【发布时间】:2019-10-03 18:47:30
【问题描述】:
当我们尝试使用部署到 azure 的 API 之一时收到以下错误:
“您无权查看此目录或页面。”
根据大量教程,我们在 Azure 中设置并注册了一个 API 应用程序。然后对此启用了 AD 身份验证,但是看起来我们缺少权限或范围,即使我们传递从以下位置生成的访问令牌,邮递员也无法访问 API:
https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token
我们注意到访问令牌中没有任何范围、角色和权限。但是不确定必须在哪里添加,甚至尝试在清单中添加新范围。查看诊断日志,“最可能的原因”被指定为:
“经过身份验证的用户无权访问处理请求所需的资源。”
正在生成访问令牌:
{
"aud": "https://xxxxxxxxxxxxxxxxxxxx.azurewebsites.net",
"iss": "https://sts.windows.net/xxxxxxxxxxxxxxxxxxxxxx/",
"iat": 1234343434,
"nbf": 1234343434,
"exp": 1234343434,
"aio": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=",
"appid": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"appidacr": "1",
"idp": "https://sts.windows.net/xxxxxxxxxxxxxxxxxxxxxxxx/",
"oid": "xxxxxxxxxxxxxxxxxxxxxxxxxxx",
"sub": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"tid": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"uti": "xxxxxxxxxxxxxxxxxxxxxx",
"ver": "1.0"
}
邮递员生成的获取上面token的代码:
var client = new RestClient("https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token");
var request = new RestRequest(Method.GET);
request.AddHeader("cache-control", "no-cache");
request.AddHeader("Connection", "keep-alive");
request.AddHeader("content-length", "195");
request.AddHeader("accept-encoding", "gzip, deflate");
request.AddHeader("cookie", "fpc=AvF4ZvXAqUBPt5LOy7AEkVQIjAwtAQAAANhCb9QOAAAA; x-ms-gateway-slice=prod; stsservicecookie=ests");
request.AddHeader("Host", "login.microsoftonline.com");
request.AddHeader("Postman-Token", "b38e8e03-97f6-4d52-82fd-d9bec59de767,c13da490-096c-4847-8122-39d028d9625e");
request.AddHeader("Cache-Control", "no-cache");
request.AddHeader("Accept", "*/*");
request.AddHeader("User-Agent", "PostmanRuntime/7.11.0");
request.AddHeader("Content-Type", "application/x-www-form-urlencoded");
request.AddParameter("undefined", "grant_type=client_credentials&client_id={clientId}&scope=https%3A%2F%2Fxxxxxxxx.azurewebsites.net%2F.default&client_secret={clientSecret}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);
尝试使用访问令牌并收到错误消息时生成的代码:
var client = new RestClient("https://xxxxxxxxxxxxxxxxxx.azurewebsites.net/api/Status/xxxxxxx");
var request = new RestRequest(Method.GET);
request.AddHeader("cache-control", "no-cache");
request.AddHeader("Connection", "keep-alive");
request.AddHeader("accept-encoding", "gzip, deflate");
request.AddHeader("cookie", "ARRAffinity=249d53bdc28cc342edb4965228850aa72a8304630357254128300b6abf863e83");
request.AddHeader("Host", "xxxxxxxxxxxxxxxxxxx.azurewebsites.net");
request.AddHeader("Postman-Token", "7a9e0638-90cf-41c6-b6bf-0eea11aca929,95980a03-ef39-4c1e-af35-65bec0aaa903");
request.AddHeader("Cache-Control", "no-cache");
request.AddHeader("Accept", "*/*");
request.AddHeader("User-Agent", "PostmanRuntime/7.11.0");
request.AddHeader("Authorization", "Bearer {bearerToken}");
request.AddHeader("Content-Type", "application/x-www-form-urlencoded");
IRestResponse response = client.Execute(request);
【问题讨论】:
-
令牌调用中的信息会更有用
-
邮递员生成的请求,谢谢
-
您尚未共享您进行的调用,包括标题、正文、参数等。
标签: azure api authentication permissions bearer-token