asp.net核心AzureADJwtBearer颁发者验证失败 [英] asp.net core AzureADJwtBearer issuer validation failure

问题描述

我有库存文件|新品|网页| asp.net核心Web api项目模板，在其中选择了AzureAD身份验证，该模板生成了以下Startup.cs

I have the stock file | new | web | asp.net core web api project template where I selected AzureAD authentication that generated the following Startup.cs

public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme)
        .AddAzureADBearer(options => Configuration.Bind("AzureAd", options));
    services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
}

和以下appsettings.json

and the following appsettings.json

"AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "mymsdn.onmicrosoft.com",
    "TenantId": "<my azuread tenant id>",
    "ClientId": "<my azuread web app id>"
  }

我正在使用邮递员来利用公共客户端配置文件应用程序设置来获取令牌，就像我为另一个Web api设置所做的那样，该设置可以使用相同的azureAd承载令牌认证代码和设置坐标按预期工作.

I'm using postman to acquire token leveraging a public client profile app setup just as I have done for another web api setup that is working as expected with the same azureAd bearer token auth code and settings coordinates.

由于某种原因，该应用正试图验证错误的令牌发行者格式，因此我对如何纠正它感到茫然.

For some reason this app is trying to validate the wrong token issuer format and i'm at a loss as to how I correct it.

Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler:Information: AzureADJwtBearer was not authenticated. Failure message: IDX10205: Issuer validation failed. Issuer: 'https://login.microsoftonline.com/<my azuread tenantid>/v2.0'. Did not match: validationParameters.ValidIssuer: 'null' or validationParameters.ValidIssuers: 'https://sts.windows.net/<my azuread tenantid>/'.

推荐答案

如果您为ClientId配置azuread应用程序注册条目以支持任何组织或消费者(又名microsoft帐户)而不是您的组织或组织登录，就会发现此问题.任何组织.解决方法是使用下面显示的Startup.ConfigureServices()代码的AddJwtBearer()块，而不是项目模板提供的AddAzureADBearer()块.

Turns out this issue surfaces if you configured azuread app registrations entry for your ClientId to support any organization or consumer, aka microsoft account, signins instead of just your organization or any organization. The fix was to use the AddJwtBearer() block of Startup.ConfigureServices() code shown below instead of the project template provided AddAzureADBearer() block.

public void ConfigureServices(IServiceCollection services)
{
    // if azuread app registrations entry for ClientId has "signInAudience": "AzureADMyOrg" or "AzureADMultipleOrgs" where "iss": "https://sts.windows.net/{TenantId}/"
    services.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme)
        .AddAzureADBearer(options => //Configuration.Bind("AzureAd", options));
        {
            Configuration.Bind("AzureAd", options);
            Log.LogInformation($"the AddAzureADBearer options have been configured for ClientId = {options.ClientId}");
        });

    // if azuread app registrations entry for ClientId has "signInAudience": "AzureADandPersonalMicrosoftAccount" where "iss": "https://login.microsoftonline.com/{TenantId}/v2.0"
    services.AddAuthentication(options => { options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme; })
        .AddJwtBearer(options =>
        {
            var azureadoptions = new AzureADOptions(); Configuration.Bind("AzureAd", azureadoptions);
            options.Authority = $"{azureadoptions.Instance}{azureadoptions.TenantId}/v2";
            options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
            {
                ValidAudience = $"{azureadoptions.ClientId}",
                //ValidAudiences = new List<string> { $"{azureadoptions.ClientId}", $"api://{azureadoptions.ClientId}", $"https://myapp.azurewebsites.net/" },
                //ValidIssuer = $"https://sts.windows.net/{azureadoptions.TenantId}/" // for "signInAudience": "AzureADMyOrg" or "AzureADMultipleOrgs"
                ValidIssuer = $"{azureadoptions.Instance}{azureadoptions.TenantId}/v2.0" // for "signInAudience": "AzureADandPersonalMicrosoftAccount"
                //ValidIssuers = new List<string> { $"https://sts.windows.net/{azureadoptions.TenantId}/", $"{azureadoptions.Instance}{azureadoptions.TenantId}/v2.0" }                        
            };

            Log.LogInformation($"the AddJwtBearer options have been configured for ClientId = {azureadoptions.ClientId}");
        });
    services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
}

这篇关于asp.net核心AzureADJwtBearer颁发者验证失败的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！