Azure App Service Authentication/Authorization returns HTTP 401 IDX10205: Issuer validation failed

Tags: azure azure-active-directory azure-web-app-service

I am running into a problem calling an Azure Web App Service application (a REST API) that is protected with the built-in Authentication/Authorization feature at the App Service level.

Context:

  • a REST API deployed in Azure Web App Service;
  • the application is protected by the built-in Authentication/Authorization feature of Azure Web App Service;
  • a local script authenticates against it

The target application is a simple Spring Boot application with an endpoint /test that returns Test OK. The application itself does not handle any security; the goal is to test whether security can be handled on the "infrastructure" side, meaning without developing it in the service.

The configuration is as follows:

[Image: Azure Web App Service configuration]

The app registration was done following this guide.

As the client, I am using the sample provided by Microsoft here, the difference being that the request is made against the target application instead of Microsoft Graph.

For that, the following configuration file is used:

{
    "authority": "https://login.microsoftonline.com/<my_tenant_id>",
    "client_id": "<my_client_id>",
    "scope": ["<API URI ( in form of api://GUID)>/.default"],
    "secret": "<my_client_secret>",
    "endpoint": "target_application_endpoint"
}

When I run it, I get an HTTP 401 with the following JSON response body:

{
  "code": 401,
  "message": "IDX10205: Issuer validation failed. Issuer: '[PII is hidden]'. Did not match: validationParameters.ValidIssuer: '[PII is hidden]' or validationParameters.ValidIssuers: '[PII is hidden]'."
}

I also tried the same sample with the previous library (adal), and I can reproduce the flow in Postman and get the same result, so I don't think there is any problem with the code samples.

This suggests that the token's issuer is not the same, but when I look at the application settings in Kudu I have the following:

{
  "deployment_branch": "master",
  "SCM_TRACE_LEVEL": "Verbose",
  "SCM_COMMAND_IDLE_TIMEOUT": "60",
  "SCM_LOGSTREAM_TIMEOUT": "7200",
  "SCM_BUILD_ARGS": "",
  "WEBSITE_AUTH_MSA_SCOPE": "",
  "ScmType": "VSTSRM",
  "WEBSITE_AUTH_UNAUTHENTICATED_ACTION": "RedirectToLoginPage",
  "WEBSITE_AUTH_AUTO_AAD": "False",
  "WEBSITE_AUTH_OPENID_ISSUER": "https://login.microsoftonline.com/<my_tenant_id>/",
  "WEBSITE_AUTH_LOGOUT_PATH": "/.auth/logout",
  "WEBSITE_AUTH_RUNTIME_VERSION": "~1",
  "WEBSITE_SITE_NAME": "<my_app_service_name>",
  "WEBSITE_AUTH_FB_SCOPE": "",
  "WEBSITE_AUTH_TOKEN_STORE": "False",
  "WEBSITE_AZMON_ENABLED": "True",
  "WEBSITE_AUTH_ENABLED": "True",
  "FUNCTIONS_RUNTIME_SCALE_MONITORING_ENABLED": "0",
  "WEBSITE_AUTH_ALLOWED_AUDIENCES": "<my_client_app_id_in_app_registrations>",
  "WEBSITE_HTTPLOGGING_RETENTION_DAYS": "15",
  "REMOTEDEBUGGINGVERSION": "16.0.28729.10",
  "SCM_USE_LIBGIT2SHARP_REPOSITORY": "0",
  "WEBSITE_AUTH_CLIENT_ID": "<my_target_app_id_in_app_registrations>",
  "WEBSITE_AUTH_DEFAULT_PROVIDER": "AzureActiveDirectory"
}

Any hints on this issue, or on a configuration error?

Edit: adding the app registration manifests

Target app manifest

{
    "id": "<target_app_registration_id>",
    "acceptMappedClaims": null,
    "accessTokenAcceptedVersion": "2",
    "addIns": [],
    "allowPublicClient": false,
    "appId": "<target_app_id>",
    "appRoles": [
        {
            "allowedMemberTypes": [
                "Application"
            ],
            "description": "Accesses the TodoListService-Cert as an application.",
            "displayName": "access_as_application",
            "id": "<app_role_unique_ID>",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "value": "access_as_application"
        }
    ],
    "oauth2AllowUrlPathMatching": false,
    "createdDateTime": "2020-06-02T13:23:22Z",
    "groupMembershipClaims": null,
    "identifierUris": [
        "api://<target_app_id>"
    ],
    "informationalUrls": {
        "termsOfService": null,
        "support": null,
        "privacy": null,
        "marketing": null
    },
    "keyCredentials": [],
    "knownClientApplications": [],
    "logoUrl": null,
    "logoutUrl": null,
    "name": "Rule Engine",
    "oauth2AllowIdTokenImplicitFlow": true,
    "oauth2AllowImplicitFlow": true,
    "oauth2Permissions": [
        {
            "adminConsentDescription": "Test service",
            "adminConsentDisplayName": "Test service",
            "id": "<exposed_api_id_1>",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "type": "User",
            "userConsentDescription": null,
            "userConsentDisplayName": null,
            "value": "service"
        },
        {
            "adminConsentDescription": "Test",
            "adminConsentDisplayName": "Test",
            "id": "<exposed_api_id_2>",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "type": "User",
            "userConsentDescription": null,
            "userConsentDisplayName": null,
            "value": "Test.Test"
        }
    ],
    "oauth2RequirePostResponse": false,
    "optionalClaims": null,
    "orgRestrictions": [],
    "parentalControlSettings": {
        "countriesBlockedForMinors": [],
        "legalAgeGroupRule": "Allow"
    },
    "passwordCredentials": [],
    "preAuthorizedApplications": [
        {
            "appId": "<client_app_id>",
            "permissionIds": [
                "<exposed_api_id_2>",
                "<exposed_api_id_1>"
            ]
        }
    ],
    "publisherDomain": "<tenant_name>",
    "replyUrlsWithType": [
        {
            "url": "<app_url>",
            "type": "Web"
        }
    ],
    "requiredResourceAccess": [
        {
            // Default accesses and also the User.AccessAll mentioned for the Graph API as in the docs
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "0e263e50-5827-48a4-b97c-d940288653c7",
                    "type": "Scope"
                },
                {
                    "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
                    "type": "Scope"
                }
            ]
        }
    ],
    "samlMetadataUrl": null,
    "signInUrl": null,
    "signInAudience": "AzureADMyOrg",
    "tags": [
        "webApi",
        "notApiConsumer"
    ],
    "tokenEncryptionKeyId": null,
    "verifiedPublisher": {
        "displayName": null,
        "verifiedPublisherId": null,
        "addedDateTime": null
    }
}

Client app manifest:

{
    "id": "<client_app_registration_id>",
    "acceptMappedClaims": null,
    "accessTokenAcceptedVersion": "2",
    "addIns": [],
    "allowPublicClient": null,
    "appId": "<client_app_id>",
    "appRoles": [],
    "oauth2AllowUrlPathMatching": false,
    "createdDateTime": "2020-06-02T12:02:17Z",
    "groupMembershipClaims": null,
    "identifierUris": [],
    "informationalUrls": {
        "termsOfService": null,
        "support": null,
        "privacy": null,
        "marketing": null
    },
    "keyCredentials": [],
    "knownClientApplications": [],
    "logoUrl": null,
    "logoutUrl": null,
    "name": "daemon_rest_client",
    "oauth2AllowIdTokenImplicitFlow": false,
    "oauth2AllowImplicitFlow": false,
    "oauth2Permissions": [],
    "oauth2RequirePostResponse": false,
    "optionalClaims": {
        "idToken": [],
        "accessToken": [],
        "saml2Token": []
    },
    "orgRestrictions": [],
    "parentalControlSettings": {
        "countriesBlockedForMinors": [],
        "legalAgeGroupRule": "Allow"
    },
    "passwordCredentials": [
        {
            "customKeyIdentifier": null,
            "endDate": "2299-12-30T23:00:00Z",
            "keyId": "<client_secret_id>",
            "startDate": "2020-06-02T12:06:51.305Z",
            "value": null,
            "createdOn": "2020-06-02T12:06:54.1593511Z",
            "hint": "0CA",
            "displayName": "test_rest_call"
        }
    ],
    "preAuthorizedApplications": [],
    "publisherDomain": "<tenant_name>",
    "replyUrlsWithType": [],
    "requiredResourceAccess": [
        {
            "resourceAppId": "<target_app_id>",
            "resourceAccess": [
                {
                    "id": "<exposed_api_id_2>",
                    "type": "Scope"
                },
                {
                    "id": "<exposed_api_id_2>",
                    "type": "Scope"
                },
                {
                    "id": "<app_role_unique_ID>",
                    "type": "Role"
                }
            ]
        },
        {
            // Default accesses and also the User.AccessAll mentioned for the Graph API as in the docs
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "0e263e50-5827-48a4-b97c-d940288653c7",
                    "type": "Scope"
                },
                {
                    "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
                    "type": "Scope"
                }
            ]
        }
    ],
    "samlMetadataUrl": null,
    "signInUrl": null,
    "signInAudience": "AzureADMyOrg",
    "tags": [
        "apiConsumer",
        "backgroundProcess"
    ],
    "tokenEncryptionKeyId": null,
    "verifiedPublisher": {
        "displayName": null,
        "verifiedPublisherId": null,
        "addedDateTime": null
    }
}

The GUIDs of the resources have been omitted for compliance.

Accepted answer

I tried different scenarios to try to reproduce your issue, but had a lot of trouble because I used the authentication in the web app to automatically create the app registration. Then I randomly changed variables trying to make it fail. The only way I could make it fail, and I think Rohit is on the right track, is accessTokenAcceptedVersion: when I set it to 2, it kept failing. Try setting it to null.

A similar question about Azure App Service Authentication/Authorization returning HTTP 401 IDX10205: Issuer validation failed can be found on Stack Overflow: https://stackoverflow.com/questions/62220873/
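The error body hides the actual issuer values behind "[PII is hidden]", so the quickest way to see why accessTokenAcceptedVersion matters is to decode the access token yourself and compare its iss claim with what the App Service Authentication settings above make the runtime expect. The following script is an added example, not code from the question, the accepted answer or Microsoft's daemon sample. It relies on two facts: v1.0 access tokens carry iss https://sts.windows.net/<tenant>/ while v2.0 access tokens (accessTokenAcceptedVersion 2) carry iss https://login.microsoftonline.com/<tenant>/v2.0, and App Service Authentication validates iss against the "issuer" advertised by the discovery document of WEBSITE_AUTH_OPENID_ISSUER, which for the posted value https://login.microsoftonline.com/<tenant>/ is the sts.windows.net issuer. The tenant and app GUIDs, the tokens (unsigned, constructed) and DISCOVERY_DOCS (a stand-in for the live .well-known/openid-configuration documents) are all placeholders so the script runs offline. It also goes one step beyond the answer and checks the alternative fix of keeping v2.0 tokens and pointing WEBSITE_AUTH_OPENID_ISSUER at the /v2.0 URL.

```python
"""
Offline diagnostic for the IDX10205 issuer mismatch.
Added example; not from the question, the answer or Microsoft's sample.
All GUIDs, tokens and discovery documents below are constructed placeholders.
"""
import base64
import json

# Constructed placeholder identifiers (not real tenants or apps).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
TARGET_APP_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # WEBSITE_AUTH_CLIENT_ID
CLIENT_APP_ID = "99999999-8888-7777-6666-555555555555"   # the daemon client

# Stand-in for Azure AD's <authority>/.well-known/openid-configuration documents.
# Only "issuer" matters here: the v1.0 authority advertises the sts.windows.net
# issuer, the v2.0 authority advertises itself.
DISCOVERY_DOCS = {
    f"https://login.microsoftonline.com/{TENANT_ID}/": {
        "issuer": f"https://sts.windows.net/{TENANT_ID}/"},
    f"https://login.microsoftonline.com/{TENANT_ID}/v2.0": {
        "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"},
}

# The Easy Auth settings from the question's Kudu output, reduced to what matters.
POSTED_SETTINGS = {
    "WEBSITE_AUTH_OPENID_ISSUER": f"https://login.microsoftonline.com/{TENANT_ID}/",
    "WEBSITE_AUTH_CLIENT_ID": TARGET_APP_ID,
    "WEBSITE_AUTH_ALLOWED_AUDIENCES": CLIENT_APP_ID,
}
# Alternative fix: keep v2.0 tokens and point Easy Auth at the v2.0 issuer.
V2_ISSUER_SETTINGS = dict(
    POSTED_SETTINGS,
    WEBSITE_AUTH_OPENID_ISSUER=f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """JWT-shaped string with an empty signature, for illustration only.
    A real service must never accept alg=none or unsigned tokens."""
    header = {"typ": "JWT", "alg": "none"}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()), ""])


def token_for_accepted_version(version):
    """Shape of the access token Azure AD mints for a client-credentials call
    against the target API, depending on its accessTokenAcceptedVersion:
    null/1 -> v1.0 token (iss sts.windows.net, aud = App ID URI)
    2      -> v2.0 token (iss login.microsoftonline.com/<tenant>/v2.0, aud = app id)"""
    if version == 2:
        claims = {"iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
                  "aud": TARGET_APP_ID, "azp": CLIENT_APP_ID,
                  "roles": ["access_as_application"]}
    else:
        claims = {"iss": f"https://sts.windows.net/{TENANT_ID}/",
                  "aud": f"api://{TARGET_APP_ID}", "appid": CLIENT_APP_ID,
                  "roles": ["access_as_application"]}
    return make_unsigned_token(claims)


def decode_claims_unverified(token: str) -> dict:
    """Read the payload without checking the signature: fine for looking at
    iss/aud while debugging a 401, never for an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def easy_auth_expected_issuer(openid_issuer_setting: str) -> str:
    """Easy Auth trusts the issuer advertised by the discovery document of
    WEBSITE_AUTH_OPENID_ISSUER, not the literal setting string."""
    return DISCOVERY_DOCS[openid_issuer_setting]["issuer"]


def diagnose(token: str, settings: dict) -> dict:
    """Compare the token's iss with what the settings make Easy Auth expect.
    aud is reported for the reader; the audience rule is not evaluated here."""
    claims = decode_claims_unverified(token)
    expected = easy_auth_expected_issuer(settings["WEBSITE_AUTH_OPENID_ISSUER"])
    return {
        "token_iss": claims.get("iss"),
        "expected_iss": expected,
        "issuer_ok": claims.get("iss") == expected,
        "token_aud": claims.get("aud"),
        "allowed_audiences_setting": settings["WEBSITE_AUTH_ALLOWED_AUDIENCES"],
    }


if __name__ == "__main__":
    for label, version, settings in [
        ("v2 token, posted settings", 2, POSTED_SETTINGS),          # issuer_ok False
        ("v1 token, posted settings", None, POSTED_SETTINGS),       # issuer_ok True
        ("v2 token, v2.0 issuer setting", 2, V2_ISSUER_SETTINGS),   # issuer_ok True
    ]:
        report = diagnose(token_for_accepted_version(version), settings)
        print(label, json.dumps(report, indent=2))
```

Against a real token, replace token_for_accepted_version with the bearer token the daemon obtained and DISCOVERY_DOCS with the live discovery document; decode_claims_unverified deliberately skips signature verification and must stay a debugging aid, never a check a service relies on.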
