无法从Azure的AD得到承载令牌API应用程序使用 [英] Unable to get bearer token from Azure AD to use with API App
问题描述
我有一个需要访问私有API应用程序中的Azure是与Azure的AD认证保护的MVC应用程序。所以,我需要得到的Azure AD承载的道理,它转移到谟 - 验证
标记并使用它来访问API的应用程序。
我要通过<一个href=\"https://azure.microsoft.com/en-us/documentation/articles/app-service-api-authentication-client-flow/\"相对=nofollow>本教程并一切正常,直到点,当我需要请求 authContext
。这里是一个code的片段:
VAR authContext =新AuthenticationContext(
https://login.microsoftonline.com/MyADDomain.onmicrosoft.com);ClientCredential证书=新ClientCredential(
04472E33-2638-FAKE-GUID-F826AF4928DB
OMYAPIKEY1x3BLAHEMMEHEHEHEHEeYSOMETHINGRc =);//获取AAD令牌。
VAR appIdUri =
https://MyAppGateway-814485545465FAKE4d5a4532cd.azurewebsites.net/login/aad;// VAR appIdUri =https://MyADDomain.onmicrosoft.com/MyAppName;
// VAR appIdUri =https://MyADDomain.onmicrosoft.com/;
// VAR appIdUri =https://graph.windows.net;AuthenticationResult结果=
authContext.AcquireToken(appIdUri,证书); //&LT; - 无法从AD令牌从这里下坡//
VAR aadToken =新JObject();
aadToken [ACCESS_TOKEN] = result.AccessToken;
VAR appServiceClient =新AppServiceClient(
https://MyAppGateway-814485545465FAKE4d5a4532cd.azurewebsites.net/);//发送AAD令牌到网关,并获得谟令牌
VAR appServiceUser =等待appServiceClient.LoginAsync(反倾销协定,aadToken);
与行authContext.AcquireToken(appIdUri,证书)
是一个作祟。
如果为 appIdUri
我给 https://MyAppGateway-814485545465FAKE4d5a4532cd.azurewebsites.net/login/aad
,我得到异常:
400:AdalServiceException:AADSTS50001:资源' https://MyAppGateway-814485545465FAKE4d5a4532cd.azurewebsites.net/登录/ AAD '未注册的账号。
块引用>但这个确切的行是列表
在AD应用回应网址
当我尝试使用
https://MyADDomain.onmicrosoft.com/MyAppName
或https://MyADDomain.onmicrosoft.com/
为appIdUri
我得到一个不同的异常消息:
400:AdalServiceException:AADSTS50105:申请书'04472E33-2638-FAKE-GUID-F826AF4928DB'未分配给该应用程序的 https://MyADDomain.onmicrosoft.com/MyAppName
块引用>或者
400:AdalServiceException:AADSTS50105:应用程序04472E33-2638-FAKE-GUID-F826AF4928DB'未分配给应用程序一个角色的 https://MyADDomain.onmicrosoft.com/
块引用>在这两种情况下,我有
应用程序ID URI
中设置的AD应用的 https://MyADDomain.onmicrosoft.com/MyAppName 或 https://开头MyADDomain .onmicrosoft.com / 。而无论是在的列表中的名称回复网址
。最后,足够的尝试我已经把
https://graph.windows.net
为appIdUri
并得到了后承载令牌回来。但是令牌与过去(在过去约1分钟)有效期给出。所以我不能做任何进一步的与此有关。并得到了401-未认证
时尝试使用令牌登录到API的应用程序。我是什么失踪?
