Azure AD B2C错误-IDX10501:签名验证失败 [英] Azure AD B2C error - IDX10501: Signature validation failed
问题描述
我在尝试使用Azure AD B2C验证My Web API时遇到困难. 我将从一些背景开始
I'm having hard times trying to use Azure AD B2C to authenticate My Web API. I'll start with some background
我创建了使用Azure AD B2C对用户进行身份验证的移动应用程序.我正在创建一个显示以下URL的WebView:
I created mobile application which is using Azure AD B2C to authenticate users. I'm creating a WebView which display this url:
要求用户登录到azure广告,如果登录数据成功,则我收到包含访问令牌的响应-这部分进行得很顺利,一切正常.
User is asked to login to azure ad, if the login data is successfull i'm receiving a response containing the access token - this part went smooth, everything works properly.
现在,我想创建后端Web Api.我创建了ASP NET Core Web应用程序,该应用程序允许我选择身份验证方法.我选择Azure AD身份验证,因此模板为我生成了所有必需的数据.代码中的相关部分在这里:
Now i want to create backend Web Api. I created ASP NET Core Web application which allows me to choose authentication method. I choose the Azure AD authentication so the template generated all required data for me. The relevant part in the code is here:
我更新了所有必需的配置属性以匹配我的天蓝色设置.在这一点上,我希望能够使用在移动应用程序上收到的访问令牌来调用API.我在本地运行移动应用程序,登录后收到访问令牌,将其复制并尝试使用邮递员(授权标头为"Bearer ...")调用我的Web api(托管在IIS express中).不幸的是,没有运气-我收到带有以下标头的401:
I updated all required config properties to match my azure settings. At this point i would expect to be able to call the API using access token i received on the mobile app. I run mobile app locally, signed in, received access token, copied it and tried to call my web api(hosted in IIS express) using postman ( with authorization header "Bearer ..." ). Unfortunately with no luck - i'm receiving 401 with following header:
bearer error ="invalid_token",error_description =签名密钥为 找不到"
Bearer error="invalid_token", error_description="The signature key was not found"
我认为令牌足以授权API-我理解这是OAuth的重点.我想念什么吗?我应该有一些其他配置吗?我注意到配置缺少登录策略(这似乎是AD B2C名称所必需的,因此我尝试添加以下内容:
I thought token is enough to Authorize the API - i understand this is a whole point of OAuth. Am i missing something ? Should i have some additional config ? I Noticed the config is missing the sign in policy ( which seems to be required by AD B2C name so i tried adding that:
var validationParameters = new TokenValidationParameters
{
AuthenticationType = "MY_POLICY",
};
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
Authority = Configuration["Authentication:AzureAd:AADInstance"] + Configuration["Authentication:AzureAd:TenantId"],
Audience = Configuration["Authentication:AzureAd:Audience"],
TokenValidationParameters = validationParameters
});
但是这也不起作用.将不胜感激.
But this didn't work too. Will appreciate any help.
编辑
我在Visual Studio日志中发现以下错误:
I found following error in Visual Studio logs:
承载者未通过身份验证.失败消息:IDX10501:签名 验证失败.无法匹配孩子":"..."
Bearer was not authenticated. Failure message: IDX10501: Signature validation failed. Unable to match 'kid': '...'
推荐答案
@juunas评论有助于我发现问题.我用提琴手检查了传出的请求,并通过这段代码发现了这一点:
@juunas comment help me to find the issue. I inspected outgoing requests with fiddler and i found that with this piece of code:
Authority = Configuration ["Authentication:AzureAd:AADInstance"] + Configuration ["Authentication:AzureAd:TenantId"]
Authority = Configuration["Authentication:AzureAd:AADInstance"] + Configuration["Authentication:AzureAd:TenantId"]
请求已发送到以下地址:
The request was being send to following address:
https://login.microsoftonline.com/MYTENANTID/.well-已知/openid配置
以上有两个问题:
- 它没有使用v2端点. B2C的正确链接应始终使用v2,因此它看起来像:
https://login.microsoftonline.com/MYTENANTID/ v2.0 /.众所周知/openid配置
https://login.microsoftonline.com/MYTENANTID/v2.0/.well-known/openid-configuration
- 它没有在链接中添加登录策略(即使我在令牌选项中进行了设置)
我设法通过删除"Authority"参数并将configure auth函数更改为以下内容来使其起作用:
I managed to make it work with removing "Authority" parameter and changing the configure auth function to following:
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
MetadataAddress = string.Format("https://login.microsoftonline.com/{0}/v2.0/.well-known/openid-configuration?p={1}",
Configuration["Authentication:AzureAd:TenantId"], "MYPOLICY"),
AuthenticationScheme = "MYPOLICY",
Audience = Configuration["Authentication:AzureAD:ClientId"],
});
这篇关于Azure AD B2C错误-IDX10501:签名验证失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!