我正在通过阅读文章尝试通过OAuth2使用OAuth2保护APIM API:通过对Azure AD使用OAuth 2.0授权来保护Azure API管理中的Web API后端
AzureAPIM-OAuth2
AzureAD-后端应用程序:
AzureAD-客户端应用程序:
对于Demo Conference API,将“验证JWT”策略添加到入站处理中,其中入站3a0cf09b-
IDb7c31179-
为后端应用程序应用ID:
在开发人员门户中,使用返回令牌对AzureAD进行身份验证成功:
检查jwt.io中收到的令牌,我发现"aud": "00000003-0000-0000-c000-000000000000"
不是后端应用程序应用程序ID:
{
"aud": "00000003-0000-0000-c000-000000000000",
"iss": "https://sts.windows.net/3a0cf09b-xxx/",
"app_displayname": "client-app",
"appid": "05a245fb-xxx",
"scp": "Files.Read User.Read profile openid email",
"tenant_region_scope": "OC",
"tid": "3a0cf09b-2952-4673-9ace-0e1bf69ee23a",
"unique_name": "[email protected]",
}
API测试HTTP响应跟踪显示validate-jwt上的错误:
validate-jwt (-0.138 ms)
{
"message": "JWT Validation Failed: Claim value mismatch: aud=b7c31179-xxx.."
}
更换aud
由值令牌00000003-0000-0000-c000-000000000000
或取出required-claims
的在validate-jwt
政策得到它的工作。
Any idea please?
It seems you choose v1 endpoint of OAuth2 authorization but not v2 endpoint, so the value of aud
in access token should be like b7c31179-xxxx....
but not api://b7c31179-xxxx....
. So there are no mistakes in your steps of get access token.
According to some test in my side, the cause of this problem is you did not specify a parameter resource
with the value of the backend-app application id when you configure OAuth2.0 in your APIM. The document you refer to also mentions this (I test with not specify this parameter, it shows same problem with yours)
So to solve this problem, please go to your APIM and click "OAuth 2.0" tab, edit the item you created. Add a parameter resource
with value of the backend-app application id.
注意:添加参数resource
并单击“保存”按钮时,请再次打开该项目,并检查“客户端密码”框是否为空。当我在一边测试时,“添加参数”框后的“客户端密码”框显示为空resource
,这可能是该页面上的错误。如果“客户密码”为空,则可能会显示错误消息,例如The request body must contain the following parameter: 'client_assertion' or 'client_secret'
在开发人员门户中获取访问令牌时。
本文收集自互联网,转载请注明来源。
如有侵权,请联系 [email protected] 删除。
我来说两句