无法从 Azure AD 获取不记名令牌以与 API 应用程序
时间:2023-05-07问题描述
我有一个 MVC 应用程序需要访问受 Azure AD 身份验证保护的 Azure 中的私有 API 应用程序.所以我需要获取 Azure AD 承载令牌,将其传输到 Zumo-Auth 令牌并使用它来访问 API 应用程序.
我正在浏览
当我尝试使用 https://MyADDomain.onmicrosoft.com/MyAppName 或 https://MyADDomain.onmicrosoft.com/ 作为 appIdUri 我收到一条不同的异常消息:
400:AdalServiceException:AADSTS50105:应用程序04472E33-2638-FAKE-GUID-F826AF4928DB"未分配给应用程序
I have an MVC application that needs to access private API App in Azure that is protected with Azure AD authentication. So I need to get Azure AD bearer token, transfer it into Zumo-Auth token and use it to access the API App.
I'm going through this tutorial and everything is working fine until the point when I need to request the token from authContext. Here is the snippet of a code:
var authContext = new AuthenticationContext(
"https://login.microsoftonline.com/MyADDomain.onmicrosoft.com");
ClientCredential credential = new ClientCredential(
"04472E33-2638-FAKE-GUID-F826AF4928DB",
"OMYAPIKEY1x3BLAHEMMEHEHEHEHEeYSOMETHINGRc=");
// Get the AAD token.
var appIdUri =
"https://MyAppGateway-814485545465FAKE4d5a4532cd.azurewebsites.net/login/aad";
//var appIdUri = "https://MyADDomain.onmicrosoft.com/MyAppName";
//var appIdUri = "https://MyADDomain.onmicrosoft.com/";
//var appIdUri = "https://graph.windows.net";
AuthenticationResult result =
authContext.AcquireToken(appIdUri, credential); // <-- can't get the token from AD
// downhill from here
var aadToken = new JObject();
aadToken["access_token"] = result.AccessToken;
var appServiceClient = new AppServiceClient(
"https://MyAppGateway-814485545465FAKE4d5a4532cd.azurewebsites.net/");
// Send the AAD token to the gateway and get a Zumo token
var appServiceUser = await appServiceClient.LoginAsync("aad", aadToken);
The line with authContext.AcquireToken(appIdUri, credential) is the one causing trouble.
If as appIdUri I give https://MyAppGateway-814485545465FAKE4d5a4532cd.azurewebsites.net/login/aad, I get exception:
400: AdalServiceException: AADSTS50001: Resource 'https://MyAppGateway-814485545465FAKE4d5a4532cd.azurewebsites.net/login/aad' is not registered for the account.
But this exact line is in the list of Reply Url in the AD Application
When I try to use https://MyADDomain.onmicrosoft.com/MyAppName or https://MyADDomain.onmicrosoft.com/ as appIdUri I get a different exception message:
400: AdalServiceException: AADSTS50105: Application '04472E33-2638-FAKE-GUID-F826AF4928DB' is not assigned to a role for the application 'https://MyADDomain.onmicrosoft.com/MyAppName'
Or
400: AdalServiceException: AADSTS50105: Application '04472E33-2638-FAKE-GUID-F826AF4928DB' is not assigned to a role for the application 'https://MyADDomain.onmicrosoft.com/'
In both cases I had the App ID URI in the AD Application set to 'https://MyADDomain.onmicrosoft.com/MyAppName' or 'https://MyADDomain.onmicrosoft.com/'. And both of the names in the list of Reply URL.
Eventually after enough tries I have put https://graph.windows.net as appIdUri and got the bearer token back. But the token was given with expiry date in the past (about 1 minute in the past). So I could not do anything further with this. And got 401-Unauthenticated when tried to use the token to login into API App.
What am I missing?
I have gone ahead and followed the tutorial to which you referred: Call an Azure API app from a web app client authenticated by Azure Active Directory
- Create an Azure API Api that returns contact data
- Deploy the API App to Azure App Service.
- Secure the API App using Azure Active Directory.
Then I was able to retrieve the token, and as you can see from the following demo, my code is no different than your code, except that it using a later version of the using Microsoft.IdentityModel.Clients.ActiveDirectory libraries that use Async.
Get access token from AAD
class Program
{
static void Main(string[] args)
{
var authContext = new AuthenticationContext(Constants.AUTHORITY);
var credential =
new ClientCredential(Constants.CLIENT_ID, Constants.CLIENT_SECRET);
var result = (AuthenticationResult)authContext
.AcquireTokenAsync(Constants.API_ID_URL, credential)
.Result;
var token = result.AccessToken;
Console.WriteLine(token.ToString());
Console.ReadLine();
}
}
Constants
AUTHORITY. The first segment of this is https://login.microsoftonline.com. The final segment is an allowed tenant. We set the allowed tenant at portal.azure.com, going to the Gateway for our application, and choosing Settings > Identity > Azure Active Directory > Allowed Tenants. My tenant is bigfontoutlook.onmicrosoft.com.
