
Problem description

I have created an ASP.Net Web API (.Net Framework) app with "Work or School Accounts" as the authentication type. This automatically registers this API app in my Azure subscription and I can see it under "App Registrations". I can see that the Home Page URL is pointing to a localhost address. I can see that the API is launching locally on the localhost address. I then launch Fiddler to get an access token from Azure AD. My POST request to the endpoint https://login.microsoftonline.com/<mytenant>.onmicrosoft.com/oauth2/token has the following 4 parameters:

grant_type=client_credentials
&client_id=<appid from Azure AD Portal>
&client_secret=<secret from Azure AD Portal>
&resource=<appid from Azure AD Portal>

I get a token back. When I decode this token, I see aud and appid as expected (matching the appid in Azure AD). I use this token as a bearer token to invoke the API by adding an Authorization: Bearer <mytoken> header to a GET request to https://localhost:44374/api/values. However, this GET call to my API returns the error message {"Message":"Authorization has been denied for this request."}.

What am I missing?

Recommended answer

You should use the App ID URI as the resource value when acquiring the token. You can find the App ID URI under Properties of the API app in the Azure portal; it looks like https://xxxxx.onmicrosoft.com/WebApplicationName. The Web API will check whether the aud claim in the access token matches the one you set in web.config:

using System.Configuration;
using System.IdentityModel.Tokens;
using Microsoft.Owin.Security.ActiveDirectory;

// Startup.Auth.cs, inside ConfigureAuth(IAppBuilder app)
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
    new WindowsAzureActiveDirectoryBearerAuthenticationOptions
    {
        Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
        TokenValidationParameters = new TokenValidationParameters
        {
            // Must equal the aud claim of the incoming token, i.e. the App ID URI
            ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
        },
    });

The ida:Audience value in web.config is the allowed audience.
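As an added illustration (not code from the question or the answer), the following mirrors the audience comparison the middleware performs: it decodes the aud claim of a token and checks it against the configured ida:Audience, showing why a token requested with resource=<appid> is rejected while one requested with the App ID URI is accepted. The app id, App ID URI and the unsigned token-building helper are constructed placeholders.

```python
import base64
import json

# Constructed placeholder values, not real tenant data.
APP_ID = "11111111-2222-3333-4444-555555555555"
APP_ID_URI = "https://contoso.onmicrosoft.com/WebApplicationName"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(aud: str, appid: str) -> str:
    """Build an unsigned, JWT-shaped string for illustration only (alg=none)."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": aud, "appid": appid, "iss": "https://sts.windows.net/<tenant-id>/"}
    return _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode()) + "."


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT without checking its signature.

    This is a diagnostic aid only; the OWIN bearer middleware validates the
    signature, issuer and audience for real before it admits a request.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_check(token: str, valid_audience: str) -> str:
    """Mirror the ValidAudience comparison and explain a mismatch."""
    aud = decode_claims(token).get("aud")
    if aud == valid_audience:
        return "ok: aud matches ida:Audience"
    return (f"rejected: aud={aud!r} does not match ida:Audience={valid_audience!r}; "
            "request the token with resource=<App ID URI>")


if __name__ == "__main__":
    wrong = make_token(aud=APP_ID, appid=APP_ID)      # resource=<appid>, as in the question
    right = make_token(aud=APP_ID_URI, appid=APP_ID)  # resource=<App ID URI>, as in the answer
    print(audience_check(wrong, APP_ID_URI))
    print(audience_check(right, APP_ID_URI))
```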


08-04 15:46