Issuer in access token from Azure Active Directory is https://sts.windows.net when I'm expecting https://login.microsoftonline.com


Problem description

I'm trying to validate an access token obtained from Azure Active Directory.

I obtained the token from https://login.microsoftonline.com/{{my tenant guid}}/v2.0

The issuer in the token that comes back is https://sts.windows.net//{{my tenant guid}}/ which doesn't match.

If I check the config at .well-known/openid-configuration, the issuer is as expected: https://login.microsoftonline.com/....

I've found a similar issue reported on GitHub here: https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/560

The outcome from this is to manually edit the manifest JSON in the application registration in AAD and set "accessTokenAcceptedVersion": 2

I've done this but it has made no difference.

I've also seen similar questions here on Stack Overflow, but these are related to a difference in the tenancy GUID - that is not the case here.

Recommended answer

So it seems that changing the acceptedTokenVersion to 2 in the manifest did change, but it just took time to take effect.

And yes, the audience is always the client id based on my tests in v2 tokens.
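A diagnostic for the mismatch discussed in this thread, added here as an example and not part of the original question or answer: it decodes a token's claims and checks `ver`, `iss` and `aud` against the issuer format Azure AD uses for that token version. The tenant and client IDs, the sample tokens and the function names are constructed for illustration; the payload is decoded without signature verification, so this is for troubleshooting only and does not replace validating the token against the tenant's signing keys.

```python
import base64
import json

# Issuer formats Azure AD uses for each access-token version.
ISSUER_BY_VERSION = {
    "1.0": "https://sts.windows.net/{tid}/",
    "2.0": "https://login.microsoftonline.com/{tid}/v2.0",
}

def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(token: str, tenant_id: str, client_id: str, want_ver: str = "2.0") -> list:
    """Return a list of findings; an empty list means the claims match expectations."""
    claims = decode_claims(token)
    findings = []
    ver = claims.get("ver")
    if ver not in ISSUER_BY_VERSION:
        return [f"unknown token version {ver!r}"]
    if ver != want_ver:
        findings.append(f"token is v{ver}, expected v{want_ver}: check accessTokenAcceptedVersion "
                        "in the app registration manifest (the change can take time to apply)")
    expected_iss = ISSUER_BY_VERSION[ver].format(tid=tenant_id)
    if claims.get("iss") != expected_iss:
        findings.append(f"issuer {claims.get('iss')!r} does not match {expected_iss!r} for this tenant")
    if ver == "2.0" and claims.get("aud") != client_id:
        findings.append(f"audience {claims.get('aud')!r} is not the client id")
    return findings

def make_token(claims: dict) -> str:
    """Build an unsigned, constructed sample token for the demo below."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"typ": "JWT"}) + "." + enc(claims) + ".sig"

TENANT = "11111111-1111-1111-1111-111111111111"   # constructed sample value
CLIENT = "22222222-2222-2222-2222-222222222222"   # constructed sample value
V1 = make_token({"ver": "1.0", "iss": f"https://sts.windows.net/{TENANT}/", "aud": "api://sample"})
V2 = make_token({"ver": "2.0", "iss": f"https://login.microsoftonline.com/{TENANT}/v2.0", "aud": CLIENT})

if __name__ == "__main__":
    for name, tok in (("v1", V1), ("v2", V2)):
        print(name, diagnose(tok, TENANT, CLIENT) or "OK")
```

A v1 token whose issuer is correct for the tenant still produces a finding here, which matches the situation in the question: the issuer is valid, but it is the v1 form rather than the v2 form the validator was configured for.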
