401 error when authenticating to an Azure API App using AAD

Problem description

I have an API app that has been working fine with a Gateway Host and now that the gateway host is being deprecated I'm trying to follow the Migration Guide. I've redeployed my service using the 2.8.1 SDK and can log into the service with a browser using AAD or a Microsoft account and use Swagger to test the service. However, I'm trying to get a client to access the service using a ClientId and Secret. The code is able to get the access token from AAD but I always get a 401 error whenever I try to access one of the service resources.

When I debug the service I see the following in the log:

    Microsoft.Azure.AppService.Authentication Verbose: 0 : Received request: GET https://[myService].azurewebsites.net/api/[myResource]
    Microsoft.Azure.AppService.Authentication Warning: 0 : JWT validation failed: IDX10214: Audience validation failed. Audiences: 'https://[myService].azurewebsites.net/'. Did not match:  validationParameters.ValidAudience: '[AAD ClientId]' or validationParameters.ValidAudiences: 'http://[myService].azurewebsites.net'.
    Microsoft.Azure.AppService.Authentication Information: 0 : Sending response: 401.71 Unauthorized
    The thread 0x3b00 has exited with code 0 (0x0).

What appears to be the issue is that the Audience presented with the request is https but the validParameters.ValidAudiences collection only contains http.

I can't see any way of configuring the Audience and it appears that the http based audience is being set when Visual Studio 2015 creates the App Service. Is there a way of manually editing the ValidAudience collection?

For reference my client code is:

    using System;
    using System.Net.Http;
    using System.Net.Http.Headers;
    using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL: AuthenticationContext, ClientCredential

    internal static class Program
    {
        private static void Main(string[] args)
        {
            // Resource the token is requested for; AAD copies this into the token's 'aud' claim.
            string app_id_url = "https://[myService].azurewebsites.net/";
            string authority = "https://login.windows.net/[myDirectory].onmicrosoft.com/";
            string clientId = "[AAD ClientId]";
            string clientSecret = "[AAD Client Secret]";
            string apiBaseUrl = "https://[myService].azurewebsites.net/";

            // Client-credentials flow: no user, the app authenticates with its own ID and secret.
            string aadToken = GetTokenForApplication(authority, clientId, clientSecret, app_id_url);

            var apiClient = new HttpClient { BaseAddress = new Uri(apiBaseUrl) };
            apiClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", aadToken);
            var apiResponse = apiClient.GetAsync(apiBaseUrl + @"api/[myResource]").Result;
            string apiResponseContent = apiResponse.Content.ReadAsStringAsync().Result;
            Console.WriteLine(apiResponseContent);
        }

        public static string GetTokenForApplication(string authority, string clientId, string clientSecret, string resourceUrl)
        {
            // validateAuthority = false: the authority is not checked against the AAD metadata list.
            AuthenticationContext authenticationContext = new AuthenticationContext(authority, false);
            ClientCredential clientCred = new ClientCredential(clientId, clientSecret);
            AuthenticationResult authenticationResult = authenticationContext.AcquireToken(resourceUrl, clientCred);
            string token = authenticationResult.AccessToken;
            return token;
        }
    }

Solution

Your problem has something to do with the valid audiences. You may have 2 choices:

Option 1. Try to acquire the token with the WebAPI client ID as the AcquireToken method 'resource' parameter, instead of its Uri.

Option 2. If the previous method didn't work, you should modify the authentication settings of the App Service API, using Azure Resource Explorer. Navigate to your web API, find the authSettings JSON document under the config node, and modify (after having changed to Read/Write mode) the array allowedAudiences to match your needs. In your case you may have to change http to https.
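The following is an added example, not code from the question, the answer, or Microsoft's authentication module. It models the exact-string audience comparison behind the IDX10214 warning in the question's log and shows why both options in the answer clear it: Option 1 makes the token's `aud` equal the API's client ID (the `ValidAudience`), while Option 2 adds the https form of the site URL to `allowedAudiences`. The JWTs are constructed locally with an empty signature so the block runs offline; signature verification, which the real handler performs as a separate step, is deliberately left out because the failure on this page is purely the audience mismatch. All sample values (the bracketed placeholders, the `validate` and `audience_matches` helpers) are assumptions for illustration.

```python
import base64
import json

# Constructed sample values mirroring the question's log (placeholders, not real hosts or IDs).
TOKEN_AUDIENCE = "https://[myService].azurewebsites.net/"   # 'aud' AAD issued for app_id_url
VALID_AUDIENCE = "[AAD ClientId]"                             # validationParameters.ValidAudience
VALID_AUDIENCES = ["http://[myService].azurewebsites.net"]   # validationParameters.ValidAudiences


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped string with an empty signature segment (constructed test data only)."""
    def b64url(data: bytes) -> str:
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def read_claims(jwt: str) -> dict:
    """Decode the payload segment (no signature check; diagnostics of the 'aud' claim only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_matches(token_aud, valid_audience: str, valid_audiences: list) -> bool:
    """Model of the IDX10214 check: 'aud' may be a string or a list, and any value that
    equals ValidAudience or one of ValidAudiences is accepted. The comparison is an exact
    string match, so scheme (http vs https) and trailing slash must agree."""
    auds = token_aud if isinstance(token_aud, list) else [token_aud]
    allowed = {valid_audience, *valid_audiences}
    return any(a in allowed for a in auds)


def validate(jwt: str, valid_audience: str, valid_audiences: list):
    """Return (accepted, reason); the reason mimics the warning line from the question's log."""
    claims = read_claims(jwt)
    aud = claims.get("aud")
    if aud is None:
        return False, "IDX10214-style failure: token carries no 'aud' claim"
    if audience_matches(aud, valid_audience, valid_audiences):
        return True, "audience accepted"
    return False, (f"IDX10214: Audience validation failed. Audiences: '{aud}'. Did not match: "
                   f"ValidAudience: '{valid_audience}' or ValidAudiences: '{valid_audiences}'.")


def broken_case():
    # The question's setup: token requested for the https App ID URI, site only allows http.
    return validate(make_unsigned_jwt({"aud": TOKEN_AUDIENCE}), VALID_AUDIENCE, VALID_AUDIENCES)


def option1_case():
    # Option 1: pass the API's client ID as the 'resource'; AAD then issues aud = client ID,
    # which equals ValidAudience regardless of the allowedAudiences list.
    return validate(make_unsigned_jwt({"aud": VALID_AUDIENCE}), VALID_AUDIENCE, VALID_AUDIENCES)


def option2_case():
    # Option 2: extend allowedAudiences with the https form so the original token is accepted.
    fixed = VALID_AUDIENCES + ["https://[myService].azurewebsites.net/"]
    return validate(make_unsigned_jwt({"aud": TOKEN_AUDIENCE}), VALID_AUDIENCE, fixed)


if __name__ == "__main__":
    for name, fn in [("broken", broken_case), ("option1", option1_case), ("option2", option2_case)]:
        ok, reason = fn()
        print(f"{name}: {'200' if ok else '401'} - {reason}")
```

Running the block prints one line per case: the broken case reproduces the "Did not match" text from the log, and both options are accepted. The `audience_matches` helper is where to look when a 401.71 appears after a seemingly correct token request: print the token's `aud` next to the configured audiences and compare them character by character, since a scheme or trailing-slash difference is enough to fail.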
