堆棧內存溢出
  簡體   English   中英

Azure AD 多租戶、.Net Core Web API 和 MSAL(Microsoft 身份驗證庫)

[英]Azure AD Multi Tenant ,.Net Core Web API with MSAL(Microsoft Authentication Libary)

 原文  2020-03-16 20:09:44       c#/ azure-active-directory/ asp.net-core-webapi/ msal/ asp.net-core-3.1

問題描述

我相信我有 Microsoft 身份驗證庫 (MSAL) JavaScript 拉回 JWT 令牌,使用具有以下配置的 azure AD 多租戶。 基於此鏈接https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant 我相信我只需要以下兩個值。

clientId: "A134d6c8-8078-2924-9e90-98cef862eb9a" // this would be the app registrations client id(application)
authority: "https://login.microsoftonline.com/common"

那么我如何配置一個 .net core 3 web api,它可以處理這個 JWT 令牌並通過我傳遞 Authorization: Bearer 標頭來驗證 [Authorize] 端點。

我目前在響應中收到此錯誤,這不是很有幫助!

AuthenticationFailed: IDX10511: Signature validation failed. Keys tried: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. 
kid: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. 
Exceptions caught:
 '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
token: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.

Startup.cs 代碼如下

using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.IdentityModel.Tokens;

namespace MultiTenantApi
{
    public class Startup
    {
        public Startup(IConfiguration configuration)
        {

            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        // This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddCors(x =>
            {
                x.AddDefaultPolicy(cfg =>
                {
                    cfg.AllowAnyOrigin()
                        .AllowAnyHeader()
                        .AllowAnyMethod();
                });
            });

            services.AddAuthentication(cfg =>
                {
                    cfg.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                    cfg.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
                })
                .AddJwtBearer(opt =>
                {
                    opt.Authority = "https://login.microsoftonline.com/common";
                    opt.Audience = "api://A134d6c8-8078-2924-9e90-98cef862eb9a"; // Set this to the App ID URL for the web API, which you created when you registered the web API with Azure AD.
                    opt.TokenValidationParameters = new TokenValidationParameters
                    {
                        ValidateIssuer = false
                    };
                    opt.Events = new JwtBearerEvents()
                    {
                        OnAuthenticationFailed = AuthenticationFailed
                    };
                });

            services.AddControllers();

        }

        private Task AuthenticationFailed(AuthenticationFailedContext arg)
        {
            // For debugging purposes only!
            var s = $"AuthenticationFailed: {arg.Exception.Message}";
            arg.Response.ContentLength = s.Length;
            arg.Response.Body.WriteAsync(Encoding.UTF8.GetBytes(s), 0, s.Length);
            return Task.FromResult(0);
        }
        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }

            app.UseHttpsRedirection();

            app.UseStaticFiles(); // Added

            app.UseRouting();
            app.UseCors(); //Added

            app.UseAuthentication();
            app.UseAuthorization();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllers();
            });

        }

    }
}

1 個解決方案

解決方案1
 1 已采納  2020-03-17 06:36:27

在您的ConfigureServices方法中,添加IdentityModelEventSource.ShowPII = true; 顯示錯誤的詳細信息並查看問題。

參考:

  1. asp.net azure 活動目錄集成錯誤消息包含“[PII is hidden]”
  2. PII 是隱藏的錯誤 #51

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

相關問題 帶有 JWT 令牌的 Azure AD 多租戶、.Net Core Web API .Net Core Azure AD單租戶認證 Azure Function App Web API 的 .Net Core MSAL 身份驗證 Azure 使用 .net 核心 3.1 中的 azure 活動目錄(單租戶)的廣告身份驗證和授權? 完全設置 .NET Core Web API 以使用 Z3A580F142203677F1F0BC30898F63F 認證 Always getting null value in User Details from Azure AD after authentication .NET Core (3.0) Web API 使用 Azure AD 驗證返回 401 多租戶Azure AD身份驗證權限錯誤 .Net Core 6.0 API - Azure AD 身份驗證錯誤 基於多租戶Asp.net核心網站中的參數的JWT身份驗證
相關標簽
 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM