c# - IDW10201:在不记名令牌中找不到范围或角色声明。自定义 web api 核心
问题描述
我有一个这样的应用注册:
在我的 webappi 我的应用程序 settings.json: 我有这个:
{
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "xx.com.co",
"TenantId": "xx-c220-48a2-a73f-1177fa2c098e",
"ClientId": "xx-3737-48a5-a6c0-7e3bc4f9a5c9",
"CallbackPath": "/signin-oidc",
"Scopes" : "userimpersonation"
},
"Logging": {
"LogLevel": {
"Default": "Information",
"Microsoft": "Warning",
"Microsoft.Hosting.Lifetime": "Information"
}
},
"AllowedHosts": "*"
}
在我的 Startup.cs 中:
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApi(Configuration.GetSection("AzureAd"));
在我的控制器中:
[Authorize]
[RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes")]
[ApiController]
[Route("api/[controller]")]
public class WeatherForecastController : ControllerBase
{
因此,我运行网络应用程序,并通过邮递员获得令牌:
curl --location --request POST 'https://login.microsoftonline.com/xx-c220-48a2-a73f-1177fa2c098e/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cookie: wlidperf=FR=L&ST=1526512036088; fpc=AnqPVmkUS_BIgf3y-QfBcFEzTZcDBQAAAKAv0dcOAAAA; stsservicecookie=ests; x-ms-gateway-slice=prod' \
--form 'grant_type="client_credentials"' \
--form 'client_secret="xx"' \
--form 'client_id="xx-3737-48a5-a6c0-7e3bc4f9a5c9
"' \
--form 'scope="api://xx-3737-48a5-a6c0-7e3bc4f9a5c9/.default
"'
这很好用,但是如果我将范围更改为:api://xx-3737-48a5-a6c0-7e3bc4f9a5c9/userimpersonation。
然后我得到这个错误:
AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid
如果我使用默认范围提供的令牌,当我调用我的控制器时,我会收到以下错误:
System.UnauthorizedAccessException: IDW10201: Neither scope or roles claim was found in the bearer token.
at Microsoft.Identity.Web.MicrosoftIdentityWebApiAuthenticationBuilderExtensions.<>c__DisplayClass3_1.<<AddMicrosoftIdentityWebApiImplementation>b__1>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext)
at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider)
at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
解决方案
推荐阅读
- autodesk-forge - Autodesk Forge TokenFlex API 的脚本验证
- react-native - 有没有办法使用 for 循环映射对象数组?
- powershell - 有没有办法循环脚本,以便每次通过时使用不同的值
- java - 如何使用spring boot压缩下载的文件
- angular - 如何仅从 Angular Universal 的服务器端执行一些 http 请求
- c++ - Qt 3D:如何在每个面上绘制具有不同纹理的立方体?
- jenkins - 无法访问脚本化管道中的参数
- c++ - 无法删除类指针
- python - 如何使用 pytorch 获取 jacobian 以获得多元正态分布的对数概率
- javascript - 谷歌脚本变量未定义