Access token problem with Azure Functions authentication

Problem description

I set up AAD authentication for my Azure Functions by following the link "Enable Azure Active Directory in your App Service app". To call the Azure Functions, I tried using the token obtained as in the first case, "Access token request with a shared secret", and I received the error status 401 "You do not have permission to view this directory or page". This access token came from the URI https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token. In testing, I found that if I request the token from the URI https://login.microsoftonline.com/{tenantId}/oauth2/token instead, it works. Why is this?

The token from https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token decodes as follows.

{
  "typ": "JWT",
  "nonce": "klkSaiUS7yT5KMshYVJZAkyu5AuDV14yEQLEkxiz2o4",
  "alg": "RS256",
  "x5t": "huN95IvPfehq34GzBDZ1GXGirnM",
  "kid": "huN95IvPfehq34GzBDZ1GXGirnM"
}.{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/{tenantId}/",
  "iat": 1597615459,
  "nbf": 1597615459,
  "exp": 1597619359,
  "aio": "E2BgYOD6EGiutPFpxY67vVocPgv3AAA=",
  "app_displayname": "app Displayname",
  "appid": "{appId GUID}",
  "appidacr": "1",
  "idp": "https://sts.windows.net/{tenantId}/",
  "oid": "{GUID}",
  "roles": [
    "User.ReadWrite.All",
    "Group.ReadWrite.All",
    "User.Invite.All",
    "TeamMember.ReadWrite.All",
    "Team.ReadBasic.All",
    "GroupMember.ReadWrite.All"
  ],
  "sub": "{GUID}",
  "tenant_region_scope": "NA",
  "tid": "{tenantId}",
  "uti": "lA__6UDggU6QYEGdX0t_AA",
  "ver": "1.0",
  "xms_tcdt": 1590621751
}.[Signature]

The token from https://login.microsoftonline.com/{tenantId}/oauth2/token decodes as follows.

{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "huN95IvPfehq34GzBDZ1GXGirnM",
  "kid": "huN95IvPfehq34GzBDZ1GXGirnM"
}.{
  "aud": "00000002-0000-0000-c000-000000000000",
  "iss": "https://sts.windows.net/{tenantId}/",
  "iat": 1597615470,
  "nbf": 1597615470,
  "exp": 1597619370,
  "aio": "E2BgYOAS8fUOUly15/PahOer9u1iBQA=",
  "appid": "{appId GUID}",
  "appidacr": "1",
  "idp": "https://sts.windows.net/{tenantId}/",
  "oid": "{GUID}",
  "sub": "{GUID}",
  "tenant_region_scope": "NA",
  "tid": "{tenantId}",
  "uti": "3wr4Ulqcs0ueW77ZacF4AA",
  "ver": "1.0"
}.[Signature]

I know that the two tokens have different audiences, and I have added both of them to "Allowed token audiences" in the AAD authentication settings of the Azure Functions app.

Please help me understand this. Many thanks.

Tags: azure, oauth-2.0

Solution

