JWT 驗證在 Azure APIM 中失敗

Question

我正在嘗試配置 React SPA 以連接到 Azure API。 無論我嘗試什么，JWT 驗證都失敗了。 我已經在這里待了 3 天，此時我確信我忽略了一些簡單/明顯的事情。 以下是詳細信息：

• 我們有兩個應用程序：
  • 前端（反應）
  • API（Azure API 管理）
• Azure 應用程序網關位於 APIM 前面，但它所做的只是路由流量（APIM 不能從公共 Internet 獲得）
• 我已經確認正在提交不記名令牌：
• 正在請求正確的權限范圍：

API 策略 – 所有操作：

<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid">
    <openid-config url="https://login.microsoftonline.com/tenantName.onmicrosoft.com/.well-known/openid-configuration" />
    <required-claims>
        <claim name="aud">
            <value>guid-of-registered-API-app</value>
        </claim>
    </required-claims>
</validate-jwt>

我嘗試了各種其他配置：

• 聲明名稱： iss聲明值： https://sts.windows.net/*tenant-guid*/
• 聲明名稱： appId聲明值： api:// guid-of-registered-API-app
• 聲明名稱： aud聲明值： aud -value-of-token-from-jwt.io
• 還有2-3個我不記得細節了

[有關解碼的令牌信息，請參見下文]

權限范圍

已注冊應用程序公開： api://*guid-of-registered-API-app*/user_impersonation

API 注冊應用的權限

注冊應用認證

解碼 JWT 令牌

（來自 JWT.io）

{
  "aud": "00000003-0000-0000-c000-000000000000",
  "iss": "https://sts.windows.net/tenant-guid/",
  "iat": 1626371934,
  "nbf": 1626371934,
  "exp": 1626375834,
  "acct": 0,
  "acr": "1",
  "acrs": [
    "urn:user:registersecurityinfo",
    "urn:microsoft:req1",
    "urn:microsoft:req2",
    "urn:microsoft:req3",
    "c1",
    "c2",
    "c3",
    "c4",
    "c5",
    "c6",
    "c7",
    "c8",
    "c9",
    "c10",
    "c11",
    "c12",
    "c13",
    "c14",
    "c15",
    "c16",
    "c17",
    "c18",
    "c19",
    "c20",
    "c21",
    "c22",
    "c23",
    "c24",
    "c25"
  ],
  "aio": "ASQA2/8TAAAA8QnjnouL0YsWy8XPuXhel67vtgZgYV5CgGbbKZXPsy0=",
  "amr": [
    "pwd"
  ],
  "app_displayname": "app-display-name",
  "appid": " guid-of-registered-API-app",
  "appidacr": "0",
  "family_name": "SMith",
  "given_name": "Joe",
  "idtyp": "user",
  "ipaddr": "xxx.x.x.x",
  "name": "Joe Smith",
  "oid": "xxxxxxxx-7bf2-4b4a-b029-2bb10eb41c5e",
  "platf": "3",
  "puid": "10032000792D2327",
  "rh": "0.AXMA2BYRYPLYhkC01dWK00t0K2OSYmKM4etBkR1sRefhJxVzACg.",
  "scp": "Directory.Read.All Group.Read.All GroupMember.Read.All User.Read User.Read.All profile openid email",
  "sub": "YryKYUeWm04s9todeZ32A1-OWhXdLLyWxOgQI-wa6KQ",
  "tenant_region_scope": "EU",
  "tid": " tenant-guid",
  "unique_name": "joe.smith@mytenant.onmicrosoft.com",
  "upn": " joe.smith@mytenant.onmicrosoft.com",
  "uti": "6mbN5WfQLUCL-LVno3cgAQ",
  "ver": "1.0",
  "wids": [
    "62e90394-69f5-4237-9190-012177145e10",
    "b79fbf4d-3ef9-4689-8143-76b194e85509"
  ],
  "xms_st": {
    "sub": "KdgX5DPaGQfoho9O2ohOa_L-ULeYEOnLlTyTX8rf0jE"
  },
  "xms_tcdt": 1471244337
}

Answer 1

您在令牌請求中請求多個資源的范圍，這是不允許的。 根據msal 示例文檔：

Access Token requests in MSAL.js are meant to be per-resource-per-scope(s). This means that an Access Token requested for resource A with scope scp1:

- cannot be used for accessing resource A with scope scp2, and,
- cannot be used for accessing resource B of any scope.

相反，在此示例中，僅請求暴露的 API scope、 api://*guid-of-registered-API-app*/user_impersonation User.Read和其他 MS 范圍如果您還需要使用 MS Graph，請僅為該資源請求令牌。