Question

在我的应用程序中，我使用了基于Azure AD令牌的用户上下文。

我在招摇中实施了azure ad隐式流程，该流程以正确的方式返回令牌并正常工作。但是我尝试使用基于MSAL或ADAL Js的sharepoint / JQuery / Mobile应用程序来获取令牌。该令牌传入标头。但是，抛出错误IDX10511签名验证失败。

我搜索了许多网站。我不知道如何验证Microsoft Graph API令牌。

任何人都知道，请分享您的知识。或其他任何方法来验证Graph API签名。

在我的示例代码中

  IList<string> validateAudience = new List<string>() { "00000003-0000-0000-c000-000000000000", $"{clientId1}", $"{clientId}", "https://graph.microsoft.com", "https://example.sharepoint.com", $"api://{clientId1}/user.read", $"api://{clientId}/user.read", $"api://{clientId}" };
        var metaDataUrl = $"https://login.microsoftonline.com/{Configuration["AzureAd:TenantId"]}/.well-known/openid-configuration";
      
        //OpenIdConnectConfiguration openidconfig = OpenIdConnectConfigurationRetriever.GetAsync(metaDataUrl, CancellationToken.None).Result;
        var configManager = new ConfigurationManager<OpenIdConnectConfiguration>($"https://sts.windows.net/{TenantId}/.well-known/openid-configuration", new OpenIdConnectConfigurationRetriever());
        var openidconfig = configManager.GetConfigurationAsync().Result;

    services.AddAuthentication(sharedOptions =>
    {
        sharedOptions.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        sharedOptions.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
        sharedOptions.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
   .AddAzureAd(options =>
    {
        Configuration.Bind("AzureAd", options);
    })
        .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, _ =>
          {

              _.Audience = Configuration["ClientId"];
              _.Authority = "https://login.microsoftonline.com/{TenantId}/v2.0";
              _.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters()
              {
                  ValidateAudience = false,
                  ValidAudiences = validateAudience,

                  ValidateIssuer = false,
                  ValidIssuer = "https://sts.windows.net/{TenantId}/",
                  ValidIssuers = new List<string>() { "https://login.microsoftonline.com/{TenantId}/v2.0", "https://sts.windows.net/{TenantId}/" },

                  ValidateIssuerSigningKey = false,
                  IssuerSigningKeys = openidconfig.SigningKeys,

                  RequireExpirationTime = true,
                  ValidateLifetime = false,
                  RequireSignedTokens = false,
              };
              _.RequireHttpsMetadata = false;
              _.Events = new JwtBearerEvents
              {
                  OnChallenge = context =>
                  {
                      return Task.CompletedTask;
                  },
                  OnMessageReceived = context =>
                  {
                      return Task.CompletedTask;
                  },
                  OnForbidden = context =>
                  {
                      return Task.CompletedTask;
                  },
                  OnAuthenticationFailed = context =>
                  {
                      return Task.CompletedTask;
                  },
                  OnTokenValidated = context =>
                  {
                      return Task.CompletedTask;
                  }
              };
          });

我已调试了基于MSAL和ADAL JS的应用程序，生成的令牌始终会收到OnAuthenticationFailed事件，并且会引发异常

“ IDX10511：签名验证失败。尝试的密钥：'Microsoft.IdentityModel.Tokens.X509SecurityKey，KeyId：'1E50B4475DAC931359D564309A3385FFAB7FB431'，InternalId：'f61f7746-3cff-4557-8b2c-b47fad9cf1e3'564FF4DACFB93B4D3DFAFA3FA4B3DFABFA3FA4B3D5FA4B3D5FA5B4D5FA4B3D5FA4B4B4B＆F3D4B4B＆F4C＆B＆B＆B; 4E4B＆F4B＆B＆B; 4E5B＆D＆B＆B >

已解析的JWT令牌图像

预先感谢。

Microsoft Graph API令牌验证-API服务器中的签名验证失败

0 个答案: