AADSTS50013: Assertion failed signature validation. [Reason - The key was not found., Thumbprint of key used by client: 'xxxx'


Problem description


I have three applications participating in the AzureAD OBO flow:

  1. Angular FrontEnd --> Registered with AzureAD as OIDC app

  2. ASP.NET Core Web API --> Registered with AzureAD as SAML app

  3. NAV OData Service --> Registered with AzureAD as SAML app

Here goes the complete flow:

  1. Angular frontend application signs a user into Azure AD and requests a delegated access token for Web API 1 (ASP.NET Core Web API)

  2. Client application then calls Web API 1 with the issued access token

  3. Web API 1 in turn needs to call a downstream Web API 2 (NAV OData Services), so it uses its access token (from step 2 above) to request an access token for Web API 2. What happens in this step is that Web API 1 uses the OBO flow to exchange its access token for another resource's access token. The exchanged token is still issued on behalf of the original signed-in user and it has delegated permission.

  4. Web API 1 uses the new access token to call Web API 2

In the above flow I am getting an error in Step 3.

Error details:

 One or more errors occurred. (AADSTS50013: Assertion failed signature validation. [Reason - The key was not found., Thumbprint of key used by client: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx']
    Trace ID: afc20e5e-ebea-4546-af4b-820f48083e01
    Correlation ID: b5d8d7b5-52d1-430d-af81-d34918970831
    Timestamp: 2021-05-03 11:35:25Z)

Can anyone help me here by providing their guidance to fix this issue?

In this case the Angular front end is using the implicit flow.

https://login.microsoftonline.com/<TenantId>/oauth2/v2.0/authorize?response_type=token&scope=api://xxxx--<WEB API 1>.default%20openid%20profile&client_id=<Application (client) ID>&redirect_uri=<ApplicationURL>&state=xxxx&nonce=yyyy&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=msal&login_hint=mytestaccount@mydomain.com&client-request-id=yyyyyy&prompt=none&response_mode=fragment

Here goes the id_token received:

{
  "aud": "<Application (client) ID>",
  "iss": "https://login.microsoftonline.com/<tenantid>/v2.0",
  "iat": 1620380572,
  "nbf": 1620380572,
  "exp": 1620384472,
  "aio": "AWQAm/8TAAAAIVowa1CNNUEB/tB/OcgatUBo9SzDJch09USynyiE+S+be6xkV9TczjRol4Td0czWrdsrzoqDBHUQxbAcnPT90InTNwLfYeHon5Vvk6eFsn2omrgpYlCj90QIXtIoduhd",
  "email": "mytestaccount@mydomain.com",
  "name": "mytestaccount, mytestaccount",
  "nonce": "078bca2a-35ef-457d-96d8-92db7ac3d106",
  "oid": "96035811-49f6-4246-923f-4edba4555e14",
  "preferred_username": "mytestaccount@mydomain.com",
  "rh": "0.ASYA8UXaNizdH02vE1q-RrmZIYsBYTzBse5Co7kY9CZdWDcmALA.",
  "sub": "BAc2RwnOjKjv8vxtS0zOSQ0kgQ74zEvWJDmWnMoWdyM",
  "tid": "36da45f1-dd2c-4d1f-af13-5abe46b99921",
  "uti": "8r7u-zYcr0GSNUdl4STUAQ",
  "ver": "2.0"
}

Access token for accessing WEB API 1:

{
  "aud": "api://xxxx--<WEB API 1>",
  "iss": "https://sts.windows.net/36da45f1-dd2c-4d1f-af13-5abe46b99921/",
  "iat": 1620380574,
  "nbf": 1620380574,
  "exp": 1620384474,
  "acr": "1",
  "aio": "AVQAq/8TAAAAoi/awR8N8P1eapXNZfcGKhsy9uKyL6qv77raeIKYLOyZjXtsVKXMELCu+qZvKJtSaYm/nemvyUPc2OvJiPrvwpwrteqSU1iYM5C4xfPTxHo=",
  "amr": [
    "pwd",
    "rsa",
    "mfa"
  ],
  "appid": "<Application (client) ID>",
  "appidacr": "0",
  "deviceid": "b55e39a3-f492-4679-83e2-53fcd024beba",
  "email": "mytestaccount@mydomain.com",
  "family_name": "mytestaccount",
  "given_name": "mytestaccount",
  "ipaddr": "xx.xx.xx.xx",
  "name": "mytestaccount, mytestaccount",
  "oid": "96035811-49f6-4246-923f-4edba4555e14",
  "onprem_sid": "S-1-5-21-238447276-1040861923-1850952788-976396",
  "rh": "0.ASYA8UXaNizdH02vE1q-RrmZIYsBYTzBse5Co7kY9CZdWDcmALA.",
  "scp": "user_impersonation",
  "sub": "F5atxEe7z2ooojdNoFhaAG_Xs2SBnnkYKJ4yCCWT1HA",
  "tid": "36da45f1-dd2c-4d1f-af13-5abe46b99921",
  "unique_name": "mytestaccount@mydomain.com",
  "upn": "mytestaccount@mydomain.com",
  "uti": "ll2WpznLGEq23DrUk4eoAQ",
  "ver": "1.0"
}

Solution

I can get access tokens for api 1 and api 2. This is my test process:

First, I exposed the API of api 1 and added a client application.

Next, use the implicit flow to obtain the access token of the middle-tier api 1. Request the id token and access token in the browser.

https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/authorize?
client_id={client_id}
&response_type=id_token token
&redirect_uri={redirect_uri}
&scope=openid api://{api 1 client id}/user_impersonation
&response_mode=fragment
&state=12345
&nonce=678910

Parse the access token of api 1.

Next, expose the api of api 2 and add api 1 as a client application.

Finally, use the OBO flow to get the access token of api 2 (note: the assertion parameter is the access token of api 1).

Parse the access token of api 2.
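As an added example (not the answerer's code), here is the last step in Python: API 1 builds the on-behalf-of request against the v2.0 token endpoint, using its own inbound access token as the assertion, and first checks that the token really is an unexpired delegated access token issued for API 1 rather than an id_token or a token for some other audience. Tenant ID, client IDs, the secret and the app ID URIs are placeholders, and `demo_token` only builds unsigned tokens for offline testing.

```python
import base64
import json
import time

# Constructed placeholders for this example; not values from the post.
TENANT_ID = "<tenant id>"
API1_CLIENT_ID = "<api 1 client id>"
API1_CLIENT_SECRET = "<api 1 client secret>"
API1_APP_ID_URI = "api://<api 1 client id>"
API2_APP_ID_URI = "api://<api 2 client id>"
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"

def decode_jwt_payload(token: str) -> dict:
    """Base64url-decode a compact JWT payload (claims only; Azure AD verifies the signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (header.payload.signature)")
    pad = "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(parts[1] + pad))

def check_assertion(token: str, expected_aud: str, now=None) -> dict:
    """Reject tokens that cannot serve as the OBO assertion: wrong aud, no scp, or expired."""
    claims = decode_jwt_payload(token)
    now = int(time.time()) if now is None else now
    if claims.get("aud") != expected_aud:
        raise ValueError(f"aud {claims.get('aud')!r} != {expected_aud!r}")
    if "scp" not in claims:
        raise ValueError("no scp claim: not a delegated access token")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("assertion has expired")
    return claims

def build_obo_request(api1_token: str, expected_aud: str = API1_APP_ID_URI,
                      now=None) -> tuple[str, dict]:
    """Return the token endpoint and form fields for the on-behalf-of exchange."""
    check_assertion(api1_token, expected_aud, now)
    form = {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": API1_CLIENT_ID,
        "client_secret": API1_CLIENT_SECRET,
        "assertion": api1_token,  # the access token API 1 received from the front end
        "scope": f"{API2_APP_ID_URI}/.default",
        "requested_token_use": "on_behalf_of",
    }
    return TOKEN_ENDPOINT, form

def demo_token(claims: dict) -> str:
    """Build an unsigned compact JWT from claims, for offline testing only."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}.sig"
```

POST `form` to the returned endpoint as `application/x-www-form-urlencoded`; the response JSON carries the API 2 access token in `access_token`.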