解决方案我已经取得了进展,跟着你提到的那个教程:<一href=\"https://azure.microsoft.com/en-us/documentation/articles/app-service-api-authentication-client-flow/#create-and-secure-an-api-app-using-aad\"相对=nofollow>通话从Azure中的Active Directory 验证的Web应用程序客户端的API的Azure应用程序
- 创建一个返回的Azure API API联络数据
- 部署API应用天青应用服务。
- 使用Azure的Active Directory的固定API的应用程序。
然后,我能够检索令牌,你可以从下面的演示中看到,我的code是没有你的code不同,不同之处在于它使用<$ C $更高版本C>使用Microsoft.IdentityModel.Clients.ActiveDirectory 库,使用
异步
。从AAD获得访问令牌
类节目
{
静态无效的主要(字串[] args)
{
VAR authContext =新AuthenticationContext(Constants.AUTHORITY);
VAR凭证=
新ClientCredential(Constants.CLIENT_ID,Constants.CLIENT_SECRET);
VAR的结果=(AuthenticationResult)authContext
.AcquireTokenAsync(Constants.API_ID_URL,证书)
。结果;
VAR令牌= result.AccessToken;
Console.WriteLine(token.ToString());
到Console.ReadLine();
}
}常量
授权
。这样做的第一段是 https://login.microsoftonline.com 。最后一个环节是一个允许租户。我们设置允许租户在portal.azure.com,去网关为我们的应用程序,并选择设置>标识> Azure的活动目录>允许租户。我的租客是bigfontoutlook.onmicrosoft.com。
CLIENT_ID
。我们检索我们添加到Azure Active Directory中应用此客户端ID。在manage.windowsazure.com>活动目录>您的目录>应用程序>应用程序>配置找到。一旦我们获取它,我们必须在客户端ID字段将其添加到我们的网关的Azure Active Directory设置。
CLIENT_SECRET
。我们建立/,我们获得我们客户端ID相同的位置检索此。
API_ID_URL
。我们通过选择设置>标识> Azure的活动目录>应用网址检索该网关刀片我们的Web API应用程序中。下面是为我工作的人。
类常量
{
公共常量字符串AUTHORITY =
https://login.microsoftonline.com/bigfontoutlook.onmicrosoft.com/; 公共常量字符串CLIENT_ID =
0d7dce06-c3e3-441f-89a7-f828e210ff6d 公共常量字符串CLIENT_SECRET =
AtRMr + Rijrgod4b9Q34i / UILldyJ2VO6n2jswkcVNDs =; 公共常量字符串API_ID_URL =
https://mvp201514929cfaaf694.azurewebsites.net/login/aad;
}决赛德codeD智威汤逊
这是什么去codeD智威汤逊访问令牌包含。
{
典型:智威汤逊
ALG:RS256,
x5t:MnC_VZcATfM5pOYiJHMba9goEKY
孩子:MnC_VZcATfM5pOYiJHMba9goEKY
}。
{
澳元:https://mvp201514929cfc350148cfa5c9b24a7daaf694.azurewebsites.net/login/aad
ISS:https://sts.windows.net/0252f597-5d7e-4722-bafa-0b26f37dc14f/
IAT:1442346927,
NBF:1442346927,
EXP:1442350827,
版本:1.0,
TID:0252f597-5d7e-4722-BAFA-0b26f37dc14f
OID:5a6f33eb-b622-4996-8a6a-600dce355389
子:5a6f33eb-b622-4996-8a6a-600dce355389
IDP:https://sts.windows.net/0252f597-5d7e-4722-bafa-0b26f37dc14f/
APPID:0d7dce06-c3e3-441f-89a7-f828e210ff6d
appidacr:1
}。请注意:这是在暴殄天物资源组暴殄天物Active Directory帐户暴殄天物的应用程序,所以显示我的安全证书是一个非问题。
图只是要确定:)
I have an MVC application that needs to access private API App in Azure that is protected with Azure AD authentication. So I need to get Azure AD bearer token, transfer it into
Zumo-Auth
token and use it to access the API App.I'm going through this tutorial and everything is working fine until the point when I need to request the token from
authContext
. Here is the snippet of a code:var authContext = new AuthenticationContext( "https://login.microsoftonline.com/MyADDomain.onmicrosoft.com"); ClientCredential credential = new ClientCredential( "04472E33-2638-FAKE-GUID-F826AF4928DB", "OMYAPIKEY1x3BLAHEMMEHEHEHEHEeYSOMETHINGRc="); // Get the AAD token. var appIdUri = "https://MyAppGateway-814485545465FAKE4d5a4532cd.azurewebsites.net/login/aad"; //var appIdUri = "https://MyADDomain.onmicrosoft.com/MyAppName"; //var appIdUri = "https://MyADDomain.onmicrosoft.com/"; //var appIdUri = "https://graph.windows.net"; AuthenticationResult result = authContext.AcquireToken(appIdUri, credential); // <-- can't get the token from AD // downhill from here var aadToken = new JObject(); aadToken["access_token"] = result.AccessToken; var appServiceClient = new AppServiceClient( "https://MyAppGateway-814485545465FAKE4d5a4532cd.azurewebsites.net/"); // Send the AAD token to the gateway and get a Zumo token var appServiceUser = await appServiceClient.LoginAsync("aad", aadToken);
The line with
authContext.AcquireToken(appIdUri, credential)
is the one causing trouble.If as
appIdUri
I givehttps://MyAppGateway-814485545465FAKE4d5a4532cd.azurewebsites.net/login/aad
, I get exception:400: AdalServiceException: AADSTS50001: Resource 'https://MyAppGateway-814485545465FAKE4d5a4532cd.azurewebsites.net/login/aad' is not registered for the account.
