时间戳

首页 > 解决方案 > 使用带有 Azure AD 的 ASP.NET Core MVC 对 ASP.NET Core WebAPI 进行身份验证

c# - 使用带有 Azure AD 的 ASP.NET Core MVC 对 ASP.NET Core WebAPI 进行身份验证

问题描述

我有两个 Web 应用程序:一个ASP.NET Core MVC 网站和一个ASP.NET Core Web API(使用 ASP.NET Core 2.1)。

我使用 Azure AD 对网站中的用户进行身份验证。当我将 access_token 从网站传递到 API 时(使用带有“Bearer access_token”的授权标头);我有这个错误:

Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10503:签名验证失败。尝试的键:'Microsoft.IdentityModel.Tokens.X509SecurityKey,KeyId:...'。

我不明白为什么。

这是网站的配置:

services.AddAuthentication(o =>
{
    o.DefaultChallengeScheme = "aad";
    o.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    o.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, o =>
{
    o.Authority = azureAdsettings.Authority;
    o.Audience = azureAdsettings.ClientId;
})
.AddCookie()
.AddOpenIdConnect("aad", o =>
{
    o.Authority = azureAdsettings.Authority;
    o.AuthenticationMethod = OpenIdConnectRedirectBehavior.RedirectGet;
    o.ClientId = azureAdsettings.ClientId;
    o.ClientSecret = azureAdsettings.ClientSecret;
    o.ResponseType = OpenIdConnectResponseType.CodeIdToken;
    o.SaveTokens = true;
    o.TokenValidationParameters = new TokenValidationParameters
    {
        ValidIssuer = azureAdsettings.Authority
    };
    o.Events = new OpenIdConnectEvents
    {
        OnTicketReceived = ctx =>
        {
            return Task.CompletedTask;
        },
        OnAuthorizationCodeReceived = async ctx =>
        {
            TokenProvider tokenProvider = (TokenProvider)ctx.HttpContext.RequestServices.GetRequiredService<ITokenProvider>();
            await tokenProvider.AcquireTokenByAuthorizationCodeAsync(ctx);
        },
        OnAuthenticationFailed = context =>
        {
            context.Response.Redirect("/Error");
            context.HandleResponse(); // Suppress the exception
            return Task.CompletedTask;
        },
    };
});

这是 API 的配置:

services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options =>
{
    options.Authority = this.Configuration["AzureAd:Authority"];
    options.Audience = this.Configuration["AzureAd:ClientId"];
    options.TokenValidationParameters.ValidateIssuer = true;
    options.TokenValidationParameters.IssuerValidator = ValidateIssuer;
});

azureAdsettings对象在两个 appsettings.json 中完全相同

网站上的身份验证似乎运行良好。我可以获得授权码并检索访问令牌。

标签: c#asp.net-mvcazureasp.net-coreazure-active-directory

解决方案

推荐阅读