[英]JWT Validation Failing in Azure APIM
我正在嘗試配置 React SPA 以連接到 Azure API。 無論我嘗試什么,JWT 驗證都失敗了。 我已經在這里待了 3 天,此時我確信我忽略了一些簡單/明顯的事情。 以下是詳細信息:
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid">
<openid-config url="https://login.microsoftonline.com/tenantName.onmicrosoft.com/.well-known/openid-configuration" />
<required-claims>
<claim name="aud">
<value>guid-of-registered-API-app</value>
</claim>
</required-claims>
</validate-jwt>
我嘗試了各種其他配置:
[有關解碼的令牌信息,請參見下文]
已注冊應用程序公開: api://*guid-of-registered-API-app*/user_impersonation
(來自 JWT.io)
{
"aud": "00000003-0000-0000-c000-000000000000",
"iss": "https://sts.windows.net/tenant-guid/",
"iat": 1626371934,
"nbf": 1626371934,
"exp": 1626375834,
"acct": 0,
"acr": "1",
"acrs": [
"urn:user:registersecurityinfo",
"urn:microsoft:req1",
"urn:microsoft:req2",
"urn:microsoft:req3",
"c1",
"c2",
"c3",
"c4",
"c5",
"c6",
"c7",
"c8",
"c9",
"c10",
"c11",
"c12",
"c13",
"c14",
"c15",
"c16",
"c17",
"c18",
"c19",
"c20",
"c21",
"c22",
"c23",
"c24",
"c25"
],
"aio": "ASQA2/8TAAAA8QnjnouL0YsWy8XPuXhel67vtgZgYV5CgGbbKZXPsy0=",
"amr": [
"pwd"
],
"app_displayname": "app-display-name",
"appid": " guid-of-registered-API-app",
"appidacr": "0",
"family_name": "SMith",
"given_name": "Joe",
"idtyp": "user",
"ipaddr": "xxx.x.x.x",
"name": "Joe Smith",
"oid": "xxxxxxxx-7bf2-4b4a-b029-2bb10eb41c5e",
"platf": "3",
"puid": "10032000792D2327",
"rh": "0.AXMA2BYRYPLYhkC01dWK00t0K2OSYmKM4etBkR1sRefhJxVzACg.",
"scp": "Directory.Read.All Group.Read.All GroupMember.Read.All User.Read User.Read.All profile openid email",
"sub": "YryKYUeWm04s9todeZ32A1-OWhXdLLyWxOgQI-wa6KQ",
"tenant_region_scope": "EU",
"tid": " tenant-guid",
"unique_name": "joe.smith@mytenant.onmicrosoft.com",
"upn": " joe.smith@mytenant.onmicrosoft.com",
"uti": "6mbN5WfQLUCL-LVno3cgAQ",
"ver": "1.0",
"wids": [
"62e90394-69f5-4237-9190-012177145e10",
"b79fbf4d-3ef9-4689-8143-76b194e85509"
],
"xms_st": {
"sub": "KdgX5DPaGQfoho9O2ohOa_L-ULeYEOnLlTyTX8rf0jE"
},
"xms_tcdt": 1471244337
}
您在令牌請求中請求多個資源的范圍,這是不允許的。 根據msal 示例文檔:
Access Token requests in MSAL.js are meant to be per-resource-per-scope(s). This means that an Access Token requested for resource A with scope scp1:
- cannot be used for accessing resource A with scope scp2, and,
- cannot be used for accessing resource B of any scope.
相反,在此示例中,僅請求暴露的 API scope、 api://*guid-of-registered-API-app*/user_impersonation
User.Read
和其他 MS 范圍如果您還需要使用 MS Graph,請僅為該資源請求令牌。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.