无法从Azure的AD得到承载令牌API应用程序使用 [英] Unable to get bearer token from Azure AD to use with API App

问题描述

我有一个需要访问私有API应用程序中的Azure是与Azure的AD认证保护的MVC应用程序。所以，我需要得到的Azure AD承载的道理，它转移到谟 - 验证标记并使用它来访问API的应用程序。

我要通过<一个href=\"https://azure.microsoft.com/en-us/documentation/articles/app-service-api-authentication-client-flow/\"相对=nofollow>本教程并一切正常，直到点，当我需要请求 authContext 。这里是一个code的片段：

  VAR authContext =新AuthenticationContext（
    https://login.microsoftonline.com/MyADDomain.onmicrosoft.com）;ClientCredential证书=新ClientCredential（
    04472E33-2638-FAKE-GUID-F826AF4928DB
    OMYAPIKEY1x3BLAHEMMEHEHEHEHEeYSOMETHINGRc =）;//获取AAD令牌。
VAR appIdUri =
    https://MyAppGateway-814485545465FAKE4d5a4532cd.azurewebsites.net/login/aad;// VAR appIdUri =htt​​ps://MyADDomain.onmicrosoft.com/MyAppName;
// VAR appIdUri =htt​​ps://MyADDomain.onmicrosoft.com/;
// VAR appIdUri =htt​​ps://graph.windows.net;AuthenticationResult结果=
    authContext.AcquireToken（appIdUri，证书）; //＆LT;  - 无法从AD令牌从这里下坡//
VAR aadToken =新JObject（）;
aadToken [ACCESS_TOKEN] = result.AccessToken;
VAR appServiceClient =新AppServiceClient（
    https://MyAppGateway-814485545465FAKE4d5a4532cd.azurewebsites.net/）;//发送AAD令牌到网关，并获得谟令牌
VAR appServiceUser =等待appServiceClient.LoginAsync（反倾销协定，aadToken）;
 

与行authContext.AcquireToken（appIdUri，证书）是一个作祟。

如果为 appIdUri 我给 https://MyAppGateway-814485545465FAKE4d5a4532cd.azurewebsites.net/login/aad ，我得到异常：

  

400：AdalServiceException：AADSTS50001：资源' https://MyAppGateway-814485545465FAKE4d5a4532cd.azurewebsites.net/登录/ AAD '未注册的账号。

但这个确切的行是列表在AD应用回应网址

当我尝试使用 https://MyADDomain.onmicrosoft.com/MyAppName 或 https://MyADDomain.onmicrosoft.com/ 为 appIdUri 我得到一个不同的异常消息：

  

400：AdalServiceException：AADSTS50105：申请书'04472E33-2638-FAKE-GUID-F826AF4928DB'未分配给该应用程序的 https://MyADDomain.onmicrosoft.com/MyAppName

或者

  

400：AdalServiceException：AADSTS50105：应用程序04472E33-2638-FAKE-GUID-F826AF4928DB'未分配给应用程序一个角色的 https://MyADDomain.onmicrosoft.com/

在这两种情况下，我有应用程序ID URI 中设置的AD应用的 https://MyADDomain.onmicrosoft.com/MyAppName 或 https：//开头MyADDomain .onmicrosoft.com / 。而无论是在的列表中的名称回复网址。

最后，足够的尝试我已经把 https://graph.windows.net 为 appIdUri 并得到了后承载令牌回来。但是令牌与过去（在过去约1分钟）有效期给​​出。所以我不能做任何进一步的与此有关。并得到了 401-未认证时尝试使用令牌登录到API的应用程序。

我是什么失踪？

解决方案

我已经取得了进展，跟着你提到的那个教程：<一href=\"https://azure.microsoft.com/en-us/documentation/articles/app-service-api-authentication-client-flow/#create-and-secure-an-api-app-using-aad\"相对=nofollow>通话从Azure中的Active Directory 验证的Web应用程序客户端的API的Azure应用程序

1. 创建一个返回的Azure API API联络数据


2. 部署API应用天青应用服务。


3. 使用Azure的Active Directory的固定API的应用程序。

然后，我能够检索令牌，你可以从下面的演示中看到，我的code是没有你的code不同，不同之处在于它使用<$ C $更高版本C>使用Microsoft.IdentityModel.Clients.ActiveDirectory 库，使用异步。

从AAD获得访问令牌

 类节目
{
    静态无效的主要（字串[] args）
    {
        VAR authContext =新AuthenticationContext（Constants.AUTHORITY）;
        VAR凭证=
            新ClientCredential（Constants.CLIENT_ID，Constants.CLIENT_SECRET）;
        VAR的结果=（AuthenticationResult）authContext
            .AcquireTokenAsync（Constants.API_ID_URL，证书）
            。结果;
        VAR令牌= result.AccessToken;
        Console.WriteLine（token.ToString（））;
        到Console.ReadLine（）;
    }
}
 

