持有者令牌:签名无效 - 发布到 Azure 的默认 ASP.NET Core 2.1 Web Api 模板 [英] Bearer token: The signature is invalid - Default ASP.NET Core 2.1 Web Api template published to Azure

问题描述

我在 VS Community 2019(最新更新)中使用 WebApi .NET Core 2.1 的模板创建了一个项目，并将其发布在 Azure 上.我只在门户的应用注册中添加了一个客户端密码，用于使用授权代码流进行调用.

I created a project in VS Community 2019 (latest update) with a template for WebApi .NET Core 2.1 and published it on Azure. I only added a client secret in the app registration in the portal to use for the call using the authorization code flow.

我试图在以下网址使用具有 OAuth 2.0 授权的 Postman 进行 GET 调用:https://webapi3app.azurewebsites.net/api/values

I was trying to make a GET call using Postman with OAuth 2.0 authorization at the url below: https://webapi3app.azurewebsites.net/api/values

但我收到了未经授权的响应，错误标头如下:WWW-Authenticate:"Bearer error="invalid_token", error_description="签名无效""

But I get an unauthorized response with the error header below: WWW-Authenticate:"Bearer error="invalid_token", error_description="The signature is invalid""

我尝试将客户端密码解码为 BASE64 字符串，但在回复中它说它是无效的客户端密码.
我尝试将授权数据更改为:
- 请求网址.
- 请求标头.
我尝试了几种授权类型:
- 授权码.
- 隐式.
- 密码凭证(将应用更改为公共客户端后).
我尝试了几个范围:
- 默认 Microsoft 范围网址(https://graph.microsoft.com/.default).
- user.read openid 配置文件offline_access.
- https://aldolekalive.onmicrosoft.com/WebApi3/user_impersonation.
- 个人资料 openid 电子邮件 https://graph.microsoft.com/Directory.Read.All https://graph.microsoft.com/User.Read
我尝试将客户端身份验证设置为:
- 作为基本身份验证标头发送.
- 在正文中发送客户端凭据.
我尝试将 Authorize 属性更改为仅基于 AzureADBearer 或仅 AzureADJwtBearer 进行授权(因为显然默认情况下它们都使用当前配置启用)但没有运气.
等等.

I tried decoding the client secret to BASE64 string but in the repsonse it says that it's an invalid client secret.
I tried changing authorization data to:
- Request URL.
- Request Headers.
I tried several grant types:
- Authorization code.
- Implicit.
- Password Credentials (after changing app to public client).
I tried several scopes:
- Default Microsoft scopes url (https://graph.microsoft.com/.default).
- user.read openid profile offline_access.
- https://aldolekalive.onmicrosoft.com/WebApi3/user_impersonation.
- profile openid email https://graph.microsoft.com/Directory.Read.All https://graph.microsoft.com/User.Read
I tried setting client authentication to:
- Send as basic auth header.
- Send client credentials in body.
I tried changing the Authorize attribute to authorize based on only AzureADBearer or only AzureADJwtBearer (because apparently by default they are both enabled with the current configuration) but no luck.
etc.

using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        // This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme)
                .AddAzureADBearer(options => Configuration.Bind("AzureAd", options));
            services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }
            else
            {
                app.UseHsts();
            }

            app.UseHttpsRedirection();
            app.UseAuthentication();
            app.UseMvc();
        }
    }

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using System.Collections.Generic;

[Authorize]
    [Route("api/[controller]")]
    [ApiController]
    public class ValuesController : ControllerBase
    {
        // GET api/values
        [HttpGet]
        public ActionResult<IEnumerable<string>> Get()
        {
            return new string[] { "value1", "value2" };
        }
    }

我希望得到正文的回应:
"值1，值2"

I expect to get a response with the body:
"value1, value2"

推荐答案

据我了解，您的 webapi 受 Azure AD 保护，现在您要调用该 api.要调用 api，您需要提供访问令牌.

Per my understanding, your webapi is protected by Azure AD and now you want to call the api. To call the api you need to provide an access token.

为此，您需要在 Azure AD 中注册两个应用程序.一个用于客户端App，另一个用于webapi.你可以参考我的回答这里.

To do this, you need to register two applications in Azure AD. One is for client App, the other one is for webapi. You can refer to my answer here.

这里是 完整示例.如果您现在没有客户端应用程序，您可以在 Azure 门户中注册一个客户端应用程序，然后使用此客户端应用程序获取您的 webapi 的访问令牌.

And here is the complete sample. If you don't have an client application now, you can just register an client app in Azure portal, then use this client app to get an access token for your webapi.

我尝试了几个范围:

如果您使用的是 v2.0 端点，则范围应为 api://{server_client_id}/.default.

If you are using v2.0 endpoint, the scope should be api://{server_client_id}/.default.

这篇关于持有者令牌:签名无效 - 发布到 Azure 的默认 ASP.NET Core 2.1 Web Api 模板的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！