无法从客户端凭据身份验证Microsoft AD授权令牌 [英] Can't authorize token from Client Credentials Authentication Microsoft AD

问题描述

因此，我已经使用ASP Net Core构建了一个应用程序.这是我的代码

  services.AddAuthentication(AzureADDefaults.JwtBearerAuthenticationScheme).AddAzureADBearer(options => Configuration.Bind("AzureAd"，options));services.Configure< JwtBearerOptions>(AzureADDefaults.JwtBearerAuthenticationScheme，options =>{//这是Microsoft身份平台Web API.options.Authority + ="/v2.0";//Web API接受客户端ID(options.Audience)和api://{ClientID}作为受众.options.TokenValidationParameters.ValidAudiences = new []{选项.$" api://{options.Audience}"};}); 

当我使用用户密码验证时，此设置工作正常.但是由于某些条件，我只能将client_credentials用于其他应用程序.我正在使用它来获取令牌我成功获得了令牌，但是当我使用令牌时，它会导致我未经授权

这是我使用的API权限

这是我的解码令牌

解决方案

请将作用域更改为: api://{ClientID}/.default.

---

更新:

您需要创建另一个代表Web api的Azure AD应用程序，然后使用您的客户端应用程序调用 Web api应用程序.

首先，您需要公开代表Web api的应用程序的api，可以按照以下过程进行配置:

Azure门户> 应用注册> 公开API > 添加范围> 添加客户端应用程序

接下来，您需要定义api应用程序的清单并向您的客户端应用程序授予应用程序权限(这是您自己定义的角色权限，添加权限后，您可以在我的API 中找到它)

这是为客户端应用程序授予权限:

最后，您可以为您的api应用程序请求令牌:

So I have built an Application using ASP Net Core. here is my code

    services.AddAuthentication(AzureADDefaults.JwtBearerAuthenticationScheme)
    .AddAzureADBearer(options => Configuration.Bind("AzureAd", options));

    services.Configure<JwtBearerOptions>(AzureADDefaults.JwtBearerAuthenticationScheme, options =>
    {
        // This is a Microsoft identity platform web API.
        options.Authority += "/v2.0";

        // The web API accepts as audiences both the Client ID (options.Audience) and api://{ClientID}.
        options.TokenValidationParameters.ValidAudiences = new[]
        {
         options.Audience,
         $"api://{options.Audience}"
        };
    });

    

This setup is working fine when I using User Password Authentication. But because of some condition, I can only use client_credentials for my other application. I'm using this to get token I successfully get the token but when I'm using the token it gets me Unauthorized

Here is my API Permission that I used

And this one is my decoded token

解决方案

Please change the scope to: api://{ClientID}/.default.

---

Update:

You need to create another Azure AD application that represents the web api, and then use your client application to call the web api application.

First, you need to expose the api of the application representing the web api, you can configure it according to the following process:

Azure portal>App registrations>Expose an API>Add a scope>Add a client application

Next, you need to define the manifest of api applications and grant application permissions to your client applications (this is the role permissions you define yourself, you can find it in My APIs when you add permissions)

This is the process of defining the manifest.

This is to grant permissions for the client application:

Finally, you can request a token for your api application:

这篇关于无法从客户端凭据身份验证Microsoft AD授权令牌的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！