邮递员:“您无权查看此目录或页面"带有无记名令牌 [英] POSTMAN: "You do not have permission to view this directory or page" with Bearer Token

问题描述

我在HostGator上托管了一个网站，假设它的域名为 https://example.com .

我还有一个托管在Azure上的应用程序，并且在整个站点(包括API组件)上启用了 Active Directory 身份验证，假设它的域为 https://example.azurewebsites.net

目标-要在 https://example.com 上执行PHP文件(作为CRON作业)，并首先使该文件通过Azure的身份进行身份验证Active Directory，然后通过HTTP GET 调用从 https://example.azurewebsites.net/api/getValues 中提取数据.

问题-显然，仅调用不带承载令牌的API会导致 401 ，但我仍然得到 401 即使我传递的似乎是有效的Bearer令牌.

这就是我所做的:

使用

如您所见，它返回了在^上方看到的令牌.

然后我拿了这个令牌，并通过另一个 Postman 呼叫:

但是问题是，我仍然收到确切的错误消息:

您无权查看此目录或页面.

我觉得我已经尝试了一切.我什至进入 portal.azure 并设置允许的令牌受众":

有人知道我可以更改允许进行此类呼叫的任何设置吗?

解决方案

evilSnobu已经解释了由不正确的观众引起的此问题.我想更一般地解释它，以帮助理解此问题.

OAuth 2.0授权框架中有两个概念客户端和资源服务器(请参考 rfc6749 ).当客户端调用资源服务器时，资源服务器将验证请求中传递的令牌.例如，它将验证签名，发行者，客户ID，受众群体等.

客户:代表以下用户提出受保护资源请求的应用程序:资源所有者及其授权.术语客户"确实不暗示任何特定的实现特征(例如，应用程序是否在服务器，台式机或其他服务器上执行设备).

资源服务器:托管受保护资源的服务器，能够接受并使用访问令牌响应受保护的资源请求.

在您的方案中，您获得了Azure AD Graph( https://graph.windows.net )的access_token.但是，您在门户网站上配置的受众与access_token中的 aud 声明不匹配.若要解决此问题，我们可以使用在Azure AD注册的应用程序作为客户端和资源.如果是这样，我们需要使用应用程序ID 而不是应用程序ID URI 来获取访问令牌.并在Azure门户上将此值配置为允许的令牌受众.

或者我们可以只在Azure AD中注册两个应用程序以分别代表客户端应用程序和资源应用程序.并使用客户端应用程序获取资源应用程序的令牌.如果是这样， resource 的值应为资源应用程序的 App ID URI ，我们还需要将其配置为 ALLOWED TOKEN AUDIENCES Azure门户.

I've got a website hosted on HostGator, let's say it's domain is https://example.com.

I also have an application hosted on Azure, with Active Directory Authentication enabled on the entire site (including the API component), let's say it's domain is https://example.azurewebsites.net

THE GOAL - To have a PHP file be executed (as a CRON job) on https://example.com and have the file first Authenticate itself with Azure's Active Directory, and then to pull data from https://example.azurewebsites.net/api/getValues via an HTTP GET call.

THE PROBLEM - Obviously, just calling the API without a bearer token will cause a 401, but I'm still getting a 401 even though I'm passing in what appears to be a valid Bearer Token.

Here's what I did:

Using https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code -

I visited https://login.microsoftonline.com/{{tenant_id}}/oauth2/authorize?response_type=code&client_id={{client_id}} that was given to me through Azure AD Management Portal.

This returned:

https://example.com/?code={{really_long_string_of_code}}

I took this really_long_string_of_code and put it through postman as a body parameter called code, seen below:

As you can see, it returned the token seen above ^.

I then took this token and put it through another Postman call:

But the problem is, I still get that exact error message:

You do not have permission to view this directory or page.

I feel like I've tried everything. I've even went into the portal.azure and set the "allowed token audiences":

Anyone know any settings I can change to allow this sort of call to happen?

解决方案

The evilSnobu have already explained this issue which caused by incorrect audience. I want to explain it more general to help understand this issue.

There are two concepts client and resource server in the OAuth 2.0 Authorization Framework(refer rfc6749). When the client calls the resource server, the resource server will verify the token passed in the request. For example, it will verify the signature, issuer, client id, audience etc.

client: An application making protected resource requests on behalf of the resource owner and with its authorization. The term "client" does not imply any particular implementation characteristics (e.g., whether the application executes on a server, a desktop, or other devices).

resource server: The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.

In your scenario, you were acquire the access_token for the Azure AD Graph(https://graph.windows.net). However, the audience you config at the portal doesn't match the aud claim in the access_token. To fix the issue, we can use the app registered at Azure AD as both client and resource. If that, we need to acquire the access token using the Application ID instead of App ID URI. And config this value as the ALLOWED TOKEN AUDIENCES on the Azure portal.

Or we can just to register two apps in Azure AD to represent the client app and resource app separately. And using the client app to acquire the token for the resource app. If this, the value of resource should the App ID URI of resource app and we also need to config it as the ALLOWED TOKEN AUDIENCES on the Azure portal.

这篇关于邮递员:“您无权查看此目录或页面"带有无记名令牌的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！