在我的应用程序中,我使用了基于Azure AD令牌的用户上下文。
我在招摇中实施了azure ad隐式流程,该流程以正确的方式返回令牌并正常工作。但是我尝试使用基于MSAL或ADAL Js的sharepoint / JQuery / Mobile应用程序来获取令牌。该令牌传入标头。但是,抛出错误IDX10511签名验证失败。
我搜索了许多网站。我不知道如何验证Microsoft Graph API令牌。
任何人都知道,请分享您的知识。或其他任何方法来验证Graph API签名。
在我的示例代码中
IList<string> validateAudience = new List<string>() { "00000003-0000-0000-c000-000000000000", $"{clientId1}", $"{clientId}", "https://graph.microsoft.com", "https://example.sharepoint.com", $"api://{clientId1}/user.read", $"api://{clientId}/user.read", $"api://{clientId}" };
var metaDataUrl = $"https://login.microsoftonline.com/{Configuration["AzureAd:TenantId"]}/.well-known/openid-configuration";
//OpenIdConnectConfiguration openidconfig = OpenIdConnectConfigurationRetriever.GetAsync(metaDataUrl, CancellationToken.None).Result;
var configManager = new ConfigurationManager<OpenIdConnectConfiguration>($"https://sts.windows.net/{TenantId}/.well-known/openid-configuration", new OpenIdConnectConfigurationRetriever());
var openidconfig = configManager.GetConfigurationAsync().Result;
services.AddAuthentication(sharedOptions =>
{
sharedOptions.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
sharedOptions.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
sharedOptions.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddAzureAd(options =>
{
Configuration.Bind("AzureAd", options);
})
.AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, _ =>
{
_.Audience = Configuration["ClientId"];
_.Authority = "https://login.microsoftonline.com/{TenantId}/v2.0";
_.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters()
{
ValidateAudience = false,
ValidAudiences = validateAudience,
ValidateIssuer = false,
ValidIssuer = "https://sts.windows.net/{TenantId}/",
ValidIssuers = new List<string>() { "https://login.microsoftonline.com/{TenantId}/v2.0", "https://sts.windows.net/{TenantId}/" },
ValidateIssuerSigningKey = false,
IssuerSigningKeys = openidconfig.SigningKeys,
RequireExpirationTime = true,
ValidateLifetime = false,
RequireSignedTokens = false,
};
_.RequireHttpsMetadata = false;
_.Events = new JwtBearerEvents
{
OnChallenge = context =>
{
return Task.CompletedTask;
},
OnMessageReceived = context =>
{
return Task.CompletedTask;
},
OnForbidden = context =>
{
return Task.CompletedTask;
},
OnAuthenticationFailed = context =>
{
return Task.CompletedTask;
},
OnTokenValidated = context =>
{
return Task.CompletedTask;
}
};
});
我已调试了基于MSAL和ADAL JS的应用程序,生成的令牌始终会收到OnAuthenticationFailed事件,并且会引发异常
“ IDX10511:签名验证失败。尝试的密钥:'Microsoft.IdentityModel.Tokens.X509SecurityKey,KeyId:'1E50B4475DAC931359D564309A3385FFAB7FB431',InternalId:'f61f7746-3cff-4557-8b2c-b47fad9cf1e3'564FF4DACFB93B4D3DFAFA3FA4B3DFABFA3FA4B3D5FA4B3D5FA5B4D5FA4B3D5FA4B4B4B&F3D4B4B&F4C&B&B&B; 4E4B&F4B&B&B; 4E5B&D&B&B >
已解析的JWT令牌图像