我有一个这样的应用注册:
在我的 webappi 我的应用 settings.json:我有这个:
{
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "xx.com.co",
"TenantId": "xx-c220-48a2-a73f-1177fa2c098e",
"ClientId": "xx-3737-48a5-a6c0-7e3bc4f9a5c9",
"CallbackPath": "/signin-oidc",
"Scopes" : "userimpersonation"
},
"Logging": {
"LogLevel": {
"Default": "Information",
"Microsoft": "Warning",
"Microsoft.Hosting.Lifetime": "Information"
}
},
"AllowedHosts": "*"
}
在我的 Startup.cs 中:
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApi(Configuration.GetSection("AzureAd"));
在我的控制器中:
[Authorize]
[RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes")]
[ApiController]
[Route("api/[controller]")]
public class WeatherForecastController : ControllerBase
{
所以,我运行了网络应用程序,并通过邮递员获得了一个令牌:
curl --location --request POST 'https://login.microsoftonline.com/xx-c220-48a2-a73f-1177fa2c098e/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cookie: wlidperf=FR=L&ST=1526512036088; fpc=AnqPVmkUS_BIgf3y-QfBcFEzTZcDBQAAAKAv0dcOAAAA; stsservicecookie=ests; x-ms-gateway-slice=prod' \
--form 'grant_type="client_credentials"' \
--form 'client_secret="xx"' \
--form 'client_id="xx-3737-48a5-a6c0-7e3bc4f9a5c9
"' \
--form 'scope="api://xx-3737-48a5-a6c0-7e3bc4f9a5c9/.default
"'
这很好,但是如果我将范围更改为:api://xx-3737-48a5-a6c0-7e3bc4f9a5c9/userimpersonation。
然后我得到这个错误:
AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid
如果我使用默认范围提供的令牌,当我调用我的控制器时,我收到以下错误:
System.UnauthorizedAccessException: IDW10201: Neither scope or roles claim was found in the bearer token.
at Microsoft.Identity.Web.MicrosoftIdentityWebApiAuthenticationBuilderExtensions.<>c__DisplayClass3_1.<<AddMicrosoftIdentityWebApiImplementation>b__1>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext)
at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider)
at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)