Karate API Test - Bearer error="invalid_token", error_description="The audience <number> is invalid"
I'm using secret keys to generate an access token that I will use to authenticate to an API that I call. The issue is that I'm getting the error:
status code was: 401, expected: 200
WWW-Authenticate: Bearer error="invalid_token", error_description="The audience value is invalid"
This is how I call the API:
# Step 1: obtain an access token with the client_credentials grant
Given url 'https://login.microsoftonline.com/tenant_id/oauth2/token'
And form field grant_type = 'client_credentials'
And form field client_id = 'value'
And form field client_secret = 'value'
When method post
Then status 200
# Karate steps that are not Gherkin keywords need a '*' (or And) prefix
* match response.access_token != null
* def access_token = response.access_token
* print access_token

# Step 2: call the API with the token as a Bearer credential
Given header Authorization = 'Bearer ' + access_token
Given url 'url'
# note: 'plain/text' is not a registered media type; confirm against the working Postman request
And header accept = 'plain/text'
And header X-Mimic-User = 'confidential'
When method get
Then status 200
I'm expecting to be authenticated to the API with the generated access token.
So it appears your error may be related to the Authorization header, although the error description is hard to decipher; possibly scope related? I would list the URL first, not the header, unless you are re-using it and want to configure the value for subsequent requests. Another way of setting the Bearer token is:

And match response.access_token == '#present'
* def oauthToken = `Bearer ${response.access_token}`

But really the most important thing is for you to check your request, including headers, and compare it between Karate and Postman to see what is different.
From what I see in the error description, the first API call made towards your auth provider is returning a 200 with an access token, but the second call you are making to your application server seems to be failing to see the audience value in your access token.

I doubt you are using the same client credentials input (client_id, client_secret) in your Postman and Karate setup. Make sure they are the same.

I would also confirm that the access token received has the aud parameter by checking it in https://jwt.io or any other tool you trust to decode your access token JWT. For the sake of experimentation, do the same for the access token you got from Postman as well.

Ideally, these configurations are very internal to your application and identity team and may not be directly related to Karate. The other teams mentioned should be the ones best placed to guide you.
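Both answers come down to the same diagnostic: decode the token the Karate run actually obtained, look at its aud claim, and compare it with the token Postman gets. The following is an added Python example (not from the question or either answer) that does this locally, so a live credential never has to be pasted into a third-party site. It decodes the JWT without verifying the signature (exactly what jwt.io does), reports why a resource server expecting a given audience would reject the token, and diffs the non-volatile claims of two tokens. The audience values api://my-api and api://some-other-api, the issuer URL and the two sample tokens are constructed for this example and are not real Azure AD values.

```python
import base64
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWTs strip base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Split a compact JWS and decode its header and payload.

    No signature check is performed: this is purely for inspection, the same
    thing jwt.io does in the browser. The API still verifies the signature,
    so never make an authorization decision on claims read this way.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return {"header": header, "payload": payload}


def check_audience(token: str, expected_audience: str, now: Optional[float] = None) -> list:
    """Return the reasons a resource server expecting `expected_audience` would
    reject this token; an empty list means the aud and time claims look fine."""
    claims = decode_jwt_claims(token)["payload"]
    now = time.time() if now is None else now
    problems = []

    # RFC 7519: aud is either a single string or an array of strings.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if not audiences:
        problems.append("aud claim missing")
    elif expected_audience not in audiences:
        problems.append(f"aud {audiences!r} does not include {expected_audience!r}")

    if "exp" in claims and now >= claims["exp"]:
        problems.append("token expired (exp in the past)")
    if "nbf" in claims and now < claims["nbf"]:
        problems.append("token not yet valid (nbf in the future)")
    return problems


# Claims that legitimately differ between two issuances of the "same" token.
VOLATILE_CLAIMS = {"iat", "nbf", "exp", "jti", "uti", "nonce"}


def diff_claims(token_a: str, token_b: str) -> dict:
    """Compare the payloads of two tokens (e.g. Postman vs Karate) and return
    {claim: (value_a, value_b)} for every claim that differs."""
    a = decode_jwt_claims(token_a)["payload"]
    b = decode_jwt_claims(token_b)["payload"]
    return {
        k: (a.get(k), b.get(k))
        for k in sorted(set(a) | set(b))
        if k not in VOLATILE_CLAIMS and a.get(k) != b.get(k)
    }


def make_unsigned_sample_token(payload: dict) -> str:
    """Build a CONSTRUCTED sample token for offline testing. The signature
    segment is a placeholder; real tokens from login.microsoftonline.com are
    RS256-signed and the API would reject anything assembled like this."""
    header = {"typ": "JWT", "alg": "RS256"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


# Constructed sample claims: same client, issued for two different audiences.
NOW = 1_700_000_000
_COMMON = {"iss": "https://sts.windows.net/tenant_id/", "appid": "client_id",
           "nbf": NOW - 300, "exp": NOW + 3600, "iat": NOW - 300}
TOKEN_OK = make_unsigned_sample_token({**_COMMON, "aud": "api://my-api"})
TOKEN_WRONG_AUD = make_unsigned_sample_token({**_COMMON, "aud": "api://some-other-api"})


if __name__ == "__main__":
    for name, tok in [("ok", TOKEN_OK), ("wrong aud", TOKEN_WRONG_AUD)]:
        print(name, check_audience(tok, "api://my-api", now=NOW) or "no problems")
    print("claims that differ:", diff_claims(TOKEN_OK, TOKEN_WRONG_AUD))
```

To apply it to the question, replace the two constructed tokens with the access_token strings printed by the Karate step and copied from Postman, and pass the API's own application ID URI (or client ID) as expected_audience. If diff_claims shows aud or appid differing, the two runs are not requesting a token for the same resource or with the same client, which is exactly the mismatch the 401 describes.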