[英]Blazor Client/Server AAD Authentication issue after publish
I have a Blazor application with Client/Server/Shared projects.我有一个带有客户端/服务器/共享项目的 Blazor 应用程序。 On creating locally used Azure Active Directory to connect our O365 accounts for logging in/authentication.
在创建本地使用的 Azure Active Directory 以连接我们的 O365 帐户以进行登录/身份验证。
Used the default code provided when selecting to use these accounts during the new project setup in Visual Studio, added the relevant App Registrations, redirect URIs, API Access permissions and updated projects with relevant Tenant/Client Ids etc. On debugging locally, all the authentication both on client and server works as expected.使用在 Visual Studio 中设置新项目期间选择使用这些帐户时提供的默认代码,添加相关的应用程序注册、重定向 URI、API 访问权限并更新具有相关租户/客户端 ID 的项目等。在本地调试时,所有身份验证在客户端和服务器上都按预期工作。
However, when publishing the project to a server for live test, whilst the client side correctly logs and displays the authenticated user, any calls to Server Web API controllers now fail where the [Authorize] is used with the message:但是,当将项目发布到服务器进行实时测试时,当客户端正确记录并显示经过身份验证的用户时,对服务器 Web API 控制器的任何调用现在都会失败,其中 [Authorize] 与消息一起使用:
Bearer error="invalid_token", error_description="The audience 'api://xxxetc' is invalid"
I have checked the token both local and live and issuer, audience etc is all the same.我已经检查了本地和现场的令牌,发行者、观众等都是一样的。 The manifest for the server app registration does not state accessTokenAcceptedVersion, and I have tried both adding and removing api:// from appsettings and other places as a test but with no luck.
服务器应用程序注册的清单不是 state accessTokenAcceptedVersion,我已经尝试从 appsettings 和其他地方添加和删除 api:// 作为测试,但没有运气。
I am unusure at this point what else I can check or where to go so any help is much appreciated.在这一点上,我不确定我还能检查什么或 go 的位置,因此非常感谢任何帮助。 I have supplied examples of all code/settings used below but removed the actual values.
我提供了下面使用的所有代码/设置的示例,但删除了实际值。
Client AppSettings:客户端应用设置:
"AzureAd": {
"Authority": "https://login.microsoftonline.com/xxxxx",
"ClientId": "971f156e-xxxetc",
"ValidateAuthority": true
} }
Client Program.cs (Relevant parts only): Client Program.cs (仅相关部分):
builder.Services.AddHttpClient("ProjectName.ServerAPI", client => client.BaseAddress = new Uri(builder.HostEnvironment.BaseAddress))
.AddHttpMessageHandler<BaseAddressAuthorizationMessageHandler>();
builder.Services.AddScoped(sp => sp.GetRequiredService<IHttpClientFactory>().CreateClient("ProjectName.ServerAPI"));
builder.Services.AddMsalAuthentication(options =>
{
builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication);
options.ProviderOptions.LoginMode = "Redirect";
options.ProviderOptions.DefaultAccessTokenScopes.Add("api://4f7ef7bbxxxetc/API.Access");
});
Server AppSettings:服务器应用设置:
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "companyname.com",
"TenantId": "273a37a4-etc",
"ClientId": "4f7ef7bb-etc",
"Scopes": "API.Access",
"CallbackPath": "/signin-oidc"
} }
Server Program.cs (Relevant part only) Server Program.cs (仅相关部分)
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));
The Server app registration client ID/App id is indeed the correct api://4fetc. Server app注册客户端ID/App id确实是正确的api://4fec。 All other IDs appear to match as required and API Permissions given to both using same scope so should all be correct as per local version working.
所有其他 ID 似乎都根据需要匹配,并且 API 使用相同的 scope 授予两者的权限,因此根据本地版本的工作应该都是正确的。
To resolve the error, please try including audience
parameter in App settings like below:要解决此错误,请尝试在应用设置中包含
audience
参数,如下所示:
"audience":"api://{clientId}"
Make sure to grant Api permissions for the scope like below:确保为 scope 授予Api 权限,如下所示:
Go to Azure Portal -> Azure Active Directory -> App registrations -> Api permissions -> Add permissions -> My APIs Go to Azure Portal -> Azure Active Directory -> App registrations -> Api permissions -> Add permissions -> My APIs
Based on the type of token endpoint you are using, try to add accessTokenAcceptedVersion
in the Manifest accordingly as mentioned in this MsDoc .根据您使用的令牌端点的类型,尝试在 Manifest 中相应地添加
accessTokenAcceptedVersion
,如本MsDoc中所述。
After generating the token, try decoding it via JSON Web Tokens - jwt.io and verify the aud
and scp
claims. After generating the token, try decoding it via JSON Web Tokens - jwt.io and verify the
aud
and scp
claims.
References:参考:
c# - .net core 3.1 Bearer error="invalid_token", error_description="The audience 'empty' is invalid" - Stack Overflow c# - .net 核心 3.1 承载错误 =“invalid_token”,error_description =“观众'空'无效” - VoidCC
accessTokenAcceptedVersion default behaviour is not correct · Issue #19304 · MicrosoftDocs/azure-docs · GitHub accessTokenAcceptedVersion 默认行为不正确 · 问题 #19304 · MicrosoftDocs/azure-docs · GitHub
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.