似乎Azure文档不能给出一个明确的例子来做正确的事。
有Angular4(WebApp)和WebAPI Core 2.0后端。在Azure B2C中配置了两个应用程序。 WebApp在其API访问中具有WebAPI应用程序。
网络应用被重定向到https://login.microsoftonline.com/ {tenant} /oauth2/v2.0/authorize。在那里,提供了凭据,然后AAD B2C使用access_token,token_type,expires_in,id_token url参数回调WebApp页面。
然后,WebApp使用Authorization标头中的access_token向后端的受保护端点发出请求。 MessageReceivedAsync在请求到达后端时被调用,并一直通过验证令牌。
但是,当进程退出方法的下一步时,它将进入AuthenticationFailed并出现错误。
"IDX10501: Signature validation failed. Unable to match 'kid': 'Base64_kid',
token: '{"alg":"RS256","typ":"JWT","kid":"Base64_kid"}.{"iss":"number of claims"}'."
我的理解是Audience是WebAPI应用程序ID。我只有SingIn / Up政策。
我在这里缺少什么来完成没有错误的jwt手动验证?另一个问题,当在验证令牌时创建claimPrincipal时,它如何进入请求上下文以便能够访问受保护的端点?
public IServiceProvider ConfigureServices(IServiceCollection services)
{
services.AddCors();
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.SaveToken = true;
options.RequireHttpsMetadata = false;
options.Authority = string.Format("https://login.microsoftonline.com/{0}/v2.0/",
Configuration["Authentication:AzureAd:ida:Tenant"], Configuration["Authentication:AzureAd:ida:Policy"]);
options.Audience = Configuration["Authentication:AzureAd:ida:ClientId"];
options.Events = new JwtBearerEvents
{
OnAuthenticationFailed = AuthenticationFailed,
OnMessageReceived = MessageReceivedAsync,
OnChallenge = Challenge,
OnTokenValidated = TokenValidated
};
});
...
}
private Task MessageReceivedAsync(MessageReceivedContext arg)
{
string jwtToken = null;
var aadInstance = Configuration["Authentication:AzureAd:ida:AADInstance"];
var tenant = Configuration["Authentication:AzureAd:ida:Tenant"];
var audience = Configuration["Authentication:AzureAd:ida:Audience"];
var policy = Configuration["Authentication:AzureAd:ida:Policy"];
var authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);
string _issuer = string.Empty;
List<SecurityKey> _signingTokens = null;
var authHeader = arg.HttpContext.Request.Headers["Authorization"];
// 7 = (Bearer + " ").Length
var token = authHeader.ToString().Substring(7);
try
{
string stsDiscoveryEndpoint = string.Format("{0}/v2.0/.well-known/openid-configuration?p={1}", authority, policy);
var configManager = new ConfigurationManager<OpenIdConnectConfiguration>(stsDiscoveryEndpoint,
new OpenIdConnectConfigurationRetriever());
OpenIdConnectConfiguration config = null;
var openIdConfigTask = Task.Run(async () => {
config = await configManager.GetConfigurationAsync();
});
openIdConfigTask.Wait();
_issuer = config.Issuer;
_signingTokens = config.SigningKeys.ToList();
}
catch(Exception ex)
{
...
}
var tokenHandler = new JwtSecurityTokenHandler();
var validationParameters = new TokenValidationParameters
{
ValidAudience = audience,
ValidIssuer = _issuer,
IssuerSigningKeys = _signingTokens
};
var claimsPrincipal = tokenHandler.ValidateToken(token, validationParameters, out var validatedToken);
//Thread.CurrentPrincipal = claimsPrincipal; ?
//var ticket = new AuthenticationTicket(claimsPrincipal, arg.Scheme.Name); ?
//arg.HttpContext.User = claimsPrincipal; ?
return Task.FromResult(0);
}
答案 0 :(得分:1)
options.Audience属性是正确的(即Web API应用程序的应用程序标识符),但JWT承载认证中间件正在下载错误的签名密钥,因为您似乎没有设置{{1属性为正确的值。
必须包含Azure AD B2C策略。
您应该将其设置为:
options.Authority
如:
https://login.microsoftonline.com/tfp/{tenant}/{policy}/v2.0/'。
作为令牌验证的结果,https://login.microsoftonline.com/tfp/{Configuration["Authentication:AzureAd:ida:Tenant"]}/{Configuration["Authentication:AzureAd:ida:Policy"]}/v2.0/对象包含来自令牌的声明,因此您可以控制访问权限,例如通过范围。