我有一个Azure应用服务,我在其上启用了身份验证/授权,并将AD配置为身份验证提供程序.
@H_502_2@所有/.auth路由都存在于服务上,我可以登录.成功登录后,我可以调用/.auth/me来获取access_token.响应如下:
[
{
"access_token": "AQABAAAAAA...Gni4EiQgAA","expires_on": "2017-02-28T19:17:08.0000000Z","id_token": JWT TOKEN
...
}
]
@H_502_2@然后,我使用授权承载头中的access_token从服务请求数据.
"Authorization": "Bearer " + "AQABAAAAAA...Gni4EiQgAA"@H_502_2@我的服务返回以下错误
IDX10708: 'System.IdentityModel.Tokens.JwtSecurityTokenHandler' cannot read this string: 'AQABAAAAAA...Gni4EiQgAA'. The string needs to be in compact JSON format,which is of the form: '<Base64UrlEncodedHeader>.<Base64UrlEndcodedPayload>.<OPTIONAL,Base64UrlEncodedSignature>'.@H_502_2@根据this discussion,access_token旨在用作承载令牌.我还读过here,access_token应该是base64编码的,但似乎并非如此. @H_502_2@此外,如果我使用id_token作为承载令牌,则身份验证按预期工作(id_token是JWT格式). @H_502_2@编辑 @H_502_2@当我按照here所述手动实现Oauth流时,我收到了一个正确的JWT access_token.
GET https://login.microsoftonline.com/common/oauth2/authorize?client_id=client_id&response_type=code&redirect_uri=redirect_uri@H_502_2@其次是
POST
https://login.microsoftonline.com/common/oauth2/token
grant_type=authorization_code
client_id=client_id
code=CODE FROM ABOVE
redirect_uri=redirect_uri
resource=resource
client_secret=client_secret
RESPONSE
{
"access_token": JWT TOKEN,"token_type": "Bearer",...
}
解决方法
@H_502_2@How to get Azure easy auth JWT access_token@H_502_2@根据您的描述,我启用了身份验证/授权,并将AD配置为身份验证提供程序以测试此问题.众所周知,当您在Azure门户上启用身份验证/授权时,默认的response_type是id_token.您需要登录https://manage.windowsazure.com并更新App Service Auth Configuration,如下所示: @H_502_2@ @H_502_2@注意:如果未指定additionalLoginParams的资源,则将检索不是JSON Web Token(JWT)格式的access_token.
@H_502_2@I then use the access_token in an authorization bearer header to request data from the service.@H_502_2@要访问您的服务,您可以使用AppServiceAuthSession cookie,也可以使用Authorization:Bearer“{your-id-token}”. @H_502_2@有关更多详细信息,请参阅此类似的tutorial.
