Unable to use bearer token to access AAD-secure Web API

做~自己de王妃 submitted on 2019-12-01 06:30:46

Question


I have an API app secured with Azure AD (AAD). I also have an AAD application for a consuming application, and in the consuming application I have set up permissions to access the API app.

I am able to get a token, but when I go to use the token, the API app doesn't seem to look at the Authorization header. It tries to log me in via web browser.

My request looks like this:

    GET /api/ticketing/issueTopics HTTP/1.1
    Host: <removed>
    Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGc<rest is removed>
    Cache-Control: no-cache

This is what my Fiddler looks like.

The result I get in Postman is some MS redirect page:

    <html>
    <head>
        <title>Working...</title>
    </head>
    <body>
        <form method="POST" name="hiddenform" action="<removed>/.auth/login/aad/callback">
            <input type="hidden" name="id_token" value="<bearer token removed>" />
            <input type="hidden" name="state" value="/api/ticketing/issueTopics" />
            <input type="hidden" name="session_state" value="<removed>" />
            <noscript>
                <p>Script is disabled. Click Submit to continue.</p>
                <input type="submit" value="Submit" />
            </noscript>
        </form>
        <script language="javascript">document.forms[0].submit();</script>
    </body>

The bearer token I removed, when deserialized, has my information in it, not my consuming application. So, it's trying to authenticate me, rather than using the bearer token to authenticate.

Any ideas how to fix this?

Update 1

By means of update, I pulled down the servicePrincipal data related to my consuming application, and it clearly says the consuming app should be able to talk to the API app.

    "oauth2Permissions": [{
        "adminConsentDescription": "Allow the application to access Ticketing API on behalf of the signed-in user.",
        "adminConsentDisplayName": "Access Ticketing API",
        "id": "<removed>",
        "isEnabled": true,
        "type": "User",
        "userConsentDescription": "Allow the application to access Ticketing API on your behalf.",
        "userConsentDisplayName": "Access Ticketing API",
        "value": "user_impersonation"
    }]

Update 2

I made a console app to try it that way. I got a 401 (Unauthorized).

An interesting observation is that if I go to jwt.io and paste my token in, it is able to deserialize it, but it also says the token is invalid (Invalid Signature). Not sure what that implies.


Answer 1:


I figured out the issue after figuring out how to turn on detailed logging and poring through them.

Documentation on MSDN says to pass "resource" as the App ID Uri. But you actually need to pass the Client ID as the value for "resource." Once I changed that, everything worked perfectly.

I found this in a txt file in LogFiles\Application.

    2016-07-12T15:48:39  PID[8584] Warning     JWT validation failed: IDX10214: Audience validation failed. Audiences: 'https://<removed>.azurewebsites.net'. Did not match:  validationParameters.ValidAudience: '0b61abb8-59...7-6046c22f9c92' or validationParameters.ValidAudiences: 'null'.

Incorrect documentation I was looking at:

https://msdn.microsoft.com/en-us/library/partnercenter/dn974935.aspx
https://msdn.microsoft.com/en-us/library/azure/dn645543.aspx (this was the biggest offender as it does exactly what I want to do with incorrect information)
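The log line above is an audience mismatch: the token's `aud` claim carried the App ID URI while the API expected its client ID. As an added example (not code from the post or from Microsoft's libraries), the Python below decodes a token's payload and applies the same audience comparison, so the mismatch can be spotted before the request is ever sent. The App ID URI, client ID and issuer are constructed placeholders, and the token is deliberately unsigned because only the claims are inspected here; the real signature check is done by the API against the tenant's signing keys.

```python
import base64
import json

# Constructed placeholder values, not identifiers from the post.
APP_ID_URI = "https://example-api.azurewebsites.net"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(aud: str) -> str:
    # Constructed, unsigned token for claim inspection only (alg "none");
    # a real AAD access token is RS256-signed and must be verified by the API.
    header = {"typ": "JWT", "alg": "none"}
    payload = {
        "aud": aud,
        "iss": "https://sts.windows.net/<tenant-id-placeholder>/",
        "scp": "user_impersonation",
    }
    parts = [_b64url_encode(json.dumps(header).encode()),
             _b64url_encode(json.dumps(payload).encode()), ""]
    return ".".join(parts)


def token_audiences(token: str) -> list[str]:
    # Read the 'aud' claim without verifying the signature (diagnosis only).
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def check_audience(token: str, valid_audience: str) -> str:
    """Mirror the IDX10214 check: the token's aud must equal the API's expected audience."""
    auds = token_audiences(token)
    if valid_audience in auds:
        return "ok"
    return (f"IDX10214: Audience validation failed. Audiences: {auds!r}. "
            f"Did not match validationParameters.ValidAudience: {valid_audience!r}")
```

Requesting the token with `resource` set to the App ID URI yields the failing case; requesting it with the client ID yields "ok".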




Answer 2:


Are you using "UseWindowsAzureActiveDirectoryBearerAuthentication"? In the Web API you should use it; add it in the Startup Config, as follows:

    app.UseWindowsAzureActiveDirectoryBearerAuthentication(
        new WindowsAzureActiveDirectoryBearerAuthenticationOptions
        {
            Audience = ConfigurationManager.AppSettings["ida:Audience"],
            Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
        });

Hope this works for you, Regards!



Source: https://stackoverflow.com/questions/38332313/unable-to-use-bearer-token-to-access-aad-secure-web-api
