.net 核心 2.2 Azure Ad Jwt 令牌
Posted
技术标签:
【中文标题】.net 核心 2.2 Azure Ad Jwt 令牌【英文标题】:.net core 2.2 Azure Ad Jwt Token 【发布时间】:2020-08-24 06:16:29 【问题描述】:我正在尝试在我的 .net core 2.2 中间件中验证从库 react-aad-msal 获得的 Azure 广告令牌。令牌似乎是有效的,但我从后端收到此错误
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'System.String'. ---> System.IO.IOException: IDX20804: Unable to retrieve document from: 'System.String'. ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 400 (Bad Request).
at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
--- End of inner exception stack trace ---
at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
--- End of inner exception stack trace ---
at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
这是我的中间件
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(x =>
x.RequireHttpsMetadata = false;
x.SaveToken = true;
x.TokenValidationParameters = new TokenValidationParameters
ValidateIssuerSigningKey = true,
IssuerSigningKey = new SymmetricSecurityKey(key),
ValidateIssuer = false,
ValidateAudience = false,
ValidIssuer = appSettings.Issuer,
ValidAudience = appSettings.Audience
;
)
.AddJwtBearer("AzureAd", opt =>
//opt.Authority = "https://login.microsoftonline.com/organizations";
opt.Authority = "https://login.microsoftonline.com/organizations";
opt.Audience = "api://xxxxxxxxxxxxxxxxxxxxxxxx"; // Set this to the App ID URL for the web API, which you created when you registered the web API with Azure AD.
URL for the web API, which you created when you registered the web API with Azure AD.
opt.TokenValidationParameters = new TokenValidationParameters
ValidateIssuer = true,
ValidateAudience = true,
ValidAudiences = new List<string>
// you could add a list of valid audiences
"yyyyyyyyyyyyyyyyyy"
,
ValidIssuers = new List<string>
// Add tenant id after https://sts.windows.net/
//"https://sts.windows.net/YourTenantId" //Questa è per la versione 1 del token
"https://login.microsoftonline.com/xxxxxxxxxxxxx"
;
opt.Events = new JwtBearerEvents()
OnAuthenticationFailed = AuthenticationFailed
;
);
services.AddAuthorization(options =>
var defaultAuthorizationPolicyBuilder = new AuthorizationPolicyBuilder(
JwtBearerDefaults.AuthenticationScheme,
"AzureAd");
defaultAuthorizationPolicyBuilder =
defaultAuthorizationPolicyBuilder.RequireAuthenticatedUser();
options.DefaultPolicy = defaultAuthorizationPolicyBuilder.Build();
);
令牌已从 azure ad 正确发出,因为如果我在 reactjs 文件中解码该令牌,似乎有正确的信息。但是,当我尝试使用 [Authorize] 属性访问受保护的 WEB API 时,会出现错误。 感谢您的帮助!
【问题讨论】:
【参考方案1】:替换
opt.Authority = "https://login.microsoftonline.com/organizations";
与
opt.Authority = "https://login.microsoftonline.com/tenant id or name";
【讨论】:
以上是关于.net 核心 2.2 Azure Ad Jwt 令牌的主要内容,如果未能解决你的问题,请参考以下文章
ASP.NET Core 2.2 中的 Azure AD 身份验证
Azure AD 多租户,.Net Core Web API 与 JWT 令牌
带有 JWT Bearer 令牌和 ASP.NET Core 2 WebApi 的 Azure AD 用户信息
ASP.NET Core MVC 向 Azure AD 验证用户,然后创建 JWT Bearer Token 以调用 Web API