常量

授权。这样做的第一段是 https://login.microsoftonline.com 。最后一个环节是一个允许租户。我们设置允许租户在portal.azure.com，去网关为我们的应用程序，并选择设置>标识> Azure的活动目录>允许租户。我的租客是bigfontoutlook.onmicrosoft.com。

CLIENT_ID 。我们检索我们添加到Azure Active Directory中应用此客户端ID。在manage.windowsazure.com>活动目录>您的目录>应用程序>应用程序>配置找到。一旦我们获取它，我们必须在客户端ID字段将其添加到我们的网关的Azure Active Directory设置。

CLIENT_SECRET 。我们建立/，我们获得我们客户端ID相同的位置检索此。

API_ID_URL 。我们通过选择设置>标识> Azure的活动目录>应用网址检索该网关刀片我们的Web API应用程序中。

下面是为我工作的人。

 类常量
{
    公共常量字符串AUTHORITY =
     https://login.microsoftonline.com/bigfontoutlook.onmicrosoft.com/;    公共常量字符串CLIENT_ID =
      0d7dce06-c3e3-441f-89a7-f828e210ff6d    公共常量字符串CLIENT_SECRET =
      AtRMr + Rijrgod4b9Q34i / UILldyJ2VO6n2jswkcVNDs =;    公共常量字符串API_ID_URL =
      https://mvp201514929cfaaf694.azurewebsites.net/login/aad;
}
 

决赛德codeD智威汤逊

这是什么去codeD智威汤逊访问令牌包含。

  {
 典型：智威汤逊
 ALG：RS256，
 x5t：MnC_VZcATfM5pOYiJHMba9goEKY
 孩子：MnC_VZcATfM5pOYiJHMba9goEKY
}。
{
 澳元：https://mvp201514929cfc350148cfa5c9b24a7daaf694.azurewebsites.net/login/aad
 ISS：https://sts.windows.net/0252f597-5d7e-4722-bafa-0b26f37dc14f/
 IAT：1442346927，
 NBF：1442346927，
 EXP：1442350827，
 版本：1.0，
 TID：0252f597-5d7e-4722-BAFA-0b26f37dc14f
 OID：5a6f33eb-b622-4996-8a6a-600dce35538​​9
 子：5a6f33eb-b622-4996-8a6a-600dce35538​​9
 IDP：https://sts.windows.net/0252f597-5d7e-4722-bafa-0b26f37dc14f/
 APPID：0d7dce06-c3e3-441f-89a7-f828e210ff6d
 appidacr：1
}。
 

请注意：这是在暴殄天物资源组暴殄天物Active Directory帐户暴殄天物的应用程序，所以显示我的安全证书是一个非问题。

图只是要确定：）

I have an MVC application that needs to access private API App in Azure that is protected with Azure AD authentication. So I need to get Azure AD bearer token, transfer it into Zumo-Auth token and use it to access the API App.

I'm going through this tutorial and everything is working fine until the point when I need to request the token from authContext. Here is the snippet of a code:

var authContext = new AuthenticationContext(
    "https://login.microsoftonline.com/MyADDomain.onmicrosoft.com");

ClientCredential credential = new ClientCredential(
    "04472E33-2638-FAKE-GUID-F826AF4928DB", 
    "OMYAPIKEY1x3BLAHEMMEHEHEHEHEeYSOMETHINGRc=");

// Get the AAD token.
var appIdUri = 
    "https://MyAppGateway-814485545465FAKE4d5a4532cd.azurewebsites.net/login/aad";

//var appIdUri = "https://MyADDomain.onmicrosoft.com/MyAppName";
//var appIdUri = "https://MyADDomain.onmicrosoft.com/";
//var appIdUri = "https://graph.windows.net";

AuthenticationResult result = 
    authContext.AcquireToken(appIdUri, credential); // <-- can't get the token from AD

// downhill from here
var aadToken = new JObject();
aadToken["access_token"] = result.AccessToken;
var appServiceClient = new AppServiceClient(
    "https://MyAppGateway-814485545465FAKE4d5a4532cd.azurewebsites.net/");

// Send the AAD token to the gateway and get a Zumo token
var appServiceUser = await appServiceClient.LoginAsync("aad", aadToken);

The line with authContext.AcquireToken(appIdUri, credential) is the one causing trouble.

If as appIdUri I give https://MyAppGateway-814485545465FAKE4d5a4532cd.azurewebsites.net/login/aad, I get exception:

400: AdalServiceException: AADSTS50001: Resource 'https://MyAppGateway-814485545465FAKE4d5a4532cd.azurewebsites.net/login/aad' is not registered for the account.

