[英]Cannot authenticate to custom API in Azure AD (JWT token issue)
I have a JWT token issue when trying to the use the AadHttpClientFactory within the SharePoint Framework (SPFx).尝试在 SharePoint 框架 (SPFx) 中使用 AadHttpClientFactory 时出现 JWT 令牌问题。 I have a custom AAD App registration that is setup to allow implicit grant flow.
我有一个自定义的 AAD 应用注册,该注册设置为允许隐式授权流。 I have another app service running a small .netcore API that requires authentication.
我有另一个运行需要身份验证的小型 .netcore API 的应用程序服务。 My API is not setup to authenticate the user, rather it validates the token coming from the Authorization header using the following Azure AD values.
我的 API 未设置为对用户进行身份验证,而是使用以下 Azure AD 值验证来自 Authorization 标头的令牌。
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "domain.onmicrosoft.com",
"TenantId": "09e6b9a6-59fc-419d-xxxx-xxxxxxxxxxxx",
"ClientId": "f46a1554-7fd9-4627-xxxx-xxxxxxxxxxxx",
"ClientSecret": "xxxx-xxxxxxxxxxxx",
"Issuer": "https://login.microsoftonline.com/09e6b9a6-59fc-419d-xxxx-xxxxxxxxxxxx/v2.0"
}
I have my SPFx service setup to fetch the client like this: this.aadHttpClientFactory.getClient("api://URI").我有我的 SPFx 服务设置来获取客户端,如下所示:this.aadHttpClientFactory.getClient("api://URI")。
It then calls my custom service, but no matter what I do I get a 401.然后它调用我的自定义服务,但无论我做什么,我都会收到 401。
If I use the following URL to fetch a token and use it to hit my service it works fine:如果我使用以下 URL 来获取令牌并使用它来访问我的服务,它可以正常工作:
https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?client_id=<client-id>&response_type=id_token&redirect_uri=https://localhost:5001&scope=openid&response_mode=fragment&state=12345&nonce=678910
So, I inspected both JWT tokens (one coming back from SPFX and one I generate using the URL above).因此,我检查了两个 JWT 令牌(一个是从 SPFX 返回的,另一个是我使用上面的 URL 生成的)。 They are vastly different.
它们有很大的不同。 The token I get back from SPFx has much more information in it and the Issuer is
https://sts.windows.net/<tenant-id>
but my API is looking for https://login.microsoftonline.com/<tenant-id>/v2.0
as the issuer.我从 SPFx 取回的令牌中包含更多信息,发行人是
https://sts.windows.net/<tenant-id>
但我的 API 正在寻找https://login.microsoftonline.com/<tenant-id>/v2.0
作为发行者。 I feel that the issuer is where it is failing but I have tried updating my API to use the issuer that is coming back from SPFx and it still doesn't work.我觉得发行者是失败的地方,但我尝试更新我的 API 以使用从 SPFx 返回的发行者,但它仍然无法正常工作。 Any ideas?
有任何想法吗?
Found this post that said the audience was invalid.发现这个帖子说观众无效。 I was able to find the same error inside my response.
我能够在我的回复中找到相同的错误。 I updated my client ID to match my api URI of api:// and it worked.
我更新了我的客户端 ID 以匹配我的 api URI api:// 并且它起作用了。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.