我在Angular中有一个SPA客户端,该客户端成功登录到Azure AD并生成令牌,然后将其通过Authorization: Bearer ${token}传递给.Net Core(3.0)API,然后尝试使用[Authorize]验证令牌以进行检查然后允许访问REST Api调用,我们仍在使用"ver": "1.0",并且JWT标头中没有随机数。我在ConfigureServices方法中有以下代码:
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.Authority = "https://login.microsoftonline.com/common";
options.RequireHttpsMetadata = false;
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidIssuer = options.Authority,
ValidateLifetime = true,
ValidateAudience = true,
ValidAudience = "{myClientID}",
IssuerValidator = (issuer, token, parameter) => "https://sts.windows.net/{MyIssuer}/"
};
});
services.AddAuthorization(options =>
{
options.DefaultPolicy =
new AuthorizationPolicyBuilder(JwtBearerDefaults.AuthenticationScheme)
.RequireAuthenticatedUser()
.Build();
});
当我使用locahost运行项目时,它工作正常,但是将代码部署到服务器上,却出现以下错误消息:
Exception occurred while processing message.
Exception:
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://login.microsoftonline.com/common/.well-known/openid-configuration'.
---> System.IO.IOException: IDX20804: Unable to retrieve document from: 'https://login.microsoftonline.com/common/.well-known/openid-configuration'.
---> System.Net.Http.HttpRequestException: No connection could be made because the target machine actively refused it.
---> System.Net.Sockets.SocketException (10061): No connection could be made because the target machine actively refused it.
at System.Net.Http.ConnectHelper.ConnectAsync(String host, Int32 port, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
以上消息表明我不允许某些人连接到该站点进行验证,我的参数正确吗?我使用jwt.io检查令牌,它说签名有效,并且在正文上可以看到期望的"aud:","iss:" "amr":["pwd"]等值。我是Azure AD和令牌验证的新手,所以请耐心等待。我有什么想念的吗?谢谢
该错误是由于该应用无法连接到Azure AD元数据终结点而引起的。它需要从一开始就从那里加载配置,包括应用可以用来验证令牌签名的公共密钥。
要么是某种原因阻止了连接(例如防火墙),要么Azure AD已关闭(极不可能)。