AzureAD JWT Token Audience claim prefix makes JWT Token invalid


Problem description

I'm using the 'adal-node' npm package to authenticate with an AzureAD. This is all working fine and I get a token back.

However, when examining the 'aud' claim in the JWT token I see the audience GUID is prefixed with 'spn:'. I think this is causing me problems when I try to use the JWT token on an already existing Web API. When I authenticate via a WebApp using the same AzureAD, the 'aud' claim is NOT prefixed with 'spn:' and I am able to call endpoints on the WebAPI.

Can anyone shed any light on this? This is the last hurdle to get over after a lot of head banging getting this working.

Update:

Using the npm package 'azure-ad-jwt' to validate the JWT token with AzureAD as soon as I receive it gives me the error which I suspected is the problem: 'JWT audience is invalid'. It is expecting the 'aud' claim not to have the 'spn:' prefix. Where is this spn prefix coming from?

Here's my app.js:

var adal = require('adal-node');

var activeDirectoryEndpointUrl = 'https://login.microsoftonline.com/';

var options = {
    domain: '<AzureAD GUID>',
    activeDirectoryResourceId: '<AzureAD App Client ID 1>',
    clientId: '<AzureAD App Client ID 2>'
};

var tokenCache = new adal.MemoryCache();
var authorityUrl = activeDirectoryEndpointUrl + options.domain;
var context = new adal.AuthenticationContext(authorityUrl, true, tokenCache);

context.acquireUserCode(options.activeDirectoryResourceId, options.clientId, 'en-us', function (err, userCodeResponse) {
    if (err) {
        console.error(err);
        return;
    }

    console.log('Use a web browser to open the page ' + userCodeResponse.verificationUrl + ' and enter the code ' + userCodeResponse.userCode + ' to sign in.');

    context.acquireTokenWithDeviceCode(options.activeDirectoryResourceId, options.clientId, userCodeResponse, function (err, tokenResponse) {
        if (err) {
            console.error(err);
            return;
        }

        console.log(tokenResponse);
    });
});

Decoded JWT Token:

{
    "typ":"JWT",
    "alg":"RS256",
    "x5t":"XXXXXXX",
    "kid":"XXXXXXX"
}
{
    "aud":"spn:XXXXXXX",    // <<< Offending claim
    "iss":"https://sts.windows.net/XXXXXXX/",
    "iat":1471355868,
    "nbf":1471355868,
    "exp":1471359768,
    "acr":"1",
    "amr":["pwd"],
    "appid":"XXXXXXX",
    "appidacr":"0",
    "e_exp":7200,
    "family_name":"XX",
    "given_name":"XX",
    "ipaddr":"XX.XX.XX.XX",
    "name":"XX XX",
    "oid":"XXXXXXX",
    "scp":"user_impersonation",
    "sub":"XXXXXXX",
    "tid":"XXXXXXX",
    "unique_name":"XXX@XXX.onmicrosoft.com",
    "upn":"XXX@XXX.onmicrosoft.com",
    "ver":"1.0"
}

Recommended answer

Appears to be documented "by design"¹ for Azure AD.

In Azure AD's SAML 2.0 Single Sign-On SAML protocol documentation describing the response fields, they describe the audience response value. Note the text at the bottom:

Audience

This contains a URI that identifies an intended audience. Azure AD sets the value of this element to the value of the Issuer element of the AuthnRequest that initiated the sign-on. To evaluate the Audience value, use the value of the App ID URI that was specified during application registration.

Like the Issuer value, the Audience value must exactly match one of the service principal names that represents the cloud service in Azure AD. However, if the value of the Issuer element is not a URI value, the Audience value in the response is the Issuer value prefixed with spn:.

So for better or worse, the answer for Azure AD SAML 2.0 seems to be either:

  1. Change your Issuer Entity ID to be a URI
  2. Change your implementation to strip the spn: from the start of the audience response value.


¹ The SAML 2.0 Core spec specifies the <Issuer> element not as a URI, but as a complex type NameIDType, a string with no format requirements by default. So we can feel annoyed that Azure AD is not happy with a non-URI string. Having said that, every example Issuer in the spec is a URI, so maybe our annoyed self-justification has its limits.
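Option 2 above, applied to the JWT 'aud' claim, as an added example that is not part of the original answer or of adal-node/azure-ad-jwt: instead of stripping whatever prefix a token happens to carry, the API accepts its own registered identifier in both the bare and the 'spn:'-prefixed spelling, so tokens from the device-code flow and from the WebApp flow both pass while any other audience is rejected. The app ID and the payloads are constructed placeholders.

```javascript
'use strict';

// Added example; not code from the question, the answer, or adal-node/azure-ad-jwt.
const SPN_PREFIX = 'spn:';

// Azure AD emits 'aud' as the bare identifier when the Issuer/App ID URI is a URI
// and as "spn:<id>" otherwise. Build the allow-list from the identifiers the API
// registered, in both spellings, rather than normalising the untrusted token value.
function acceptedAudiences(registeredAppIds) {
  const accepted = new Set();
  for (const id of registeredAppIds) {
    const bare = id.startsWith(SPN_PREFIX) ? id.slice(SPN_PREFIX.length) : id;
    accepted.add(bare);
    accepted.add(SPN_PREFIX + bare);
  }
  return accepted;
}

// RFC 7519 allows 'aud' to be a single string or an array of strings.
// Returns the matching accepted audience, or null when nothing matches;
// a missing or ill-typed claim is a mismatch, never a pass.
function matchAudience(payload, accepted) {
  const aud = payload ? payload.aud : undefined;
  const candidates = Array.isArray(aud) ? aud : typeof aud === 'string' ? [aud] : [];
  for (const value of candidates) {
    if (typeof value === 'string' && accepted.has(value)) return value;
  }
  return null;
}

// Constructed placeholder for the API's App ID / client ID (the '<AzureAD App Client ID 1>'
// slot in the question); not a real identifier.
const API_APP_ID = '11111111-2222-3333-4444-555555555555';
const ACCEPTED = acceptedAudiences([API_APP_ID]);

// Constructed decoded payloads mirroring the two flows in the question. Only the
// audience check is shown here; signature, 'iss', 'exp' and 'nbf' are still
// verified by the JWT library before any claim is trusted.
const deviceCodeToken = { aud: 'spn:' + API_APP_ID, scp: 'user_impersonation', ver: '1.0' };
const webAppToken = { aud: API_APP_ID, ver: '1.0' };
const otherApiToken = { aud: 'spn:99999999-8888-7777-6666-555555555555', ver: '1.0' };

function demo() {
  return {
    deviceCode: matchAudience(deviceCodeToken, ACCEPTED), // 'spn:<API_APP_ID>'
    webApp: matchAudience(webAppToken, ACCEPTED),         // '<API_APP_ID>'
    otherApi: matchAudience(otherApiToken, ACCEPTED),     // null: reject
  };
}

console.log(demo());
```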
