c# - IDW10201：在不记名令牌中找不到范围或角色声明。自定义 web api 核心

问题描述

我有一个这样的应用注册：

在我的 webappi 我的应用程序 settings.json: 我有这个：

{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "xx.com.co",
    "TenantId": "xx-c220-48a2-a73f-1177fa2c098e",
    "ClientId": "xx-3737-48a5-a6c0-7e3bc4f9a5c9",
    "CallbackPath": "/signin-oidc",
    "Scopes" : "userimpersonation"

  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
    }
  },
  "AllowedHosts": "*"
}

在我的 Startup.cs 中：

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddMicrosoftIdentityWebApi(Configuration.GetSection("AzureAd"));

在我的控制器中：

[Authorize]
    [RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes")]
    [ApiController]
    [Route("api/[controller]")]
    public class WeatherForecastController : ControllerBase
    {

因此，我运行网络应用程序，并通过邮递员获得令牌：

curl --location --request POST 'https://login.microsoftonline.com/xx-c220-48a2-a73f-1177fa2c098e/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cookie: wlidperf=FR=L&ST=1526512036088; fpc=AnqPVmkUS_BIgf3y-QfBcFEzTZcDBQAAAKAv0dcOAAAA; stsservicecookie=ests; x-ms-gateway-slice=prod' \
--form 'grant_type="client_credentials"' \
--form 'client_secret="xx"' \
--form 'client_id="xx-3737-48a5-a6c0-7e3bc4f9a5c9
"' \
--form 'scope="api://xx-3737-48a5-a6c0-7e3bc4f9a5c9/.default
"'

这很好用，但是如果我将范围更改为：api://xx-3737-48a5-a6c0-7e3bc4f9a5c9/userimpersonation。

然后我得到这个错误：

AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid

如果我使用默认范围提供的令牌，当我调用我的控制器时，我会收到以下错误：

System.UnauthorizedAccessException: IDW10201: Neither scope or roles claim was found in the bearer token. 
   at Microsoft.Identity.Web.MicrosoftIdentityWebApiAuthenticationBuilderExtensions.<>c__DisplayClass3_1.<<AddMicrosoftIdentityWebApiImplementation>b__1>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

标签： c#asp.net-coreasp.net-web-apiazure-active-directorymsal