问题描述
我已经创建了一个以工作或学校帐户"作为身份验证类型的ASP.Net Web API(.Net Framework)应用程序.这会自动在我的Azure订阅中注册此API应用程序,我可以在应用程序注册"下看到它一个>.我可以看到主页网址"指向本地主机地址.我可以看到API正在本地主机地址上启动.然后,我启动Fiddler以从Azure AD获取访问令牌.我对端点https://login.microsoftonline.com/<mytenant>.onmicrosoft.com/oauth2/token
的POST请求.具有以下4个参数
I have created a ASP.Net Web API (.Net Framework) app with "Work or School Accounts" as authentication type. This automatically registers this API app in my Azure subscription and I can see it under "App Registrations". I can see that Home Page Url is pointing to localhost address. I can see that API is launching locally on localhost address. I then launch Fiddler to get access token from Azure AD. My POST request to endpoint https://login.microsoftonline.com/<mytenant>.onmicrosoft.com/oauth2/token
. has following 4 parameters
grant_type=client_credentials
&client_id=<appid from Azure AD Portal>
&client_secret=<secret from Azure AD Portal>
&resource=<appid from Azure AD Portal>
我拿回了令牌.解码此令牌时,按预期方式看到了aud
和appid
(与Azure AD中的appid匹配).我将此令牌用作承载令牌,以通过将GET请求中的Authorization: Bearer <mytoken>
标头添加到https://localhost:44374/api/values
来调用API调用.但是,对我的API的GET调用返回了我{"Message":"Authorization has been denied for this request."}
错误消息.
I get a token back. When I decode this token, I see aud
and appid
as expected(matching appid in Azure AD). I use this token as bearer token to invoke API call by adding Authorization: Bearer <mytoken>
header in GET request to https://localhost:44374/api/values
. However, this GET call to my API is returning me {"Message":"Authorization has been denied for this request."}
error message.
我想念什么?
推荐答案
获取令牌时,应使用App ID URI
作为resource
值,您可以在Azure门户的api应用程序的Properties
中找到App ID URI
,例如 https://xxxxx.onmicrosoft.com/WebApplicationName . Web api将检查访问令牌中的aud
声明是否与您在web.config中设置的声明相符:
You should use App ID URI
as the resource
value when acquiring token , you could find the App ID URI
in Properties
of api app in azure portal ,like https://xxxxx.onmicrosoft.com/WebApplicationName . Web api will check whether the aud
claim in access token matches the one you set in web.config :
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
TokenValidationParameters = new TokenValidationParameters {
ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
},
});
web.config中的
ida:Audience
值是允许的受众.
ida:Audience
value in web.config is the allowed audience .
这篇关于在Fiddler中使用Azure AD拒绝了此请求的获得授权的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!