我有两个应用程序,一个Web应用程序(Web-UI)和一个Web API。 首先,我在Web-UI中实现了Azure AD身份验证。 这两个应用程序都在Azure中注册并相互推进.--
首先是我的配置
tenant: '99c7da52-56fc-49ca-aa95-111111111111',
clientId: '6b0a79eb-0e0d-4a00-9652-111111111111
登录就像一个魅力我成功获得了令牌。在这里它看起来如下:
Header
{
"typ": "JWT",
"nonce": "AQABAAAAAABHh4kmS_aKT5XrjzxRAtHzn-GbcsmT8MupNislUn7vudKeuWR-HgBEd2ceWxQ7UulHr-uachkZA9cWVIj5ah3yzI68oYKyzc-QdynAf3a5DSAA",
"alg": "RS256",
"x5t": "z44wMdHu8wKsumrbfaK98qxs5YI",
"kid": "z44wMdHu8wKsumrbfaK98qxs5YI"
}
Payload
{
"aud": "00000003-0000-0000-c000-000000000000",
"iss": "https://sts.windows.net/99c7da52-56fc-49ca-aa95-8f7fb09c995e/",
"iat": 1517145610,
"nbf": 1517145610,
"exp": 1517149510,
"acr": "1",
"aio": "ATQAy/8GAAAAYOQzoNWpu5XcyTPibpz9lnb/bMGY3H4iTdEdz/zvWwrTt1mvvWiLToaNPYZwHsBD",
"amr": [
"pwd",
"mfa"
],
"app_displayname": "My Project",
"appid": "6b0a79eb-0e0d-4a00-9652-3098cc95804f",
"appidacr": "0",
"e_exp": 262800,
"family_name": "XXXXXXXXX",
"given_name": "XXXXXXXXXX",
"ipaddr": "93.245.65.135",
"name": "Myname, Firstname",
"oid": "1a4d0d0f-8137-4c1d-aa34-2cccf10f8206",
"platf": "3",
"puid": "100300008AAF747A",
"scp": "Directory.Read.All email Group.Read.All profile User.Read User.Read.All User.ReadBasic.All",
"sub": "IBv63_IIq4zpkv_UlVwaxmAm0RP3d17xq4hKil4HRD0",
"tid": "89c7da52-56fc-49ca-aa95-8f7fb09c995e",
"unique_name": "XXXXXXXXXXXXXXX",
"upn": "XXXXXXXXXXXXXXX",
"uti": "LVVtGIEcXUuEofBatBYVAA",
"ver": "1.0"
}
我删除了这些信息。所以现在我使用Token对抗我的Web.Api包含以下设置:
"AzureAdB2C": {
"Instance": "https://login.microsoftonline.com/common",
"ClientId": "f5afed6b-e09c-4c7d-90cc-222222222222",
"Domain": "myhost.de"
}
我的启动文件看起来:
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(sharedOptions =>
{
sharedOptions.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddAzureAdBearer(options => Configuration.Bind("AzureAdB2C", options));
services.AddMvc();
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseAuthentication();
app.UseMvc();
}
}
当我使用与“Bearer {tokenstring}”相同的标记使用Postman调用api时没有。它告诉我401没有授权。
在控制台的调试日志中出现了这个:
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10503: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey , KeyId: z44wMdHu8wKsumrbfaK98qxs5YI
'.
Exceptions caught:
''.
token: '{"alg":"RS256","typ":"JWT","nonce":"AQABAAAAAABHh4kmS_aKT5XrjzxRAtHzn-GbcsmT8MupNislUn7vudKeuWR-HgBEd2ceWxQ7UulHr-uachkZA9cWVIj5ah3yzI68oYKyzc-QdynAf3a5DSAA","x5t":"z44wMdHu8wKsumrbfaK98qxs5YI","kid":"z44wMdHu8wKsumrbfaK98qxs5YI"}.{"aud":"00000003-0000-0000-c000-000000000000","iss":"https://sts.windows.net/99c7da52-56fc-49ca-aa95-8f7fb09c995e/","iat":1517145610,"nbf":1517145610,"exp":1517149510,"acr":"1","aio":"ATQAy/8GAAAAYOQzoNWpu5XcyTPibpz9lnb/bMGY3H4iTdEdz/zvWwrTt1mvvWiLToaNPYZwHsBD","amr":["pwd","mfa"],"app_displayname":"Project Avalon Dev","appid":"6b0a79eb-0e0d-4a00-9652-3098cc95804f","appidacr":"0","e_exp":262800,"family_name":"XXXXX","given_name":"Sascha Peter","ipaddr":"93.245.65.135","name":"XXXX","oid":"da4d0d0f-8137-4c1d-aa34-2cccf10f8206","platf":"3","puid":"100300008AAF747A","scp":"Directory.Read.All email Group.Read.All profile User.Read User.Read.All User.ReadBasic.All","sub":"IBv63_IIq4zpkv_UlVwaxmAm0RP3d17xq4hKil4HRD0","tid":"99c7da52-56fc-49ca-aa95-8f7fb09c995e","unique_name":"XXXXX","upn":"xxxxxxx","uti":"LVVtGIEcXUuEofBatBYVAA","ver":"1.0"}'.
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.<HandleAuthenticateAsync>d__6.MoveNext()
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[7]
Bearer was not authenticated. Failure message: IDX10503: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey , KeyId: z44wMdHu8wKsumrbfaK98qxs5YI
'.
Exceptions caught:
''.
token: '{"alg":"RS256","typ":"JWT","nonce":"AQABAAAAAABHh4kmS_aKT5XrjzxRAtHzn-GbcsmT8MupNislUn7vudKeuWR-HgBEd2ceWxQ7UulHr-uachkZA9cWVIj5ah3yzI68oYKyzc-QdynAf3a5DSAA","x5t":"z44wMdHu8wKsumrbfaK98qxs5YI...........
我的webapi项目的项目文件如下:
<Project Sdk="Microsoft.NET.Sdk.Web">
<PropertyGroup>
<TargetFramework>netcoreapp2.0</TargetFramework>
<UserSecretsId>aspnet-Portal.Api-B6631B80-5958-40CC-A783-2E86D5ADA6B5</UserSecretsId>
</PropertyGroup>
<ItemGroup>
<Folder Include="wwwroot\" />
</ItemGroup>
<ItemGroup>
<PackageReference Include="Microsoft.AspNetCore.All" Version="2.0.5" />
</ItemGroup>
<ItemGroup>
<DotNetCliToolReference Include="Microsoft.Extensions.SecretManager.Tools" Version="2.0.0" />
<DotNetCliToolReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Tools" Version="2.0.2" />
</ItemGroup>
</Project>
我不知道这个问题是什么问题。我错过了什么吗?我的代码中是否有错误?
答案 0 :(得分:3)
aspnetcore jwt bearer实现无法验证标头中带有nonce的令牌,而这需要特殊处理。您尝试验证的令牌是针对microsoft graph api的,而不是针对您的应用程序。
如果您请求https://login.microsoftonline.com/common/oauth2/authorize?resource= {APPID}
,则可以为您的应用获取令牌我还能够验证资源/ api https://graph.windows.net(而不是https://graph.microsoft.com)的令牌,因为此令牌不包含随机数,但此api根据微软过时而不应使用( https://dev.office.com/blogs/microsoft-graph-or-azure-ad-graph)。
了解更多: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/609