Unable to use bearer token to access AAD-secure Web API


Problem description

I have an API app secured with Azure AD (AAD). I also have an AAD application for a consuming application, and in the consuming application I have set up permissions to access the API app.

I am able to get a token, but when I go to use the token, the API app doesn't seem to look at the Authorization header. It tries to log me in via web browser.

My request looks like this:

    GET /api/ticketing/issueTopics HTTP/1.1
    Host: <removed>
    Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGc<rest is removed>
    Cache-Control: no-cache

This is what it looks like in Fiddler.

The result I get in Postman is some MS redirect page:

    <html>
    <head>
        <title>Working...</title>
    </head>
    <body>
        <form method="POST" name="hiddenform" action="<removed>/.auth/login/aad/callback">
            <input type="hidden" name="id_token" value="<bearer token removed>" />
            <input type="hidden" name="state" value="/api/ticketing/issueTopics" />
            <input type="hidden" name="session_state" value="<removed>" />
            <noscript>
                <p>Script is disabled. Click Submit to continue.</p>
                <input type="submit" value="Submit" />
            </noscript>
        </form>
        <script language="javascript">document.forms[0].submit();</script>
    </body>
    </html>

The bearer token I removed, when deserialized, has my information in it, not my consuming application's. So, it's trying to authenticate me, rather than using the bearer token to authenticate.

Any ideas how to fix this?

Update 1

By way of update, I pulled down the servicePrincipal data related to my consuming application, and it clearly says the consuming app should be able to talk to the API app.

    "oauth2Permissions": [{
        "adminConsentDescription": "Allow the application to access Ticketing API on behalf of the signed-in user.",
        "adminConsentDisplayName": "Access Ticketing API",
        "id": "<removed>",
        "isEnabled": true,
        "type": "User",
        "userConsentDescription": "Allow the application to access Ticketing API on your behalf.",
        "userConsentDisplayName": "Access Ticketing API",
        "value": "user_impersonation"
    }]

Update 2

I made a console app to try it that way. I got a 401 (Unauthorized).

An interesting observation is that if I go to jwt.io and paste my token in, it is able to deserialize it, but it also says the token is invalid (Invalid Signature). Not sure what that implies.

Recommended answer

I figured out the issue after working out how to turn on detailed logging and poring through the logs.

Documentation on MSDN says to pass the App ID URI as "resource". But you actually need to pass the Client ID as the value for "resource". Once I changed that, everything worked perfectly.

I found this in a txt file in LogFiles\Application.

    2016-07-12T15:48:39  PID[8584] Warning     JWT validation failed: IDX10214: Audience validation failed. Audiences: 'https://<removed>.azurewebsites.net'. Did not match:  validationParameters.ValidAudience: '0b61abb8-59...7-6046c22f9c92' or validationParameters.ValidAudiences: 'null'.

The documentation I looked at that was incorrect:

https://msdn.microsoft.com/en-us/library/partnercenter/dn974935.aspx
https://msdn.microsoft.com/en-us/library/azure/dn645543.aspx (this was the biggest offender, as it does exactly what I want to do, with incorrect information)
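The audience check behind the IDX10214 warning in the answer above, as an added example that is not part of the original question or answer and is not Microsoft's validation code. It decodes a JWT payload without verifying the signature (inspection only; like jwt.io without the AAD signing keys, it cannot tell a genuine token from a forged one, so never use it as an authorization decision) and compares the `aud` claim against a configured ValidAudience / ValidAudiences the way the log line describes. It also builds the v1 token-request body to make the point of the fix concrete: whatever is sent as `resource` is what lands in `aud`, so a token requested for the App ID URI will never match a validator configured with the client ID. The client ID, App ID URI, tenant and secret are hypothetical placeholders, and the sample tokens are constructed, unsigned (`alg: none`) tokens, not real AAD tokens. It goes slightly beyond the page in accepting `aud` as either a string or a list, which the JWT spec allows.

```python
import base64
import json
from urllib.parse import urlencode

# Hypothetical values standing in for the <removed> parts of the original post.
API_CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # client ID of the API app registration
API_APP_ID_URI = "https://example.azurewebsites.net"    # App ID URI of the same registration
TENANT_ID = "11111111-1111-1111-1111-111111111111"
CONSUMER_CLIENT_ID = "22222222-2222-2222-2222-222222222222"
CONSUMER_SECRET = "not-a-real-secret"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT checking the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def validate_audience(token: str, valid_audience: str, valid_audiences=None):
    """Mimic the IDX10214 audience rule: 'aud' must equal ValidAudience or be in ValidAudiences.

    Returns (ok, message); on failure the message is shaped like the App Service log line.
    """
    aud = decode_claims(token).get("aud")
    audiences = aud if isinstance(aud, list) else [aud]   # RFC 7519 allows string or array
    allowed = {valid_audience, *(valid_audiences or [])}
    if any(a in allowed for a in audiences):
        return True, "audience ok"
    return False, (
        "IDX10214: Audience validation failed. Audiences: %s. Did not match: "
        "validationParameters.ValidAudience: '%s' or validationParameters.ValidAudiences: '%s'."
        % (", ".join("'%s'" % a for a in audiences),
           valid_audience,
           ", ".join(valid_audiences) if valid_audiences else "null")
    )


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED JWT (alg 'none') purely as sample input for the checks above."""
    header = {"typ": "JWT", "alg": "none"}
    return "%s.%s." % (b64url_encode(json.dumps(header).encode()),
                       b64url_encode(json.dumps(claims).encode()))


def token_request_body(resource: str) -> str:
    """Form body for the AAD v1 client-credentials grant; 'resource' is copied into the token's 'aud'."""
    return urlencode({
        "grant_type": "client_credentials",
        "client_id": CONSUMER_CLIENT_ID,
        "client_secret": CONSUMER_SECRET,
        "resource": resource,
    })


TOKEN_ENDPOINT = "https://login.microsoftonline.com/%s/oauth2/token" % TENANT_ID

# Constructed sample tokens: what AAD would mint for each choice of 'resource'.
TOKEN_FOR_URI = make_unsigned_token(
    {"aud": API_APP_ID_URI, "iss": "https://sts.windows.net/%s/" % TENANT_ID, "appid": CONSUMER_CLIENT_ID})
TOKEN_FOR_CLIENT_ID = make_unsigned_token(
    {"aud": API_CLIENT_ID, "iss": "https://sts.windows.net/%s/" % TENANT_ID, "appid": CONSUMER_CLIENT_ID})


if __name__ == "__main__":
    # The failing case from the answer: resource=App ID URI, validator expects the client ID.
    print("POST %s\n%s\n" % (TOKEN_ENDPOINT, token_request_body(API_APP_ID_URI)))
    print(validate_audience(TOKEN_FOR_URI, API_CLIENT_ID)[1])
    # The fix: resource=client ID.
    print("\nPOST %s\n%s\n" % (TOKEN_ENDPOINT, token_request_body(API_CLIENT_ID)))
    print(validate_audience(TOKEN_FOR_CLIENT_ID, API_CLIENT_ID)[1])
```

The second, lower-effort fix is the mirror image: leave `resource` as the App ID URI and add that URI to the validator's allowed audiences (App Service Authentication exposes this as its allowed token audiences setting), which `validate_audience` models through `valid_audiences`. Either way, audience and resource have to agree exactly; a trailing slash on the URI is enough to reproduce the warning.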
