
Using Microsoft Graph token to secure ASP.NET Core Web API with Jwt Bearer tokens

We have an ASP.NET Core Web API that I want to secure with a Microsoft Graph access token. The Graph token is valid and I can make a Graph call with it; it works fine.

However, if I try to access the ASP.NET Core Web API, which is configured with JWT Bearer authentication, it gives the following error.

Bearer error="invalid_token", error_description="The signature key was not found

Am I missing some configuration, or is this a problem with the Graph token? Here is how the authentication is configured.

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
               .AddJwtBearer(options =>
               {
                   options.TokenValidationParameters = new TokenValidationParameters()
                   {
                       ValidateIssuer = false, // For multi tenant
                       ValidateIssuerSigningKey = false,
                       ValidateAudience = false // This is for testing
                   };
               });

The same configuration works fine with an Azure AD access token.

We have an ASP.NET Core Web API that I want to secure with Microsoft Graph Access toke

No, I suggest registering your web API as a resource which is protected by Azure AD.

A Microsoft Graph API token is used to access Microsoft Graph; Microsoft Graph's server side will validate the claims/signature after receiving the JWT token. In addition, I remember Microsoft Graph API access tokens are signed differently from the JWT tokens which are issued from AAD. So let the Microsoft Graph API server side validate the token, and the token should not be used to protect other APIs.

Your client app could use the OpenID Connect middleware and the Active Directory Authentication Library (ADAL.NET) to obtain a JWT bearer token for the signed-in user using the OAuth 2.0 protocol. The bearer token is passed to the web API, which validates the token and authorizes the user using the JWT bearer authentication middleware:

Calling a web API in an ASP.NET Core web application using Azure AD
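
An added example (not part of the original answer and not Microsoft's sample code) of the setup the answer recommends: the API validates tokens issued for its own app registration, so a token whose audience is Microsoft Graph is rejected. The client ID and tenant ID strings are placeholders, the class and method names are hypothetical, and the issuer format assumes v2.0 access tokens.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class ApiAuthExtensions // hypothetical helper class
{
    // Placeholders (assumptions): values from the web API's own app registration.
    private static readonly string[] ApiAudiences =
        { "<your-api-client-id>", "api://<your-api-client-id>" };

    // Placeholders (assumptions): tenants allowed to call this multi-tenant API.
    private static readonly HashSet<string> AllowedTenantIds =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "<tenant-id-1>", "<tenant-id-2>" };

    public static IServiceCollection AddApiJwtAuth(this IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // The middleware loads the OpenID Connect metadata and signing keys from here.
                options.Authority = "https://login.microsoftonline.com/common/v2.0";
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // Accept only tokens minted for this API.
                    ValidateAudience = true,
                    ValidAudiences = ApiAudiences,
                    ValidateLifetime = true,
                    // Multi-tenant: allow-list tenants rather than setting ValidateIssuer = false.
                    ValidateIssuer = true,
                    IssuerValidator = (issuer, token, parameters) =>
                    {
                        foreach (var tenantId in AllowedTenantIds)
                        {
                            var expected = $"https://login.microsoftonline.com/{tenantId}/v2.0";
                            if (string.Equals(issuer, expected, StringComparison.OrdinalIgnoreCase))
                                return issuer;
                        }
                        throw new SecurityTokenInvalidIssuerException(
                            $"Issuer '{issuer}' is not an allowed tenant.");
                    }
                };
            });
        return services;
    }
}
```

The client then requests a token for this API's scope instead of a Graph scope and sends that token in the `Authorization: Bearer` header.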