But this exact line is in the list of Reply Url in the AD Application

When I try to use https://MyADDomain.onmicrosoft.com/MyAppName or https://MyADDomain.onmicrosoft.com/ as appIdUri I get a different exception message:

400: AdalServiceException: AADSTS50105: Application '04472E33-2638-FAKE-GUID-F826AF4928DB' is not assigned to a role for the application 'https://MyADDomain.onmicrosoft.com/MyAppName'

Or

400: AdalServiceException: AADSTS50105: Application '04472E33-2638-FAKE-GUID-F826AF4928DB' is not assigned to a role for the application 'https://MyADDomain.onmicrosoft.com/'

In both cases I had the App ID URI in the AD Application set to 'https://MyADDomain.onmicrosoft.com/MyAppName' or 'https://MyADDomain.onmicrosoft.com/'. And both of the names in the list of Reply URL.

Eventually after enough tries I have put https://graph.windows.net as appIdUri and got the bearer token back. But the token was given with expiry date in the past (about 1 minute in the past). So I could not do anything further with this. And got 401-Unauthenticated when tried to use the token to login into API App.

What am I missing?

解决方案

I have gone ahead and followed the tutorial to which you referred: Call an Azure API app from a web app client authenticated by Azure Active Directory

1. Create an Azure API Api that returns contact data
2. Deploy the API App to Azure App Service.
3. Secure the API App using Azure Active Directory.

Then I was able to retrieve the token, and as you can see from the following demo, my code is no different than your code, except that it using a later version of the using Microsoft.IdentityModel.Clients.ActiveDirectory libraries that use Async.

Get access token from AAD

class Program
{
    static void Main(string[] args)
    {
        var authContext = new AuthenticationContext(Constants.AUTHORITY);
        var credential = 
            new ClientCredential(Constants.CLIENT_ID, Constants.CLIENT_SECRET);
        var result = (AuthenticationResult)authContext
            .AcquireTokenAsync(Constants.API_ID_URL, credential)
            .Result;
        var token = result.AccessToken;
        Console.WriteLine(token.ToString());
        Console.ReadLine();
    }
}

Constants

AUTHORITY. The first segment of this is https://login.microsoftonline.com. The final segment is an allowed tenant. We set the allowed tenant at portal.azure.com, going to the Gateway for our application, and choosing Settings > Identity > Azure Active Directory > Allowed Tenants. My tenant is bigfontoutlook.onmicrosoft.com.

CLIENT_ID. We retrieve this client id from the application that we added to Azure Active Directory. Find this at manage.windowsazure.com > Active Directory > Your Directory > APPLICATIONS > Your Application > CONFIGURE. Once we have retrieved it, we must add it to our Gateway's Azure Active Directory settings in the Client ID field.

CLIENT_SECRET. We create/retrieve this in the same location that we retrieve our client id.

API_ID_URL. We retrieve this within the Gateway blade for our Web API App by choosing Settings > Identity > Azure Active Directory > App URL.

Here are the ones that work for me.

class Constants
{
    public const string AUTHORITY =
     "https://login.microsoftonline.com/bigfontoutlook.onmicrosoft.com/";

    public const string CLIENT_ID = 
      "0d7dce06-c3e3-441f-89a7-f828e210ff6d";

    public const string CLIENT_SECRET =
      "AtRMr+Rijrgod4b9Q34i/UILldyJ2VO6n2jswkcVNDs=";

    public const string API_ID_URL = 
      "https://mvp201514929cfaaf694.azurewebsites.net/login/aad";
}

Final decoded JWT

This is what the decoded JWT access token contains.

{
 typ: "JWT",
 alg: "RS256",
 x5t: "MnC_VZcATfM5pOYiJHMba9goEKY",
 kid: "MnC_VZcATfM5pOYiJHMba9goEKY"
}.
{
 aud: "https://mvp201514929cfc350148cfa5c9b24a7daaf694.azurewebsites.net/login/aad",
 iss: "https://sts.windows.net/0252f597-5d7e-4722-bafa-0b26f37dc14f/",
 iat: 1442346927,
 nbf: 1442346927,
 exp: 1442350827,
 ver: "1.0",
 tid: "0252f597-5d7e-4722-bafa-0b26f37dc14f",
 oid: "5a6f33eb-b622-4996-8a6a-600dce355389",
 sub: "5a6f33eb-b622-4996-8a6a-600dce355389",
 idp: "https://sts.windows.net/0252f597-5d7e-4722-bafa-0b26f37dc14f/",
 appid: "0d7dce06-c3e3-441f-89a7-f828e210ff6d",
 appidacr: "1"
}.

Note: It's a throwaway app in a throwaway active directory account with a throwaway resource group, so showing my security credentials is a non-issue.

Diagram just to be sure :)

这篇关于无法从Azure的AD得到承载令牌API应用程序使用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！