Azure AD的Active Directory身份验证例外(AADSTS90027)
[英]Active Directory Authentication Exception (AADSTS90027) with Azure AD
问题描述
I have a native client application which is obtaining an OAuth2 token for Active Directory authorization. 
我有一个本机客户端应用程序,它获取Active Directory授权的OAuth2令牌。 It will then use that token to communicate with a secure Web API server where certain areas of the API are secured using the [Authorize] attribute. 然后,它将使用该令牌与安全的Web API服务器进行通信,其中使用[Authorize]属性保护API的某些区域。 The server is also registered with Azure AD and can properly authorize requests through AD. 该服务器还在Azure AD中注册,可以通过AD正确授权请求。
When I try to get the token, I get the following exception on Line 2 of the code below: 当我尝试获取令牌时,我在下面的代码的第2行得到以下异常:
Additional information: invalid_request: AADSTS90027: The client '<Client GUID>' and resource ' https://abccompany.com/MyApplication.Server ' identify the same application.
Here is my code which I am running in the native client (just on a button press as a test, for now). 这是我在本机客户端中运行的代码(现在只需按下按钮作为测试)。 Obviously the GUID and company names have been obfuscated. 显然,GUID和公司名称已被混淆。
AuthenticationContext ac = new AuthenticationContext("https://login.windows.net/abccompany.com");
AuthenticationResult ar = ac.AcquireToken("https://abccompany.com/MyApplication.Server", "<Client GUID>", new Uri("https://localhost:44300/secure"), PromptBehavior.Auto);
I made sure the redirect existed in Azure in the application configuration (otherwise there would have been a redirect error instead). 我确保在应用程序配置中Azure中存在重定向(否则会出现重定向错误)。 What does the error mean? 错误是什么意思?
1 个解决方案
解决方案1
5 2014-06-30 04:21:07
You seem to be using the clientId of the WebAPI where you need to supply the clientId of the client app. 您似乎正在使用WebAPI的clientId,您需要提供客户端应用程序的clientId。 Please register a separate 'Native client application' in Azure AD representing the client app. 请在Azure AD中注册一个单独的“本机客户端应用程序”,代表客户端应用程序。
The following topic explains the protocol flow and how to register WebAPIs in Azure AD such that users from multiple AD tenants can use that API: http://msdn.microsoft.com/en-us/library/azure/dn499820.aspx#BKMK_Native The following samples should see you through: 以下主题说明了协议流以及如何在Azure AD中注册WebAPI,以便来自多个AD租户的用户可以使用该API: http : //msdn.microsoft.com/en-us/library/azure/dn499820.aspx#BKMK_Native以下示例应该可以看到您:
- Single tenant WebAPI: https://github.com/AzureADSamples/NativeClient-WindowsStore 单租户WebAPI: https : //github.com/AzureADSamples/NativeClient-WindowsStore
- Multi-tenant WebAPI: https://github.com/AzureADSamples/NativeClient-WebAPI-MultiTenant-WindowsStore 多租户WebAPI: https : //github.com/AzureADSamples/NativeClient-WebAPI-MultiTenant-WindowsStore
Hope this helps. 希望这可以帮助。
ps: Azure AD doesn't issue a token when the client and resource are the same application. ps:当客户端和资源是同一个应用程序时,Azure AD不会发出令牌。 In your case they should indeed be different and resource clientid (issued to a confidential client) should not be used as a public client - however for service to service scenarios, it can be argued that issuing tokens to self should be allowed - this is something we are looking into. 在您的情况下,它们确实应该是不同的,并且资源密切(发布给机密客户端)不应该用作公共客户端 - 但是对于服务方案服务,可以认为应该允许向自己发放令牌 - 这是某种东西我们正在调查。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.