But this exact line is in the list of
Reply Url
in the AD ApplicationWhen I try to use
https://MyADDomain.onmicrosoft.com/MyAppName
orhttps://MyADDomain.onmicrosoft.com/
asappIdUri
I get a different exception message:400: AdalServiceException: AADSTS50105: Application '04472E33-2638-FAKE-GUID-F826AF4928DB' is not assigned to a role for the application 'https://MyADDomain.onmicrosoft.com/MyAppName'
Or
400: AdalServiceException: AADSTS50105: Application '04472E33-2638-FAKE-GUID-F826AF4928DB' is not assigned to a role for the application 'https://MyADDomain.onmicrosoft.com/'
In both cases I had the
App ID URI
in the AD Application set to 'https://MyADDomain.onmicrosoft.com/MyAppName' or 'https://MyADDomain.onmicrosoft.com/'. And both of the names in the list ofReply URL
.Eventually after enough tries I have put
https://graph.windows.net
asappIdUri
and got the bearer token back. But the token was given with expiry date in the past (about 1 minute in the past). So I could not do anything further with this. And got401-Unauthenticated
when tried to use the token to login into API App.What am I missing?
解决方案I have gone ahead and followed the tutorial to which you referred: Call an Azure API app from a web app client authenticated by Azure Active Directory
- Create an Azure API Api that returns contact data
- Deploy the API App to Azure App Service.
- Secure the API App using Azure Active Directory.
Then I was able to retrieve the token, and as you can see from the following demo, my code is no different than your code, except that it using a later version of the
using Microsoft.IdentityModel.Clients.ActiveDirectory
libraries that useAsync
.Get access token from AAD
class Program { static void Main(string[] args) { var authContext = new AuthenticationContext(Constants.AUTHORITY); var credential = new ClientCredential(Constants.CLIENT_ID, Constants.CLIENT_SECRET); var result = (AuthenticationResult)authContext .AcquireTokenAsync(Constants.API_ID_URL, credential) .Result; var token = result.AccessToken; Console.WriteLine(token.ToString()); Console.ReadLine(); } }
Constants
AUTHORITY
. The first segment of this is https://login.microsoftonline.com. The final segment is an allowed tenant. We set the allowed tenant at portal.azure.com, going to the Gateway for our application, and choosing Settings > Identity > Azure Active Directory > Allowed Tenants. My tenant is bigfontoutlook.onmicrosoft.com.
CLIENT_ID
. We retrieve this client id from the application that we added to Azure Active Directory. Find this at manage.windowsazure.com > Active Directory > Your Directory > APPLICATIONS > Your Application > CONFIGURE. Once we have retrieved it, we must add it to our Gateway's Azure Active Directory settings in the Client ID field.
CLIENT_SECRET
. We create/retrieve this in the same location that we retrieve our client id.
API_ID_URL
. We retrieve this within the Gateway blade for our Web API App by choosing Settings > Identity > Azure Active Directory > App URL.Here are the ones that work for me.
class Constants { public const string AUTHORITY = "https://login.microsoftonline.com/bigfontoutlook.onmicrosoft.com/"; public const string CLIENT_ID = "0d7dce06-c3e3-441f-89a7-f828e210ff6d"; public const string CLIENT_SECRET = "AtRMr+Rijrgod4b9Q34i/UILldyJ2VO6n2jswkcVNDs="; public const string API_ID_URL = "https://mvp201514929cfaaf694.azurewebsites.net/login/aad"; }
Final decoded JWT
This is what the decoded JWT access token contains.
{ typ: "JWT", alg: "RS256", x5t: "MnC_VZcATfM5pOYiJHMba9goEKY", kid: "MnC_VZcATfM5pOYiJHMba9goEKY" }. { aud: "https://mvp201514929cfc350148cfa5c9b24a7daaf694.azurewebsites.net/login/aad", iss: "https://sts.windows.net/0252f597-5d7e-4722-bafa-0b26f37dc14f/", iat: 1442346927, nbf: 1442346927, exp: 1442350827, ver: "1.0", tid: "0252f597-5d7e-4722-bafa-0b26f37dc14f", oid: "5a6f33eb-b622-4996-8a6a-600dce355389", sub: "5a6f33eb-b622-4996-8a6a-600dce355389", idp: "https://sts.windows.net/0252f597-5d7e-4722-bafa-0b26f37dc14f/", appid: "0d7dce06-c3e3-441f-89a7-f828e210ff6d", appidacr: "1" }.
Note: It's a throwaway app in a throwaway active directory account with a throwaway resource group, so showing my security credentials is a non-issue.
Diagram just to be sure :)
这篇关于无法从Azure的AD得到承载令牌API应用程序使用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!