Azure App Service Authentication/Authorization returns HTTP 401 IDX10205: Issuer validation failed

Problem description

I am having trouble calling my Azure Web App Service application (a REST API), which is protected with the built-in Authentication/Authorization at the App Service level.

Context:

The target application is a simple Spring Boot application whose endpoint /test returns Test OK. Security is not handled by the application itself; the goal is to test whether it can be handled on the "infrastructure" side, meaning without any development in the service.

It is configured like this:

Azure Web App Service configuration

The app registration was done by following this guide.

As the client, I am using the sample provided by Microsoft here, but the request is made against the target application instead of Microsoft Graph.

For this, the following configuration file is used:

{
    "authority": "https://login.microsoftonline.com/<my_tenant_id>",
    "client_id": "<my_client_id>",
    "scope": ["<API URI ( in form of api://GUID)>/.default"],
    "secret": "<my_client_secret>",
    "endpoint": "target_application_endpoint"
}

When I run it, I get HTTP 401 with the following JSON response body:

{
  "code": 401,
  "message": "IDX10205: Issuer validation failed. Issuer: '[PII is hidden]'. Did not match: validationParameters.ValidIssuer: '[PII is hidden]' or validationParameters.ValidIssuers: '[PII is hidden]'."
}

I also used it with the previous library (adal

This suggests that the issuer of the token is not the same, but when I look at my application settings in Kudu, I have the following:

{
  "deployment_branch": "master",
  "SCM_TRACE_LEVEL": "Verbose",
  "SCM_COMMAND_IDLE_TIMEOUT": "60",
  "SCM_LOGSTREAM_TIMEOUT": "7200",
  "SCM_BUILD_ARGS": "",
  "WEBSITE_AUTH_MSA_SCOPE": "",
  "ScmType": "VSTSRM",
  "WEBSITE_AUTH_UNAUTHENTICATED_ACTION": "RedirectToLoginPage",
  "WEBSITE_AUTH_AUTO_AAD": "False",
  "WEBSITE_AUTH_OPENID_ISSUER": "https://login.microsoftonline.com/<my_tenant_id>/",
  "WEBSITE_AUTH_LOGOUT_PATH": "/.auth/logout",
  "WEBSITE_AUTH_RUNTIME_VERSION": "~1",
  "WEBSITE_SITE_NAME": "<my_app_service_name>",
  "WEBSITE_AUTH_FB_SCOPE": "",
  "WEBSITE_AUTH_TOKEN_STORE": "False",
  "WEBSITE_AZMON_ENABLED": "True",
  "WEBSITE_AUTH_ENABLED": "True",
  "FUNCTIONS_RUNTIME_SCALE_MONITORING_ENABLED": "0",
  "WEBSITE_AUTH_ALLOWED_AUDIENCES": "<my_client_app_id_in_app_registrations>",
  "WEBSITE_HTTPLOGGING_RETENTION_DAYS": "15",
  "REMOTEDEBUGGINGVERSION": "16.0.28729.10",
  "SCM_USE_LIBGIT2SHARP_REPOSITORY": "0",
  "WEBSITE_AUTH_CLIENT_ID": "<my_target_app_id_in_app_registrations>",
  "WEBSITE_AUTH_DEFAULT_PROVIDER": "AzureActiveDirectory"
}

Any hints about this issue, or about a configuration error?


Edit: adding the app registration manifests

Target app manifest:

{
    "id": "<target_app_registration_id>",
    "acceptMappedClaims": null,
    "accessTokenAcceptedVersion": "2",
    "addIns": [],
    "allowPublicClient": false,
    "appId": "<target_app_id>",
    "appRoles": [
        {
            "allowedMemberTypes": [
                "Application"
            ],
            "description": "Accesses the TodoListService-Cert as an application.",
            "displayName": "access_as_application",
            "id": "<app_role_unique_ID>",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "value": "access_as_application"
        }
    ],
    "oauth2AllowUrlPathMatching": false,
    "createdDateTime": "2020-06-02T13:23:22Z",
    "groupMembershipClaims": null,
    "identifierUris": [
        "api://<target_app_id>"
    ],
    "informationalUrls": {
        "termsOfService": null,
        "support": null,
        "privacy": null,
        "marketing": null
    },
    "keyCredentials": [],
    "knownClientApplications": [],
    "logoUrl": null,
    "logoutUrl": null,
    "name": "Rule Engine",
    "oauth2AllowIdTokenImplicitFlow": true,
    "oauth2AllowImplicitFlow": true,
    "oauth2Permissions": [
        {
            "adminConsentDescription": "Test service",
            "adminConsentDisplayName": "Test service",
            "id": "<exposed_api_id_1>",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "type": "User",
            "userConsentDescription": null,
            "userConsentDisplayName": null,
            "value": "service"
        },
        {
            "adminConsentDescription": "Test",
            "adminConsentDisplayName": "Test",
            "id": "<exposed_api_id_2>",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "type": "User",
            "userConsentDescription": null,
            "userConsentDisplayName": null,
            "value": "Test.Test"
        }
    ],
    "oauth2RequirePostResponse": false,
    "optionalClaims": null,
    "orgRestrictions": [],
    "parentalControlSettings": {
        "countriesBlockedForMinors": [],
        "legalAgeGroupRule": "Allow"
    },
    "passwordCredentials": [],
    "preAuthorizedApplications": [
        {
            "appId": "<client_app_id>",
            "permissionIds": [
                "<exposed_api_id_2>",
                "<exposed_api_id_1>"
            ]
        }
    ],
    "publisherDomain": "<tenant_name>",
    "replyUrlsWithType": [
        {
            "url": "<app_url>",
            "type": "Web"
        }
    ],
    "requiredResourceAccess": [
        {
            // Default accesses and also the User.AccessAll mentioned for the Graph API as in the docs
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "0e263e50-5827-48a4-b97c-d940288653c7",
                    "type": "Scope"
                },
                {
                    "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
                    "type": "Scope"
                }
            ]
        }
    ],
    "samlMetadataUrl": null,
    "signInUrl": null,
    "signInAudience": "AzureADMyOrg",
    "tags": [
        "webApi",
        "notApiConsumer"
    ],
    "tokenEncryptionKeyId": null,
    "verifiedPublisher": {
        "displayName": null,
        "verifiedPublisherId": null,
        "addedDateTime": null
    }
}

Client app manifest:

{
    "id": "<client_app_registration_id>",
    "acceptMappedClaims": null,
    "accessTokenAcceptedVersion": "2",
    "addIns": [],
    "allowPublicClient": null,
    "appId": "<client_app_id>",
    "appRoles": [],
    "oauth2AllowUrlPathMatching": false,
    "createdDateTime": "2020-06-02T12:02:17Z",
    "groupMembershipClaims": null,
    "identifierUris": [],
    "informationalUrls": {
        "termsOfService": null,
        "support": null,
        "privacy": null,
        "marketing": null
    },
    "keyCredentials": [],
    "knownClientApplications": [],
    "logoUrl": null,
    "logoutUrl": null,
    "name": "daemon_rest_client",
    "oauth2AllowIdTokenImplicitFlow": false,
    "oauth2AllowImplicitFlow": false,
    "oauth2Permissions": [],
    "oauth2RequirePostResponse": false,
    "optionalClaims": {
        "idToken": [],
        "accessToken": [],
        "saml2Token": []
    },
    "orgRestrictions": [],
    "parentalControlSettings": {
        "countriesBlockedForMinors": [],
        "legalAgeGroupRule": "Allow"
    },
    "passwordCredentials": [
        {
            "customKeyIdentifier": null,
            "endDate": "2299-12-30T23:00:00Z",
            "keyId": "<client_secret_id>",
            "startDate": "2020-06-02T12:06:51.305Z",
            "value": null,
            "createdOn": "2020-06-02T12:06:54.1593511Z",
            "hint": "0CA",
            "displayName": "test_rest_call"
        }
    ],
    "preAuthorizedApplications": [],
    "publisherDomain": "<tenant_name>",
    "replyUrlsWithType": [],
    "requiredResourceAccess": [
        {
            "resourceAppId": "<target_app_id>",
            "resourceAccess": [
                {
                    "id": "<exposed_api_id_2>",
                    "type": "Scope"
                },
                {
                    "id": "<exposed_api_id_2>",
                    "type": "Scope"
                },
                {
                    "id": "<app_role_unique_ID>",
                    "type": "Role"
                }
            ]
        },
        {
            // Default accesses and also the User.AccessAll mentioned for the Graph API as in the docs
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "0e263e50-5827-48a4-b97c-d940288653c7",
                    "type": "Scope"
                },
                {
                    "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
                    "type": "Scope"
                }
            ]
        }
    ],
    "samlMetadataUrl": null,
    "signInUrl": null,
    "signInAudience": "AzureADMyOrg",
    "tags": [
        "apiConsumer",
        "backgroundProcess"
    ],
    "tokenEncryptionKeyId": null,
    "verifiedPublisher": {
        "displayName": null,
        "verifiedPublisherId": null,
        "addedDateTime": null
    }
}

Resource GUIDs omitted for compliance reasons.

Tags: azure, azure-active-directory, azure-web-app-service

Solution


I have been trying different scenarios to reproduce your issue, but I ran into a lot of trouble because I used the authentication in the Web App to auto-create the app registration. Then I randomly changed variables trying to make it fail. The only way I could make it fail is what I think rohit is on the right track with: accessTokenAcceptedVersion; when I set it to 2 it kept failing. Try setting it to empty (null),
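An added diagnostic, not part of the question or the answer above: decode the access token's `iss` claim (signature not verified; inspection only) and compare it with the issuer strings the API is configured to accept, so a v1/v2 issuer mismatch behind IDX10205 becomes visible before the token is sent. It assumes a placeholder tenant id, that the v1 metadata document behind a `https://login.microsoftonline.com/<tenant>/` issuer URL advertises the `https://sts.windows.net/<tenant>/` issuer, and that tokens minted with accessTokenAcceptedVersion 2 carry the `.../<tenant>/v2.0` issuer.

```python
import base64
import json
import re
from typing import Iterable, Optional

def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying the
    signature. Inspection only; never use this to accept a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def issuer_version(iss: str) -> Optional[str]:
    """Classify an Azure AD issuer: v1 tokens carry https://sts.windows.net/{tenant}/,
    v2 tokens carry https://login.microsoftonline.com/{tenant}/v2.0."""
    if re.fullmatch(r"https://sts\.windows\.net/[0-9a-f-]{36}/", iss):
        return "1.0"
    if re.fullmatch(r"https://login\.microsoftonline\.com/[0-9a-f-]{36}/v2\.0", iss):
        return "2.0"
    return None

def check_issuer(token: str, valid_issuers: Iterable[str]) -> dict:
    """Compare the token's `iss` with the issuers the API is configured to accept
    (trailing slash ignored), and report which token version the issuer implies."""
    iss = decode_jwt_claims(token).get("iss", "")
    norm = lambda s: s.rstrip("/")
    return {
        "iss": iss,
        "token_version": issuer_version(iss),
        "accepted": any(norm(iss) == norm(v) for v in valid_issuers),
    }

def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned (alg=none) JWT used only to exercise the check offline."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."

TENANT = "11111111-2222-3333-4444-555555555555"  # placeholder tenant id, not a real one
V1_ISSUER = f"https://sts.windows.net/{TENANT}/"              # what v1 metadata advertises (assumption)
V2_ISSUER = f"https://login.microsoftonline.com/{TENANT}/v2.0"  # issuer of a v2 access token

if __name__ == "__main__":
    # Constructed token shaped like one minted with accessTokenAcceptedVersion = 2.
    v2_token = make_unsigned_jwt({"iss": V2_ISSUER, "ver": "2.0", "aud": "api://placeholder"})
    print(check_issuer(v2_token, [V1_ISSUER]))  # accepted False: the shape behind IDX10205
    v1_token = make_unsigned_jwt({"iss": V1_ISSUER, "ver": "1.0", "aud": "api://placeholder"})
    print(check_issuer(v1_token, [V1_ISSUER]))  # accepted True
```

Run it against a real token obtained from the MSAL sample by passing that token string to `check_issuer` together with the `issuer` value from the `.well-known/openid-configuration` document of the configured WEBSITE_AUTH_OPENID_ISSUER.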
