我有一个库存文件|new|web|asp.net核心web api项目模板,我在其中选择了生成以下Startup.cs 的AzureAD身份验证
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme)
.AddAzureADBearer(options => Configuration.Bind("AzureAd", options));
services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
}
以及以下appsettings.json
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "mymsdn.onmicrosoft.com",
"TenantId": "<my azuread tenant id>",
"ClientId": "<my azuread web app id>"
}
我正在使用poster来获取利用公共客户端配置文件应用程序设置的令牌,就像我为另一个web api设置所做的那样,该设置使用相同的azureAd承载令牌身份验证代码和设置坐标按预期工作。
由于某种原因,这个应用程序试图验证错误的令牌颁发者格式,我不知道如何更正它。
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler:Information: AzureADJwtBearer was not authenticated. Failure message: IDX10205: Issuer validation failed. Issuer: 'https://login.microsoftonline.com/<my azuread tenantid>/v2.0'. Did not match: validationParameters.ValidIssuer: 'null' or validationParameters.ValidIssuers: 'https://sts.windows.net/<my azuread tenantid>/'.
事实证明,如果您为ClientId配置了azuread应用程序注册条目,以支持任何组织或消费者(即microsoft帐户)登录,而不仅仅是您的组织或任何组织,则会出现此问题。修复方法是使用下面显示的Startup.ConfigureServices()代码的AddJwtBearer()块,而不是项目模板提供的AddAzureADBearer()块。
public void ConfigureServices(IServiceCollection services)
{
// if azuread app registrations entry for ClientId has "signInAudience": "AzureADMyOrg" or "AzureADMultipleOrgs" where "iss": "https://sts.windows.net/{TenantId}/"
services.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme)
.AddAzureADBearer(options => //Configuration.Bind("AzureAd", options));
{
Configuration.Bind("AzureAd", options);
Log.LogInformation($"the AddAzureADBearer options have been configured for ClientId = {options.ClientId}");
});
// if azuread app registrations entry for ClientId has "signInAudience": "AzureADandPersonalMicrosoftAccount" where "iss": "https://login.microsoftonline.com/{TenantId}/v2.0"
services.AddAuthentication(options => { options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme; })
.AddJwtBearer(options =>
{
var azureadoptions = new AzureADOptions(); Configuration.Bind("AzureAd", azureadoptions);
options.Authority = $"{azureadoptions.Instance}{azureadoptions.TenantId}/v2";
options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
{
ValidAudience = $"{azureadoptions.ClientId}",
//ValidAudiences = new List<string> { $"{azureadoptions.ClientId}", $"api://{azureadoptions.ClientId}", $"https://myapp.azurewebsites.net/" },
//ValidIssuer = $"https://sts.windows.net/{azureadoptions.TenantId}/" // for "signInAudience": "AzureADMyOrg" or "AzureADMultipleOrgs"
ValidIssuer = $"{azureadoptions.Instance}{azureadoptions.TenantId}/v2.0" // for "signInAudience": "AzureADandPersonalMicrosoftAccount"
//ValidIssuers = new List<string> { $"https://sts.windows.net/{azureadoptions.TenantId}/", $"{azureadoptions.Instance}{azureadoptions.TenantId}/v2.0" }
};
Log.LogInformation($"the AddJwtBearer options have been configured for ClientId = {azureadoptions.ClientId}");
});
services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
}
我试图在web api中验证uwp应用程序中的现有令牌,但我遇到了类似的问题:
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBeaerHandler:信息:无法验证令牌。
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException:IDX10205:颁发者验证失败。颁发者:'https://spolujizda.b2clogin.com/4e8094c9-5058-454c-b201-ef61d7ae6619/v2.0/"。不匹配:validationParameters.ValidIssuer:"null"或validationParameters.FalidIssuers:"https://login.microsoftonline.com/4e8094c9-5058-454c-b201-ef61d7ae6619/v2.0/"。
位于Microsoft.IdentityModel.Tokens.Validators.ValidateScrever(字符串颁发者,SecurityToken SecurityToken,TokenValidationParameters validationParameters)
位于System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateScreatorSystem.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken,TokenValidationParameters validationParametersMicrosoft.AspNetCore.Authentication.JwtBearer.JwtBear.HandleAuthenticateAsync()
Microsoft.AspNetCore.Authenticating.JwtBeaer.JwtBearHandler:信息:AzureADB2CJwtBearer未通过身份验证。失败消息:IDX10205:发卡机构验证失败。颁发者:'https://spolujizda.b2clogin.com/4e8094c9-5058-454c-b201-ef61d7ae6619/v2.0/"。不匹配:validationParameters.ValidIssuer:"null"或validationParameters.FalidIssuers:"https://login.microsoftonline.com/4e8094c9-5058-454c-b201-ef61d7ae6619/v2.0/"。Microsoft.AspNetCore.Mvc.Interal.ControllerActionInvoker:信息:路由与{action="Get",controller="Values"}匹配。执行操作Spolujizda.ApiServer.Controllers.ValuesController.Get(Spolujizida.ApiServer)Microsoft.AspNetCore.Authorization.DefaultAuthorizationService:信息:授权失败。Microsoft.AspNetCore.Mvc.Interal.ControllerActionInvoker:信息:筛选器"Microsoft.AspNetCore.Mvc。Authorization。AuthorizeFilter"处的请求授权失败。Microsoft.AspNetCore.Mvc.CharllengeResult:信息:使用身份验证方案执行ChallengeResult()。Microsoft.AspNetCore.Authentication.JwtBearer.JwtBeaerHandler:信息:AuthenticationScheme:AzureADB2CJwtBearer受到挑战。Microsoft.AspNetCore.Mvc.Interal.ControllerActionInvoker:信息:在8.105ms内执行的操作Spolujizda.ApiServer.Controllers.ValuesController.Get(Spoluji兹da.ApiServer)Microsoft.AspNetCore.Hosting.Internal.WebHost:信息:请求在8954.4739ms 401文本/普通中完成
但对我来说,修复要简单得多。
对于Web API,我将AzureAdB2C实例设置为https://spolujizda.b2clogin.com/tfp/。
对于UWP应用程序,我一直在通过https://login.microsoftonline.com/tfp/发行代币
这就是它导致这个错误的原因。因为在UWP应用程序中,令牌是为login.microsoft颁发的。。。在Web API中,它试图验证颁发者是否为spolujizda.b2clogin…
首先,我试图更改uwp应用程序的令牌发布地址,但没有成功。
所以第二,我只是将web api的AzureAdB2C实例配置更改为login.microsoft……现在它可以工作了。