0

我正在尝试在我的 .net core 2.2 中间件中验证从库 react-aad-msal 获得的 Azure 广告令牌。令牌似乎是有效的,但我从后端收到此错误

System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'System.String'. ---> System.IO.IOException: IDX20804: Unable to retrieve document from: 'System.String'. ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 400 (Bad Request).
   at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()

这是我的中间件

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(x =>
             {
                 x.RequireHttpsMetadata = false;
                 x.SaveToken = true;
                 x.TokenValidationParameters = new TokenValidationParameters
                 {
                     ValidateIssuerSigningKey = true,
                     IssuerSigningKey = new SymmetricSecurityKey(key),
                     ValidateIssuer = false,
                     ValidateAudience = false,
                     ValidIssuer = appSettings.Issuer,
                     ValidAudience = appSettings.Audience
                 };
             })
            .AddJwtBearer("AzureAd", opt =>
             {
                 //opt.Authority = "https://login.microsoftonline.com/organizations";
                 opt.Authority = "https://login.microsoftonline.com/organizations";
                 opt.Audience = "api://xxxxxxxxxxxxxxxxxxxxxxxx"; // Set this to the App ID URL for the web API, which you created when you registered the web API with Azure AD.
URL for the web API, which you created when you registered the web API with Azure AD.
                 opt.TokenValidationParameters = new TokenValidationParameters
                 {
                     ValidateIssuer = true,
                     ValidateAudience = true,
                     ValidAudiences = new List<string>{
                    // you could add a list of valid audiences
                    "yyyyyyyyyyyyyyyyyy"
                    },
                     ValidIssuers = new List<string>
                     {
                        // Add tenant id after https://sts.windows.net/
                        //"https://sts.windows.net/{YourTenantId}" //Questa è per la versione 1 del token
                        "https://login.microsoftonline.com/xxxxxxxxxxxxx"
                     }
                 };
                 opt.Events = new JwtBearerEvents()
                 {
                     OnAuthenticationFailed = AuthenticationFailed
                 };
             });
            services.AddAuthorization(options =>
            {
                var defaultAuthorizationPolicyBuilder = new AuthorizationPolicyBuilder(
                    JwtBearerDefaults.AuthenticationScheme,
                    "AzureAd");
                defaultAuthorizationPolicyBuilder =
                    defaultAuthorizationPolicyBuilder.RequireAuthenticatedUser();
                options.DefaultPolicy = defaultAuthorizationPolicyBuilder.Build();
            });

令牌已从 azure ad 正确发出,因为如果我在 reactjs 文件中解码该令牌,似乎具有正确的信息。但是,当我尝试使用 [Authorize] 属性访问受保护的 WEB API 时,会出现错误。谢谢您的帮助!

4

1 回答 1

1

代替

opt.Authority = "https://login.microsoftonline.com/organizations";

opt.Authority = "https://login.microsoftonline.com/{tenant id or name}";
于 2020-05-09T03:06:45.377 回答