AzureAD JWT Token Audience claim prefix makes JWT Token invalid


Question

I'm using the 'adal-node' npm package to authenticate with an AzureAD. This is all working fine and I get a token back.

However, when examining the 'aud' claim in the JWT token I see the audience GUID is prefixed with 'spn:'. I think this is causing me problems when I try to use the JWT token on an already existing Web API. When I authenticate via a WebApp using the same AzureAD the 'aud' claim is NOT prefixed with 'spn:' and I am able to call endpoints on the WebAPI.

Can anyone shed any light on this? This is the last hurdle to get over after a lot of head banging getting this working.

Update:

Using the npm package 'azure-ad-jwt' to validate the JWT token with AzureAD as soon as I receive it gives me the error which I suspected is the problem - 'JWT audience is invalid'. It is expecting the 'aud' claim not to have the 'spn:' prefix. Where is this spn prefix coming from?

Here's my app.js

var adal = require('adal-node');

var activeDirectoryEndpointUrl = 'https://login.microsoftonline.com/';

var options = {
    domain: '<AzureAD GUID>',                               // tenant ID
    activeDirectoryResourceId: '<AzureAD App Client ID 1>', // resource (the Web API) the token is requested for
    clientId: '<AzureAD App Client ID 2>'                   // this client application's ID
};

var tokenCache = new adal.MemoryCache();
var authorityUrl = activeDirectoryEndpointUrl + options.domain;
var context = new adal.AuthenticationContext(authorityUrl, true, tokenCache);

// Step 1 of the device code flow: obtain a user code and verification URL.
context.acquireUserCode(options.activeDirectoryResourceId, options.clientId, 'en-us', function (err, userCodeResponse) {
    if (err) {
        console.error(err);
        return;
    }

    console.log('Use a web browser to open the page ' + userCodeResponse.verificationUrl + ' and enter the code ' + userCodeResponse.userCode + ' to sign in.');

    // Step 2: poll until the user has signed in, then receive the token for the resource.
    context.acquireTokenWithDeviceCode(options.activeDirectoryResourceId, options.clientId, userCodeResponse, function (err, tokenResponse) {
        if (err) {
            console.error(err);
            return;
        }

        console.log(tokenResponse);
    });
});

Decoded JWT token:

{
    "typ":"JWT",
    "alg":"RS256",
    "x5t":"XXXXXXX",
    "kid":"XXXXXXX"
}
{
    "aud":"spn:XXXXXXX",    // <<< Offending claim
    "iss":"https://sts.windows.net/XXXXXXX/",
    "iat":1471355868,
    "nbf":1471355868,
    "exp":1471359768,
    "acr":"1",
    "amr":["pwd"],
    "appid":"XXXXXXX",
    "appidacr":"0",
    "e_exp":7200,
    "family_name":"XX",
    "given_name":"XX",
    "ipaddr":"XX.XX.XX.XX",
    "name":"XX XX",
    "oid":"XXXXXXX",
    "scp":"user_impersonation",
    "sub":"XXXXXXX",
    "tid":"XXXXXXX",
    "unique_name":"XXX@XXX.onmicrosoft.com",
    "upn":"XXX@XXX.onmicrosoft.com",
    "ver":"1.0"
}

Accepted answer

Appears to be documented "by design"[1] for Azure AD.

In Azure AD's SAML 2.0 Single Sign-On SAML protocol describing the response fields, they describe the audience response value. Note the bold text at the bottom:

Audience

This contains a URI that identifies an intended audience. Azure AD sets the value of this element to the value of the Issuer element of the AuthnRequest that initiated the sign-on. To evaluate the Audience value, use the value of the App ID URI that was specified during application registration.

Like the Issuer value, the Audience value must exactly match one of the service principal names that represents the cloud service in Azure AD. However, if the value of the Issuer element is not a URI value, the Audience value in the response is the Issuer value prefixed with spn:.

So for better or worse, the answer for Azure AD SAML 2.0 seems to be either:

  1. Change your Issuer Entity ID to be a URI
  2. Change your implementation to strip the spn: from the start of the audience response value.


[1] The SAML 2.0 Core spec specifies the <Issuer> element not as a URI, but as a complex type NameIDType, a string with no format requirements by default. So we can feel annoyed that Azure AD is not happy with a non-URI string. Having said that, every example Issuer in the spec is a URI, so maybe our annoyed self-justification has its limits.
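As an added example (not code from the question or the answer), here is how option 2 can be implemented without weakening audience validation: an 'aud' value is accepted only if it equals the expected audience exactly or equals exactly 'spn:' followed by that audience, so a token issued for a different API's GUID is still rejected. It uses only Node.js built-ins, the App ID and tokens below are constructed sample values, and it does not verify the signature, so it belongs after a library such as azure-ad-jwt has checked signature and issuer.

```javascript
// Added example, not from the original post: strict 'aud' check that tolerates
// the 'spn:' prefix Azure AD adds when the Issuer/Entity ID is not a URI.
// Signature and issuer validation are assumed to have happened already.

function fromBase64Url(s) {
  var b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64');
}
function toBase64Url(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode the payload (second segment) of a compact JWT without verifying it.
function decodeJwtPayload(token) {
  var parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(fromBase64Url(parts[1]).toString('utf8'));
}

// Remove exactly one leading 'spn:'; anything else is left untouched.
function normalizeAudience(aud) {
  return aud.indexOf('spn:') === 0 ? aud.slice(4) : aud;
}

// True only if some 'aud' value (string or array) equals one of the accepted
// audiences after normalization. A missing or non-string 'aud' fails.
function audienceIsValid(payload, acceptedAudiences) {
  var auds = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  var accepted = acceptedAudiences.map(normalizeAudience);
  return auds.some(function (a) {
    return typeof a === 'string' && accepted.indexOf(normalizeAudience(a)) !== -1;
  });
}

// Build a demo token from a constructed payload. The signature segment is a
// placeholder, so these tokens only exercise the audience check.
function makeDemoToken(payload) {
  return toBase64Url(JSON.stringify({ typ: 'JWT', alg: 'RS256' })) + '.' +
         toBase64Url(JSON.stringify(payload)) + '.placeholder-signature';
}

// Constructed sample values standing in for the Web API's real App ID.
var API_APP_ID = '11111111-2222-3333-4444-555555555555';
var deviceCodeToken = makeDemoToken({ aud: 'spn:' + API_APP_ID, scp: 'user_impersonation' });
var webAppToken = makeDemoToken({ aud: API_APP_ID });
var otherApiToken = makeDemoToken({ aud: 'spn:99999999-8888-7777-6666-555555555555' });
```

The device-code token (aud 'spn:<App ID>') and the web-app token (aud '<App ID>') both pass against API_APP_ID, while the token for the other GUID fails.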
