Azure App Service Authentication/Authorization returns HTTP 401 IDX10205: Issuer validation failed

Question (votes: 0, answers: 1)

I am having trouble securing my Azure Web App Service application (a REST API) with the built-in Authentication/Authorization at the App Service level.

Context:

  • a REST API deployed in Azure Web App Service;
  • the application is protected by the built-in Authentication/Authorization feature of Azure Web App Service;
  • a local script authenticates against it.

The target application is a simple Spring Boot application with an endpoint /test that returns Test OK. No security is handled in the application itself; the goal is to test whether it can be handled on the "infrastructure" side, meaning no development is needed on the service.

It is configured as follows:

[Image: Azure Web App Service configuration]

The app registration was done following this guide.

As the client, I am using the sample provided by Microsoft here, except that the request is made to the target application instead of to Microsoft Graph.

For this, the following configuration file is used:

{
    "authority": "https://login.microsoftonline.com/<my_tenant_id>",
    "client_id": "<my_client_id>",
    "scope": ["<API URI ( in form of api://GUID)>/.default"],
    "secret": "<my_client_secret>",
    "endpoint": "target_application_endpoint"
}

When I run it, I get HTTP 401 and the following JSON response body:

{
  "code": 401,
  "message": "IDX10205: Issuer validation failed. Issuer: '[PII is hidden]'. Did not match: validationParameters.ValidIssuer: '[PII is hidden]' or validationParameters.ValidIssuers: '[PII is hidden]'."
}

I also used the same sample with the previous library (adal), and I can reproduce the flow in Postman with the same result, so I don't think there is anything wrong with the code sample.

This suggests that the token's issuer is not the same, but when I look at my app settings in Kudu, I see the following:

{
  "deployment_branch": "master",
  "SCM_TRACE_LEVEL": "Verbose",
  "SCM_COMMAND_IDLE_TIMEOUT": "60",
  "SCM_LOGSTREAM_TIMEOUT": "7200",
  "SCM_BUILD_ARGS": "",
  "WEBSITE_AUTH_MSA_SCOPE": "",
  "ScmType": "VSTSRM",
  "WEBSITE_AUTH_UNAUTHENTICATED_ACTION": "RedirectToLoginPage",
  "WEBSITE_AUTH_AUTO_AAD": "False",
  "WEBSITE_AUTH_OPENID_ISSUER": "https://login.microsoftonline.com/<my_tenant_id>/",
  "WEBSITE_AUTH_LOGOUT_PATH": "/.auth/logout",
  "WEBSITE_AUTH_RUNTIME_VERSION": "~1",
  "WEBSITE_SITE_NAME": "<my_app_service_name>",
  "WEBSITE_AUTH_FB_SCOPE": "",
  "WEBSITE_AUTH_TOKEN_STORE": "False",
  "WEBSITE_AZMON_ENABLED": "True",
  "WEBSITE_AUTH_ENABLED": "True",
  "FUNCTIONS_RUNTIME_SCALE_MONITORING_ENABLED": "0",
  "WEBSITE_AUTH_ALLOWED_AUDIENCES": "<my_client_app_id_in_app_registrations>",
  "WEBSITE_HTTPLOGGING_RETENTION_DAYS": "15",
  "REMOTEDEBUGGINGVERSION": "16.0.28729.10",
  "SCM_USE_LIBGIT2SHARP_REPOSITORY": "0",
  "WEBSITE_AUTH_CLIENT_ID": "<my_target_app_id_in_app_registrations>",
  "WEBSITE_AUTH_DEFAULT_PROVIDER": "AzureActiveDirectory"
}

Any hints on this issue, or on a configuration error?


EDIT: adding the app registration manifests

Target app manifest:

{
    "id": "<target_app_registration_id>",
    "acceptMappedClaims": null,
    "accessTokenAcceptedVersion": "2",
    "addIns": [],
    "allowPublicClient": false,
    "appId": "<target_app_id>",
    "appRoles": [
        {
            "allowedMemberTypes": [
                "Application"
            ],
            "description": "Accesses the TodoListService-Cert as an application.",
            "displayName": "access_as_application",
            "id": "<app_role_unique_ID>",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "value": "access_as_application"
        }
    ],
    "oauth2AllowUrlPathMatching": false,
    "createdDateTime": "2020-06-02T13:23:22Z",
    "groupMembershipClaims": null,
    "identifierUris": [
        "api://<target_app_id>"
    ],
    "informationalUrls": {
        "termsOfService": null,
        "support": null,
        "privacy": null,
        "marketing": null
    },
    "keyCredentials": [],
    "knownClientApplications": [],
    "logoUrl": null,
    "logoutUrl": null,
    "name": "Rule Engine",
    "oauth2AllowIdTokenImplicitFlow": true,
    "oauth2AllowImplicitFlow": true,
    "oauth2Permissions": [
        {
            "adminConsentDescription": "Test service",
            "adminConsentDisplayName": "Test service",
            "id": "<exposed_api_id_1>",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "type": "User",
            "userConsentDescription": null,
            "userConsentDisplayName": null,
            "value": "service"
        },
        {
            "adminConsentDescription": "Test",
            "adminConsentDisplayName": "Test",
            "id": "<exposed_api_id_2>",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "type": "User",
            "userConsentDescription": null,
            "userConsentDisplayName": null,
            "value": "Test.Test"
        }
    ],
    "oauth2RequirePostResponse": false,
    "optionalClaims": null,
    "orgRestrictions": [],
    "parentalControlSettings": {
        "countriesBlockedForMinors": [],
        "legalAgeGroupRule": "Allow"
    },
    "passwordCredentials": [],
    "preAuthorizedApplications": [
        {
            "appId": "<client_app_id>",
            "permissionIds": [
                "<exposed_api_id_2>",
                "<exposed_api_id_1>"
            ]
        }
    ],
    "publisherDomain": "<tenant_name>",
    "replyUrlsWithType": [
        {
            "url": "<app_url>",
            "type": "Web"
        }
    ],
    "requiredResourceAccess": [
        {
            // Default accesses and also the User.AccessAll mentioned for the Graph API as in the docs
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "0e263e50-5827-48a4-b97c-d940288653c7",
                    "type": "Scope"
                },
                {
                    "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
                    "type": "Scope"
                }
            ]
        }
    ],
    "samlMetadataUrl": null,
    "signInUrl": null,
    "signInAudience": "AzureADMyOrg",
    "tags": [
        "webApi",
        "notApiConsumer"
    ],
    "tokenEncryptionKeyId": null,
    "verifiedPublisher": {
        "displayName": null,
        "verifiedPublisherId": null,
        "addedDateTime": null
    }
}

Client app manifest:

{
    "id": "<client_app_registration_id>",
    "acceptMappedClaims": null,
    "accessTokenAcceptedVersion": "2",
    "addIns": [],
    "allowPublicClient": null,
    "appId": "<client_app_id>",
    "appRoles": [],
    "oauth2AllowUrlPathMatching": false,
    "createdDateTime": "2020-06-02T12:02:17Z",
    "groupMembershipClaims": null,
    "identifierUris": [],
    "informationalUrls": {
        "termsOfService": null,
        "support": null,
        "privacy": null,
        "marketing": null
    },
    "keyCredentials": [],
    "knownClientApplications": [],
    "logoUrl": null,
    "logoutUrl": null,
    "name": "daemon_rest_client",
    "oauth2AllowIdTokenImplicitFlow": false,
    "oauth2AllowImplicitFlow": false,
    "oauth2Permissions": [],
    "oauth2RequirePostResponse": false,
    "optionalClaims": {
        "idToken": [],
        "accessToken": [],
        "saml2Token": []
    },
    "orgRestrictions": [],
    "parentalControlSettings": {
        "countriesBlockedForMinors": [],
        "legalAgeGroupRule": "Allow"
    },
    "passwordCredentials": [
        {
            "customKeyIdentifier": null,
            "endDate": "2299-12-30T23:00:00Z",
            "keyId": "<client_secret_id>",
            "startDate": "2020-06-02T12:06:51.305Z",
            "value": null,
            "createdOn": "2020-06-02T12:06:54.1593511Z",
            "hint": "0CA",
            "displayName": "test_rest_call"
        }
    ],
    "preAuthorizedApplications": [],
    "publisherDomain": "<tenant_name>",
    "replyUrlsWithType": [],
    "requiredResourceAccess": [
        {
            "resourceAppId": "<target_app_id>",
            "resourceAccess": [
                {
                    "id": "<exposed_api_id_2>",
                    "type": "Scope"
                },
                {
                    "id": "<exposed_api_id_2>",
                    "type": "Scope"
                },
                {
                    "id": "<app_role_unique_ID>",
                    "type": "Role"
                }
            ]
        },
        {
            // Default accesses and also the User.AccessAll mentioned for the Graph API as in the docs
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "0e263e50-5827-48a4-b97c-d940288653c7",
                    "type": "Scope"
                },
                {
                    "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
                    "type": "Scope"
                }
            ]
        }
    ],
    "samlMetadataUrl": null,
    "signInUrl": null,
    "signInAudience": "AzureADMyOrg",
    "tags": [
        "apiConsumer",
        "backgroundProcess"
    ],
    "tokenEncryptionKeyId": null,
    "verifiedPublisher": {
        "displayName": null,
        "verifiedPublisherId": null,
        "addedDateTime": null
    }
}

The resource GUIDs have been omitted for compliance.

Tags: azure azure-active-directory azure-web-sites

1 answer

0 votes

I was trying different scenarios to reproduce your issue, because I had a lot of trouble with the authentication in web apps automatically creating app registrations. Then I randomly changed variables to try to make it fail. The only way I could make it fail was, as rohit was on the right track I think, accessTokenAcceptedVersion: when I set it to 2 it kept failing. Try setting it to null.
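A diagnostic that makes the mismatch behind IDX10205 concrete, added here as an example (it is not code from the question, the answer or Microsoft's sample): it reads the `iss` claim from an access token and compares it with the issuer configured in WEBSITE_AUTH_OPENID_ISSUER, as shown in the question's app settings. The tenant id, the two token bodies and the HS256 signing key are constructed placeholders; real Azure AD tokens are RS256-signed, and the decoder here deliberately skips signature verification because it only reads claims for troubleshooting, never for an authorization decision. The rule that a v1-style configured issuer also accepts the `https://sts.windows.net/<tenant>/` form is an assumption of this example, modelled on the configuration above working once the app issues v1 tokens (accessTokenAcceptedVersion null); a v2 token (accessTokenAcceptedVersion 2) carries an `iss` ending in `/v2.0`.

```python
"""Hypothetical diagnostic: compare a JWT's `iss` claim with the issuer
Easy Auth is configured with (WEBSITE_AUTH_OPENID_ISSUER). Not an
authorization check: signatures are not verified here."""
import base64
import hashlib
import hmac
import json
import re

TENANT_ID = "11111111-2222-3333-4444-555555555555"  # constructed placeholder tenant id
# Same shape as WEBSITE_AUTH_OPENID_ISSUER in the question's app settings.
CONFIGURED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS. The signature is NOT
    checked: this reads `iss`/`ver`/`aud` for diagnostics only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def accepted_issuers(configured: str) -> set[str]:
    """Issuers accepted for a configured value (trailing slash and case ignored).
    Assumption of this example: a v1-style issuer of the form
    https://login.microsoftonline.com/{tenant}/ also accepts the
    https://sts.windows.net/{tenant}/ form that v1 tokens carry; an issuer
    with the /v2.0 suffix is matched literally."""
    norm = configured.rstrip("/").lower()
    accepted = {norm}
    m = re.fullmatch(r"https://login\.microsoftonline\.com/([0-9a-f-]+)", norm)
    if m:
        accepted.add(f"https://sts.windows.net/{m.group(1)}")
    return accepted


def check_issuer(token: str, configured: str) -> tuple[bool, str]:
    """(accepted?, issuer found in the token)."""
    iss = decode_claims(token)["iss"]
    return iss.rstrip("/").lower() in accepted_issuers(configured), iss


def make_sample_token(claims: dict, key: bytes = b"constructed-demo-key") -> str:
    """Constructed HS256 token for the demo; real Azure AD tokens are RS256-signed."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


# Constructed tokens with the issuer layout of Azure AD v1 and v2 access tokens.
V1_TOKEN = make_sample_token({
    "iss": f"https://sts.windows.net/{TENANT_ID}/", "ver": "1.0",
    "aud": "api://<target_app_id>"})
V2_TOKEN = make_sample_token({
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0", "ver": "2.0",
    "aud": "<target_app_id>"})


def explain(token: str, configured: str = CONFIGURED_ISSUER) -> str:
    """One-line verdict for a token against a configured issuer."""
    ok, iss = check_issuer(token, configured)
    ver = decode_claims(token).get("ver")
    if ok:
        return f"ver={ver}: issuer {iss} accepted by configured {configured}"
    return (f"ver={ver}: issuer {iss} not in {sorted(accepted_issuers(configured))}"
            " (the situation IDX10205 reports)")


if __name__ == "__main__":
    print(explain(V1_TOKEN))
    print(explain(V2_TOKEN))
    print(explain(V2_TOKEN, f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"))
```

Run as a script it reports the v1 token as accepted by the issuer from the question's app settings and the v2 token as rejected, which matches the answer's observation that accessTokenAcceptedVersion 2 makes the call fail; the last line shows the v2 token accepted once the configured issuer also carries the /v2.0 suffix. The same read-the-claim-and-compare approach applies to `aud` against WEBSITE_AUTH_ALLOWED_AUDIENCES.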