CLIENT_ID. We retrieve this client id from the application that we added to Azure Active Directory. Find this at manage.windowsazure.com > Active Directory > Your Directory > APPLICATIONS > Your Application > CONFIGURE. Once we have retrieved it, we must add it to our Gateway's Azure Active Directory settings in the Client ID field.
CLIENT_SECRET. We create/retrieve this in the same location that we retrieve our client id.
API_ID_URL. We retrieve this within the Gateway blade for our Web API App by choosing Settings > Identity > Azure Active Directory > App URL.
Here are the ones that work for me.
class Constants
{
public const string AUTHORITY =
"https://login.microsoftonline.com/bigfontoutlook.onmicrosoft.com/";
public const string CLIENT_ID =
"0d7dce06-c3e3-441f-89a7-f828e210ff6d";
public const string CLIENT_SECRET =
"AtRMr+Rijrgod4b9Q34i/UILldyJ2VO6n2jswkcVNDs=";
public const string API_ID_URL =
"https://mvp201514929cfaaf694.azurewebsites.net/login/aad";
}
Final decoded JWT
This is what the decoded JWT access token contains.
{
typ: "JWT",
alg: "RS256",
x5t: "MnC_VZcATfM5pOYiJHMba9goEKY",
kid: "MnC_VZcATfM5pOYiJHMba9goEKY"
}.
{
aud: "https://mvp201514929cfc350148cfa5c9b24a7daaf694.azurewebsites.net/login/aad",
iss: "https://sts.windows.net/0252f597-5d7e-4722-bafa-0b26f37dc14f/",
iat: 1442346927,
nbf: 1442346927,
exp: 1442350827,
ver: "1.0",
tid: "0252f597-5d7e-4722-bafa-0b26f37dc14f",
oid: "5a6f33eb-b622-4996-8a6a-600dce355389",
sub: "5a6f33eb-b622-4996-8a6a-600dce355389",
idp: "https://sts.windows.net/0252f597-5d7e-4722-bafa-0b26f37dc14f/",
appid: "0d7dce06-c3e3-441f-89a7-f828e210ff6d",
appidacr: "1"
}.
Note: It's a throwaway app in a throwaway active directory account with a throwaway resource group, so showing my security credentials is a non-issue.
Diagram just to be sure :)
这篇关于无法从 Azure AD 获取不记名令牌以与 API 应用程序一起使用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持html5模板网!
相关文章
ASP.NET Core 使用 Azure Active Directory 进行身份验证并ASP.NET Core authenticating with Azure Active Directory and persisting custom Claims across requests(ASP.NET Core 使用 Azure Active Directory 进行身- ASP.NET Core 2.0 Web API Azure Ad v2 令牌授权不起作用ASP.NET Core 2.0 Web API Azure Ad v2 Token Authorization not working(ASP.NET Core 2.0 Web API Azure Ad v2 令牌授权不起作用)
- ASP Core Azure Active Directory 登录使用角色ASP Core Azure Active Directory Login use roles(ASP Core Azure Active Directory 登录使用角色)
- 如何获取守护进程或服务器到 C# ASP.NET Web API 的How do I get Azure AD OAuth2 Access Token and Refresh token for Daemon or Server to C# ASP.NET Web API(如何获取守护进程或服务器到 C# ASP.N
- .Net Core 2.0 - 获取 AAD 访问令牌以与 Microsoft Graph.Net Core 2.0 - Get AAD access token to use with Microsoft Graph(.Net Core 2.0 - 获取 AAD 访问令牌以与 Microsoft Graph 一起使用)
- 异步调用时 Azure KeyVault Active Directory AcquireTokenAAzure KeyVault Active Directory AcquireTokenAsync timeout when called asynchronously(异步调用时 Azure KeyVault Active Directory AcquireTokenAsync 超
最新文章
- .net 核心中的混合身份验证与 Open Id Connect 和本地
- 使用 ADAL 检测到的 multiple_matching_tokens_detected
- 如何配置 Azure AD 访问令牌的过期时间(使用 ADAL
- 在 .net core 3.1.1 Web 应用程序中更改 AzureAD 身份验
- IDX21323 OpenIdConnectProtocolValidationContext.Nonce 为空,
- Graph API - 权限不足,无法完成操作
- asp.net mvc 和 azure 基于活动目录安全组的授权
- 使用 Azure Active Directory 的 Azure Function 身份验证
- 在声明中获取 Azure AD 用户所属的组列表
- 使用托管标识与 Azure SQL 的 EF Core 连接