Upn).Value : ClaimsPrincipal.Current.FindFirst(ClaimTypes.Email).Value;
var userAccessToken = bootstrapContext.Token;
var userAssertion = new UserAssertion(userAccessToken, _assertionType, userName);
var authority = string.Format(System.Globalization.CultureInfo.InvariantCulture, _aadInstance, _tenant);
var userId = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value;
var authContext = new AuthenticationContext(authority, new TokenCache());
var result = await authContext.AcquireTokenAsync(_resourceId, clientCredential, userAssertion);
var accessToken = result.AccessToken;
return accessToken;
}
其中:
appId = snip -a1d5-e82e84f4e19e
Where: appId = "snip-a1d5-e82e84f4e19e"
BootstrapContext.Token中的 aud值是:
aud: http:// application_uri .com /
And the "aud" value from the BootstrapContext.Token is: "aud": "http://application_uri.com/"
如果我更改上述内容以将令牌中的 aud值用作ClientCredential中的appId,则会收到此错误而是:
If I change the above to use the "aud" value from the token as the appId in the ClientCredential, I get this error instead:
AADSTS65001:用户或管理员未同意使用ID为'http:// application_uri .com的应用程序/'。发送对此用户和资源的交互式授权请求。
AADSTS65001: The user or administrator has not consented to use the application with ID 'http://application_uri.com/'. Send an interactive authorization request for this user and resource.
我这样做正确吗?
谢谢。
Am I doing this right? Thanks.
推荐答案
为使此工作正常进行,我必须向AP1的API1添加以下委托权限。
天蓝色权限
To get this working I had to add the following delegated permissions to API1 for AP2. Azure Permissions
这篇关于AADSTS50013:断言受众声明不符合要求的值的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!