Azure AD B2C 错误 - IDX10501:签名验证失败 [英] Azure AD B2C error - IDX10501: Signature validation failed
问题描述
我在尝试使用 Azure AD B2C 对我的 Web API 进行身份验证时遇到了困难.我将从一些背景开始
我创建了使用 Azure AD B2C 对用户进行身份验证的移动应用程序.我正在创建一个显示此 url 的 WebView:
要求用户登录 azure 广告,如果登录数据成功,我将收到包含访问令牌的响应 - 这部分进行得很顺利,一切正常.
现在我想创建后端 Web Api.我创建了 ASP NET Core Web 应用程序,它允许我选择身份验证方法.我选择了 Azure AD 身份验证,因此模板为我生成了所有必需的数据.代码中的相关部分在这里:
我更新了所有必需的配置属性以匹配我的 azure 设置.在这一点上,我希望能够使用我在移动应用程序上收到的访问令牌调用 API.我在本地运行移动应用程序,登录,接收访问令牌,复制它并尝试使用邮递员(带有授权标头Bearer ...")调用我的 web api(托管在 IIS express 中).不幸的是,运气不佳 - 我收到了带有以下标题的 401:
<块引用>Bearer error="invalid_token", error_description="签名密钥是未找到"
我认为令牌足以授权 API - 我理解这是 OAuth 的重点.我错过了什么吗?我应该有一些额外的配置吗?我注意到配置缺少登录策略(这似乎是 AD B2C 名称所必需的,所以我尝试添加:
var validationParameters = new TokenValidationParameters{AuthenticationType = "MY_POLICY",};app.UseJwtBearerAuthentication(new JwtBearerOptions{权限 = 配置[身份验证:AzureAd:AADInstance"] + 配置[身份验证:AzureAd:TenantId"],受众 = 配置[身份验证:AzureAd:受众"],TokenValidationParameters = 验证参数});但这也不起作用.将不胜感激任何帮助.
编辑
我在 Visual Studio 日志中发现以下错误:
<块引用>承载未通过身份验证.失败消息:IDX10501:签名验证失败.无法匹配孩子":..."
@juunas 评论帮助我找到问题.我用 fiddler 检查了传出的请求,我发现用这段代码:
<块引用>Authority = Configuration["Authentication:AzureAd:AADInstance"] + 配置["Authentication:AzureAd:TenantId"]
请求被发送到以下地址:
<块引用>https://login.microsoftonline.com/MYTENANTID/.well-已知/openid-配置
上面有两个问题:
- 它没有使用 v2 端点.B2C 的正确链接应始终使用 v2,因此它看起来像:
<块引用>
https://login.microsoftonline.com/MYTENANTID/v2.0/.well-known/openid-configuration
- 它没有向链接添加登录策略(即使我在令牌选项中设置了它)
我设法通过删除Authority"参数并将配置身份验证功能更改为以下内容来使其工作:
app.UseJwtBearerAuthentication(new JwtBearerOptions{MetadataAddress = string.Format("https://login.microsoftonline.com/{0}/v2.0/.well-known/openid-configuration?p={1}",配置["Authentication:AzureAd:TenantId"], "MYPOLICY"),AuthenticationScheme = "MYPOLICY",受众 = 配置[身份验证:AzureAD:ClientId"],});I'm having hard times trying to use Azure AD B2C to authenticate My Web API. I'll start with some background
I created mobile application which is using Azure AD B2C to authenticate users. I'm creating a WebView which display this url:
User is asked to login to azure ad, if the login data is successfull i'm receiving a response containing the access token - this part went smooth, everything works properly.
Now i want to create backend Web Api. I created ASP NET Core Web application which allows me to choose authentication method. I choose the Azure AD authentication so the template generated all required data for me. The relevant part in the code is here:
I updated all required config properties to match my azure settings. At this point i would expect to be able to call the API using access token i received on the mobile app. I run mobile app locally, signed in, received access token, copied it and tried to call my web api(hosted in IIS express) using postman ( with authorization header "Bearer ..." ). Unfortunately with no luck - i'm receiving 401 with following header:
Bearer error="invalid_token", error_description="The signature key was not found"
I thought token is enough to Authorize the API - i understand this is a whole point of OAuth. Am i missing something ? Should i have some additional config ? I Noticed the config is missing the sign in policy ( which seems to be required by AD B2C name so i tried adding that:
var validationParameters = new TokenValidationParameters
{
AuthenticationType = "MY_POLICY",
};
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
Authority = Configuration["Authentication:AzureAd:AADInstance"] + Configuration["Authentication:AzureAd:TenantId"],
Audience = Configuration["Authentication:AzureAd:Audience"],
TokenValidationParameters = validationParameters
});
But this didn't work too. Will appreciate any help.
EDIT
I found following error in Visual Studio logs:
Bearer was not authenticated. Failure message: IDX10501: Signature validation failed. Unable to match 'kid': '...'
@juunas comment help me to find the issue. I inspected outgoing requests with fiddler and i found that with this piece of code:
Authority = Configuration["Authentication:AzureAd:AADInstance"] + Configuration["Authentication:AzureAd:TenantId"]
The request was being send to following address:
https://login.microsoftonline.com/MYTENANTID/.well-known/openid-configuration
There are two issues with above:
- It's not using v2 endpoint. Proper link for B2C should always use v2 so it would look like:
https://login.microsoftonline.com/MYTENANTID/v2.0/.well-known/openid-configuration
- It was not adding sign in policy to the link ( even if i set it in token options )
I managed to make it work with removing "Authority" parameter and changing the configure auth function to following:
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
MetadataAddress = string.Format("https://login.microsoftonline.com/{0}/v2.0/.well-known/openid-configuration?p={1}",
Configuration["Authentication:AzureAd:TenantId"], "MYPOLICY"),
AuthenticationScheme = "MYPOLICY",
Audience = Configuration["Authentication:AzureAD:ClientId"],
});
这篇关于Azure AD B2C 错误 - IDX10501:签名验证失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
