从Angular 7(MSAL)调用ASP.NET Core 2.2时,颁发者无效

时间:2019-01-14 15:00:03

标签: angular asp.net-core-webapi openid-connect azure-ad-b2c msal

带有Azure AD B2C的ASP.NET Core 2.2应用程序(使用URL Endpooint v2.0):

我按如下AppSettings.js配置了核心应用程序:

"AzureAdB2C": {
  "Instance": "https://login.microsoftonline.com/tfp",
  "ClientId": "{ClientIdGuid}",
  "Domain": "{Subdomain}.onmicrosoft.com",
  "SignUpSignInPolicyId": "B2C_1_SignUpSignInDevelopment"
}

启动:

public void ConfigureServices(IServiceCollection services)
{
    ...
    services.AddAuthentication(AzureADB2CDefaults.JwtBearerAuthenticationScheme)
    .AddAzureADB2CBearer(o => Configuration.Bind("AzureAdB2C", o));    
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    ...
    app.UseAuthentication();
    app.UseMvc(o=>{o.MapRoute(name:"d",template:"{controller}/{action=Index}/{id?}");});   
}

我的Angular 7客户端使用具有以下设置的MSAL:

MsalModule.forRoot({
  clientID: environment.azureB2CClientID,
  authority: "https://" + environment.azureTenantIDSubdomain + ".b2clogin.com/tfp/" +
    environment.azureTenantIDSubdomain + ".onmicrosoft.com/" +
    environment.azureSignUpSignInPolicyId + "/v2.0",
  redirectUri: environment.schemeAndAuthority + "/home",
  validateAuthority: false,
  cacheLocation : "localStorage",
  postLogoutRedirectUri: environment.schemeAndAuthority + "/",
  popUp: false
}),

在调用API时会生成此Bearer JWT:

"exp": 1547479156,
"nbf": 1547475556,
"ver": "1.0",
"iss": "https://{Subdomain}.b2clogin.com/{Guid1}/v2.0/",
"sub": "{Guid2}",
"aud": "{Guid3}",
"nonce": "{Guid4}",
"iat": 1547475556,
"auth_time": 1547475556,
"oid": "{Guid5}",
"tfp": "B2C_1_SignUpSignInDevelopment"

我的.wellknown看起来像这样:https://login.microsoftonline.com/tfp/ {Subdomain} .onmicrosoft.com / B2C_1_SignUpSignInDevelopment / .well-known / openid-configuration 

{
  "issuer": "https://login.microsoftonline.com/{ClientGuid}/",
  "authorization_endpoint": "https://login.microsoftonline.com/te/{Subdomain}.onmicrosoft.com/b2c_1_signupsignindevelopment/oauth2/authorize",
  "token_endpoint": "https://login.microsoftonline.com/te/{Subdomain}.onmicrosoft.com/b2c_1_signupsignindevelopment/oauth2/token",
    ...
}

每当我调用受[Authorize]保护的API控制程序(ASP.NET Core 2.2)时,我都会收到401:

www-authenticate: Bearer error="invalid_token", error_description="The issuer is invalid"

我意识到,.well-known中的Issuer与生成的Bearer JWT不同。但是我没有在Angular或Azure AD B2C方面设置发行者。

此问题是由Angular和Azure AD B2C方面的不同发行者引起的吗?如果是这样,我应该更改哪个发行人以及如何更改?

1 个答案:

答案 0 :(得分:1)

您必须确保发行人域对于客户端应用程序和API应用程序都是一致的;否则,将向客户端应用程序发出一个发行者域的访问令牌,而API应用程序正在为另一个发行者域对其进行验证。

您正在将{tenant}.b2clogin.com用于客户端应用程序,并将login.microsoftonline.com用于API应用程序。

我建议您同时使用{tenant}.b2clogin.com

相关问题
最新问题