I followed the link Enable Azure Active Directory in your App Service app to set up AAD authentication for my Azure Functions. To call the Azure Function, I tried using the token obtained with First case: Access token request with a shared secret, and I received an error status 401 "You do not have permission to view this directory or page". That access token came from the URI https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token. In testing, I found that if I request the token from the URI https://login.microsoftonline.com/{tenantId}/oauth2/token, it works. Why is that?
The decoded token from https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token is as follows.
{
  "typ": "JWT",
  "nonce": "klkSaiUS7yT5KMshYVJZAkyu5AuDV14yEQLEkxiz2o4",
  "alg": "RS256",
  "x5t": "huN95IvPfehq34GzBDZ1GXGirnM",
  "kid": "huN95IvPfehq34GzBDZ1GXGirnM"
}.{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/{tenantId}/",
  "iat": 1597615459,
  "nbf": 1597615459,
  "exp": 1597619359,
  "aio": "E2BgYOD6EGiutPFpxY67vVocPgv3AAA=",
  "app_displayname": "app Displayname",
  "appid": "{appId GUID}",
  "appidacr": "1",
  "idp": "https://sts.windows.net/{tenantId}/",
  "oid": "{GUID}",
  "roles": [
    "User.ReadWrite.All",
    "Group.ReadWrite.All",
    "User.Invite.All",
    "TeamMember.ReadWrite.All",
    "Team.ReadBasic.All",
    "GroupMember.ReadWrite.All"
  ],
  "sub": "{GUID}",
  "tenant_region_scope": "NA",
  "tid": "{tenantId}",
  "uti": "lA__6UDggU6QYEGdX0t_AA",
  "ver": "1.0",
  "xms_tcdt": 1590621751
}.[Signature]
The decoded token from https://login.microsoftonline.com/{tenantId}/oauth2/token is as follows.
{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "huN95IvPfehq34GzBDZ1GXGirnM",
  "kid": "huN95IvPfehq34GzBDZ1GXGirnM"
}.{
  "aud": "00000002-0000-0000-c000-000000000000",
  "iss": "https://sts.windows.net/{tenantId}/",
  "iat": 1597615470,
  "nbf": 1597615470,
  "exp": 1597619370,
  "aio": "E2BgYOAS8fUOUly15/PahOer9u1iBQA=",
  "appid": "{appId GUID}",
  "appidacr": "1",
  "idp": "https://sts.windows.net/{tenantId}/",
  "oid": "{GUID}",
  "sub": "{GUID}",
  "tenant_region_scope": "NA",
  "tid": "{tenantId}",
  "uti": "3wr4Ulqcs0ueW77ZacF4AA",
  "ver": "1.0"
}.[Signature]
I know that the two tokens have different audiences, and I have added both of them to "Allowed token audiences" in the Azure Functions AAD authentication settings.
Please help me understand this. Many thanks.
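As an added example (not part of the question above), the checks a resource such as an App Service app applies before trusting a bearer token, run over the two claim sets shown: token structure, the header `nonce`, the `aud` claim against the configured allowed audiences, and the `nbf`/`exp` window. The header `nonce` is what Microsoft Graph access tokens carry; their signature is computed so that only Graph can verify it, so a resource other than Graph cannot validate such a token even when its audience is allowed. The tokens are rebuilt from the question's claims with a dummy signature, so no signature verification is performed here; `inspect_token`, `make_token` and `ALLOWED` are names chosen for this example.

```python
import base64
import json
import time

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(header, payload):
    """Constructed, unsigned sample token: the third segment is a dummy."""
    return f"{_b64url(header)}.{_b64url(payload)}.dummysig"

def decode_segment(seg):
    seg += "=" * (-len(seg) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def inspect_token(token, allowed_audiences, now=None):
    """Return (accepted, reason) after the checks a resource applies before
    trusting claims: structure, header nonce, audience, validity window."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "not a compact JWS"
    header, claims = decode_segment(parts[0]), decode_segment(parts[1])
    # A header 'nonce' marks a token minted for Microsoft Graph, whose
    # signature is only verifiable by Graph; other APIs cannot accept it.
    if "nonce" in header:
        return False, "nonce header: token is bound to Microsoft Graph"
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(a in allowed_audiences for a in auds):
        return False, f"audience {aud!r} not in allowed list"
    now = time.time() if now is None else now
    if claims.get("nbf", 0) > now or claims.get("exp", 0) <= now:
        return False, "outside validity window"
    return True, "ok"

# Sample tokens rebuilt from the claim sets shown in the question.
V2_TOKEN = make_token(
    {"typ": "JWT", "nonce": "klkSaiUS7yT5KMshYVJZAkyu5AuDV14yEQLEkxiz2o4",
     "alg": "RS256", "kid": "huN95IvPfehq34GzBDZ1GXGirnM"},
    {"aud": "https://graph.microsoft.com", "iss": "https://sts.windows.net/{tenantId}/",
     "nbf": 1597615459, "exp": 1597619359, "appid": "{appId GUID}", "ver": "1.0"})
V1_TOKEN = make_token(
    {"typ": "JWT", "alg": "RS256", "kid": "huN95IvPfehq34GzBDZ1GXGirnM"},
    {"aud": "00000002-0000-0000-c000-000000000000", "iss": "https://sts.windows.net/{tenantId}/",
     "nbf": 1597615470, "exp": 1597619370, "appid": "{appId GUID}", "ver": "1.0"})
# Both audiences added to "Allowed token audiences", as in the question.
ALLOWED = {"https://graph.microsoft.com", "00000002-0000-0000-c000-000000000000"}
```

Calling `inspect_token(V2_TOKEN, ALLOWED, now=1597616000)` rejects the v2.0 token on the header nonce before the audience is even consulted, while the same call on `V1_TOKEN` returns `(True, "ok")`.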