代表令牌问题（AADSTS50013：Assertion包含无效签名）

当我尝试使用Cortana Bot用户令牌（这是一个Graph令牌）来使用ClientAssertionCertificate / ClientCredential为另一个消费Web API应用程序生成“代表”令牌时，我收到错误（如下所述）通过将其AppId作为使用Cortana Bot用户令牌生成的ResourceId和userAssertion传递给另一个消费Web API。

当检查我们的Bot AAD设置时，它与其他消费Web API（API B）一起配置为有效的应用程序以及Graph应用程序。我们是否需要在AAD中进行任何其他设置才能获得代表令牌？

AADSTS50013: Assertion contains an invalid signature. 
[Reason - The provided signature value did not match the expected signature value., 
    Thumbprint of key used by client: '9DB0B05B5D70DD7901FB151A5F029148B8CC1C64', 
    Found key 'Start=11/11/2018 00:00:00, 
    End=11/11/2020 00:00:00'
]
Trace ID: a440869f-b8f5-4d87-ba1a-6bd8dd7ba200
Correlation ID: 651e1fa8-2069-4489-a687-e68e5206e193
Timestamp: 2019-01-02 07:14:45Z

以下是我们尝试为其他消费Web API（API B）获取代表令牌的流程和示例代码。

流程步骤：

1. Cortana要求用户登录
2. 用户登录Cortana
3. Cortana将此用户令牌（生成目标以使用https://graph.microsoft.com作为受众）发送到Microsoft Bot Framework API
4. Microsoft Bot Framework API验证并希望使用此令牌来调用其他Web API（称为API B）。
5. 由于无法直接使用此Cortana用户令牌，因此需要将其作为Microsoft Bot Framework API的API B的代表令牌生成。
6. 以下是用于从Microsoft Bot Framework API生成代表令牌的代码示例： public async Task<string> GetOnBehalfOfTokenAsync(string authority, string resource, string scope = "", string token = "") { AuthenticationResult output; var clientId = ConfigurationManager.AppSettings["API-B-ClientId"]; // Read certificate which can be used for getting token to API B using ClientAssertionCertificate // GetCert() is used to get the Certificate based on Thumbprint configured in Web.config file. var certificate = this.GetCert(); // 'authority' is https://login.microsoftonline.com/{tenant id} var authContext = new AuthenticationContext(authority); var cllientCertificateCredential = new ClientAssertionCertificate(clientId, certificate); // 'token' is the user token which was received from Cortana. var userAssertion = (!string.IsNullOrWhiteSpace(token)) ? new UserAssertion(token, "urn:ietf:params:oauth:grant-type:jwt-bearer", TokenHelper.ExtractUserInfoFromAuthToken(token, "upn")) : null; try { // 'resource' is the Resource Id of API B // if UserAssertion is null then get token with ClientAssertionCertificate else get // on-behalf-of token using UserAssertion and ClientAssertionCertificate if (userAssertion == null) { output = await authContext .AcquireTokenAsync(resource, cllientCertificateCredential) .ConfigureAwait(false); } else { output = await authContext .AcquireTokenAsync(resource, cllientCertificateCredential, userAssertion) .ConfigureAwait(false); } } catch (Exception ex) { logger.log("Error acquiring the AAD authentication token", ex); } return output.AccessToken; }
7. 在此步骤获得上述异常： output = await authContext .AcquireTokenAsync(resource, cllientCertificateCredential, userAssertion) .ConfigureAwait(false);