我正在使用Windows Azure Active Directory身份验证。这用于保护在Azure中调用c#Web API服务的c#windows服务。它已经工作了很长时间但现在我开始得到以下异常:
Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationMiddleware Error: 0 : Authentication failed
System.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 2,
Clause[0] = X509ThumbprintKeyIdentifierClause(Hash = 0x61B44041161C13F9A8B56549287AF02C16DDFFDB),
Clause[1] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause
)
我不知道这意味着什么或如何解决它:(
更新
在回答有关密钥翻转的评论时,我的网络服务正在使用以下代码:
private void ConfigureAuth(IAppBuilder app)
{
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
{
ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
},
Tenant = ConfigurationManager.AppSettings["ida:Tenant"]
});
}
根据该链接意味着应该针对此类问题提供保护。
包括孩子在内的令牌的开头如下:
token: '{"typ":"JWT","alg":"RS256","x5t":"YbRAQRYcE_motWVJKHrwLBbd_9s","kid":"YbRAQRYcE_motWVJKHrwLBbd_9s"}
更新2
我在Windows服务中获取令牌的代码:
internal string GetAuthorizationToken()
{
string authority = String.Format(aadInstance, tenant);
var authContext = new AuthenticationContext(authority);
var authResult = AcquireToken(authContext);
return authResult == null ? null : authResult.CreateAuthorizationHeader();
}
/// <summary>
/// Acquires the token.
/// </summary>
/// <param name="authContext">The authentication context.</param>
/// <returns>Authentication Result</returns>
private AuthenticationResult AcquireToken(AuthenticationContext authContext)
{
try
{
return authContext.AcquireTokenAsync(apiResourceId, clientId, new UserPasswordCredential(user, pass)).Result;
}
catch (Exception)
{
return null;
}
}
答案 0 :(得分:0)
当应用程序尝试通过Azure中的令牌中的密钥标识查找签名密钥时会发生此异常,但Azure上的密钥已经翻转。
请在Windows服务中获取新的访问令牌以解决此问题。