使用 AAD 对 Azure API 应用程序进行身份验证时出现

问题描述

我有一个 API 应用程序在网关主机上运行良好，现在网关主机已被弃用，我正在尝试遵循 迁移指南.我已经使用 2.8.1 SDK 重新部署了我的服务，并且可以使用 AAD 或 Microsoft 帐户使用浏览器登录该服务，并使用 Swagger 测试该服务.但是，我试图让客户端使用 ClientId 和 Secret 访问服务.该代码能够从 AAD 获取访问令牌，但每当我尝试访问其中一项服务资源时，总是会收到 401 错误.

I have an API app that has been working fine with a Gateway Host and now that the gateway host is being deprecated I'm trying to follow the Migration Guide. I've redeployed my service using the 2.8.1 SDK and can log into the service with a browser using AAD or a Microsoft account and use Swagger to test the service. However, I'm trying to get a client to access the service using a ClientId and Secret. The code is able to get the access token from AAD but I always get a 401 error whenever I try to access one of the service resources.

当我调试服务时，我在日志中看到以下内容:

When I debug the service I see the following in the log:

Microsoft.Azure.AppService.Authentication Verbose: 0 : Received request: GET https://[myService].azurewebsites.net/api/[myResource]
Microsoft.Azure.AppService.Authentication Warning: 0 : JWT validation failed: IDX10214: Audience validation failed. Audiences: 'https://[myService].azurewebsites.net/'. Did not match:  validationParameters.ValidAudience: '[AAD ClientId]' or validationParameters.ValidAudiences: 'http://[myService].azurewebsites.net'.
Microsoft.Azure.AppService.Authentication Information: 0 : Sending response: 401.71 Unauthorized
The thread 0x3b00 has exited with code 0 (0x0).

问题似乎在于，请求的受众是 https，但 validParameters.ValidAudiences 集合仅包含 http.

What appears to be the issue is that the Audience presented with the request is https but the validParameters.ValidAudiences collection only contains http.

我看不到任何配置受众的方式，并且似乎在 Visual Studio 2015 创建应用服务时正在设置基于 http 的受众.有没有手动编辑 ValidAudience 集合的方法?

I can't see any way of configuring the Audience and it appears that the http based audience is being set when Visual Studio 2015 creates the App Service. Is there a way of manually editing the ValidAudience collection?

作为参考，我的客户端代码是:

For reference my client code is:

    private static void Main(string[] args)
    {
        string app_id_url = "https://[myService].azurewebsites.net/";
        string authority = "https://login.windows.net/[myDirectory].onmicrosoft.com/";
        string clientId = "[AAD ClientId]";
        string clientSecret = "[AAD Client Secret]";
        string apiBaseUrl = "https://[myService].azurewebsites.net/";

        string aadToken = GetTokenForApplication(authority, clientId, clientSecret, app_id_url);

        var apiClient = new HttpClient { BaseAddress = new Uri(apiBaseUrl) };
        apiClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", aadToken);
        var apiResponse = apiClient.GetAsync(apiBaseUrl + @"api/[myResource]").Result;
        string apiResponseContent = apiResponse.Content.ReadAsStringAsync().Result;
        Console.WriteLine(apiResponseContent);
    }

    public static string GetTokenForApplication(string authority, string clientId, string clientSecret, string resourceUrl)
    {
        AuthenticationContext authenticationContext = new AuthenticationContext(authority, false);
        ClientCredential clientCred = new ClientCredential(clientId, clientSecret);
        AuthenticationResult authenticationResult = authenticationContext.AcquireToken(resourceUrl, clientCred);
        string token = authenticationResult.AccessToken;
        return token;
    }

推荐答案

您的问题与有效受众有关.您可能有 2 个选择:

Your problem have something to do with the valid audiences. You may have 2 choices:

选项 1. 尝试使用 WebAPI 客户端 ID 作为 AcquireToken 方法的资源"参数而不是其 Uri 获取令牌.

Option 1. Try to acquire the token with the WebAPI client ID as the AcquireToken method 'resource' parameter, instead of its Uri.

选项 2.如果以前的方法不起作用，您应该使用 Azure 资源资源管理器.导航到您的 Web API，在 config 节点下找到 authSettings JSON 文档，并修改(在更改为读/写模式后)数组 allowedAudiences以满足您的需求.在您的情况下，您可能需要将 http 更改为 https