【问题标题】:You do not have permission to view this directory or page. error when using Azure AD to authenticate API您无权查看此目录或页面。使用 Azure AD 对 API 进行身份验证时出错
【发布时间】:2019-10-03 18:47:30
【问题描述】:

当我们尝试使用部署到 azure 的 API 之一时收到以下错误:

“您无权查看此目录或页面。”

根据大量教程,我们在 Azure 中设置并注册了一个 API 应用程序。然后对此启用了 AD 身份验证,但是看起来我们缺少权限或范围,即使我们传递从以下位置生成的访问令牌,邮递员也无法访问 API:

https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token

我们注意到访问令牌中没有任何范围、角色和权限。但是不确定必须在哪里添加,甚至尝试在清单中添加新范围。查看诊断日志,“最可能的原因”被指定为:

“经过身份验证的用户无权访问处理请求所需的资源。”

正在生成访问令牌:

{
   "aud": "https://xxxxxxxxxxxxxxxxxxxx.azurewebsites.net",
   "iss": "https://sts.windows.net/xxxxxxxxxxxxxxxxxxxxxx/",
   "iat": 1234343434,
   "nbf": 1234343434,
   "exp": 1234343434,
   "aio": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=",
   "appid": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
   "appidacr": "1",
   "idp": "https://sts.windows.net/xxxxxxxxxxxxxxxxxxxxxxxx/",
   "oid": "xxxxxxxxxxxxxxxxxxxxxxxxxxx",
   "sub": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
   "tid": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
   "uti": "xxxxxxxxxxxxxxxxxxxxxx",
   "ver": "1.0"
 }

邮递员生成的获取上面token的代码:

var client = new RestClient("https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token");
var request = new RestRequest(Method.GET);
request.AddHeader("cache-control", "no-cache");
request.AddHeader("Connection", "keep-alive");
request.AddHeader("content-length", "195");
request.AddHeader("accept-encoding", "gzip, deflate");
request.AddHeader("cookie", "fpc=AvF4ZvXAqUBPt5LOy7AEkVQIjAwtAQAAANhCb9QOAAAA; x-ms-gateway-slice=prod; stsservicecookie=ests");
request.AddHeader("Host", "login.microsoftonline.com");
request.AddHeader("Postman-Token", "b38e8e03-97f6-4d52-82fd-d9bec59de767,c13da490-096c-4847-8122-39d028d9625e");
request.AddHeader("Cache-Control", "no-cache");
request.AddHeader("Accept", "*/*");
request.AddHeader("User-Agent", "PostmanRuntime/7.11.0");
request.AddHeader("Content-Type", "application/x-www-form-urlencoded");
request.AddParameter("undefined", "grant_type=client_credentials&client_id={clientId}&scope=https%3A%2F%2Fxxxxxxxx.azurewebsites.net%2F.default&client_secret={clientSecret}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);

尝试使用访问令牌并收到错误消息时生成的代码:

var client = new RestClient("https://xxxxxxxxxxxxxxxxxx.azurewebsites.net/api/Status/xxxxxxx");
var request = new RestRequest(Method.GET);
request.AddHeader("cache-control", "no-cache");
request.AddHeader("Connection", "keep-alive");
request.AddHeader("accept-encoding", "gzip, deflate");
request.AddHeader("cookie", "ARRAffinity=249d53bdc28cc342edb4965228850aa72a8304630357254128300b6abf863e83");
request.AddHeader("Host", "xxxxxxxxxxxxxxxxxxx.azurewebsites.net");
request.AddHeader("Postman-Token", "7a9e0638-90cf-41c6-b6bf-0eea11aca929,95980a03-ef39-4c1e-af35-65bec0aaa903");
request.AddHeader("Cache-Control", "no-cache");
request.AddHeader("Accept", "*/*");
request.AddHeader("User-Agent", "PostmanRuntime/7.11.0");
request.AddHeader("Authorization", "Bearer {bearerToken}");
request.AddHeader("Content-Type", "application/x-www-form-urlencoded");
IRestResponse response = client.Execute(request);

【问题讨论】:

  • 令牌调用中的信息会更有用
  • 邮递员生成的请求,谢谢
  • 您尚未共享您进行的调用,包括标题、正文、参数等。

标签: azure api authentication permissions bearer-token


【解决方案1】:

要获取令牌,您需要对 ma​​nagement.azure.com

进行 POST 调用

不久前,我在下面的链接中汇总了信息,以帮助阐明使用 RestApi(在本例中为 Postman)管理 Azure 的步骤。

https://github.com/hhazeley/Azure-Postman

【讨论】:

    猜你喜欢
    • 2016-09-02
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 2021-01-29
    • 2021-01-07
    • 1970-01-01
    • 1970-01-01
    相关资源
    最近更新 更多