【发布时间】:2021-12-26 01:00:25
【问题描述】:
我正在开发一个包含以下组件的应用程序:
- API (ASP.NET Core)
- 网站
- 移动应用 (Xamarin.Forms)
用户已通过 Azure AD 进行身份验证,并且应收到持有者令牌以访问 API。对于网页,这按预期工作,但我似乎无法让它为移动应用程序工作。
我可以使用 Microsoft.identity.Client 库进行身份验证,并且确实收到了访问令牌。但是,此访问令牌不起作用,因为使用此令牌调用 API 返回 401 Unauthorized,并带有响应标头:
Www-Authenticate: Bearer error="invalid_token", error_description="The signature is invalid"
- 当我使用硬编码在移动应用中的 web 应用中的不记名令牌时,它可以工作。
- 当我比较这两个令牌时,我发现移动应用检索到的令牌是 v1 令牌,而不是 web 应用收到的 v2 令牌。
在 Azure 应用注册中,我注册了所有 3 个组件,并授予了网站和移动应用的 API 权限。
在移动应用中验证和获取访问令牌:
var app = PublicClientApplicationBuilder.Create(clientId)
.WithRedirectUri("msal116d9cbe-88ef-4b73-bae2-0d21c10df305://auth")
.WithIosKeychainSecurityGroup(this.configuration.IOSKeychainSecurityGroup)
.WithB2CAuthority("https://testorganisation.b2clogin.com/tfp/testorganisation.onmicrosoft.com/B2C_1_SignupSignin/")
.Build();
var scopes = new string[]
{
"openid",
"email",
"https://testorganisation.onmicrosoft.com/api/access_as_user"
}
var accounts = await this.app
.GetAccountsAsync()
await this.app
.AcquireTokenSilent(scopes, accounts.FirstOrDefault())
.ExecuteAsync()
来自 Azure 的 API 应用注册清单:
{
"id": "b003da59-5a76-4083-99e6-bdb708feae16",
"acceptMappedClaims": null,
"accessTokenAcceptedVersion": 2,
"addIns": [],
"allowPublicClient": true,
"appId": "9bf40874-747a-41d5-a3fe-2d0b1a3fcfa8",
"appRoles": [],
"oauth2AllowUrlPathMatching": false,
"createdDateTime": "2021-10-27T08:32:35Z",
"certification": null,
"disabledByMicrosoftStatus": null,
"groupMembershipClaims": null,
"identifierUris": [
"https://testorganisation.onmicrosoft.com/api"
],
"informationalUrls": {
"termsOfService": null,
"support": null,
"privacy": null,
"marketing": null
},
"keyCredentials": [],
"knownClientApplications": [],
"logoUrl": null,
"logoutUrl": null,
"name": "testorganisation API",
"oauth2AllowIdTokenImplicitFlow": false,
"oauth2AllowImplicitFlow": false,
"oauth2Permissions": [
{
"adminConsentDescription": "Access the testorganisation API as a user",
"adminConsentDisplayName": "Access testorganisation API as user",
"id": "1e8c2b96-7b60-4a32-9145-1083e1fba86b",
"isEnabled": true,
"lang": null,
"origin": "Application",
"type": "Admin",
"userConsentDescription": null,
"userConsentDisplayName": null,
"value": "access_as_user"
},
{
"adminConsentDescription": "Access the API as administrator",
"adminConsentDisplayName": "Access testorganisation API as admin",
"id": "63a54831-11a2-47f2-8e50-2872f1c25d5d",
"isEnabled": true,
"lang": null,
"origin": "Application",
"type": "Admin",
"userConsentDescription": null,
"userConsentDisplayName": null,
"value": "access_as_admin"
}
],
"oauth2RequirePostResponse": false,
"optionalClaims": null,
"orgRestrictions": [],
"parentalControlSettings": {
"countriesBlockedForMinors": [],
"legalAgeGroupRule": "Allow"
},
"passwordCredentials": [],
"preAuthorizedApplications": [],
"publisherDomain": "testorganisation.onmicrosoft.com",
"replyUrlsWithType": [
{
"url": "https://localhost:5001/swagger/oauth2-redirect.html",
"type": "Spa"
}
],
"requiredResourceAccess": [
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "37f7f235-527c-4136-accd-4a02d197296e",
"type": "Scope"
},
{
"id": "7427e0e9-2fba-42fe-b0c0-848c9e6a8182",
"type": "Scope"
}
]
}
],
"samlMetadataUrl": null,
"signInUrl": null,
"signInAudience": "AzureADandPersonalMicrosoftAccount",
"tags": [
"notApiConsumer",
"webApi"
],
"tokenEncryptionKeyId": null
}
来自 Azure 的移动应用注册清单:
{
"id": "1cc5a0bc-13dc-4101-9cff-ace48ad4865d",
"acceptMappedClaims": null,
"accessTokenAcceptedVersion": 2,
"addIns": [],
"allowPublicClient": true,
"appId": "116d9cbe-88ef-4b73-bae2-0d21c10df305",
"appRoles": [],
"oauth2AllowUrlPathMatching": false,
"createdDateTime": "2021-01-13T19:37:49Z",
"certification": null,
"disabledByMicrosoftStatus": null,
"groupMembershipClaims": null,
"identifierUris": [],
"informationalUrls": {
"termsOfService": null,
"support": null,
"privacy": null,
"marketing": null
},
"keyCredentials": [],
"knownClientApplications": [],
"logoUrl": null,
"logoutUrl": null,
"name": "testorganisation Mobile App",
"oauth2AllowIdTokenImplicitFlow": false,
"oauth2AllowImplicitFlow": false,
"oauth2Permissions": [],
"oauth2RequirePostResponse": false,
"optionalClaims": null,
"orgRestrictions": [],
"parentalControlSettings": {
"countriesBlockedForMinors": [],
"legalAgeGroupRule": "Allow"
},
"passwordCredentials": [],
"preAuthorizedApplications": [],
"publisherDomain": "testorganisation.onmicrosoft.com",
"replyUrlsWithType": [
{
"url": "msal116d9cbe-88ef-4b73-bae2-0d21c10df305://auth",
"type": "InstalledClient"
}
],
"requiredResourceAccess": [
{
"resourceAppId": "9bf40874-747a-41d5-a3fe-2d0b1a3fcfa8",
"resourceAccess": [
{
"id": "1e8c2b96-7b60-4a32-9145-1083e1fba86b",
"type": "Scope"
}
]
},
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "37f7f235-527c-4136-accd-4a02d197296e",
"type": "Scope"
},
{
"id": "7427e0e9-2fba-42fe-b0c0-848c9e6a8182",
"type": "Scope"
}
]
}
],
"samlMetadataUrl": null,
"signInUrl": null,
"signInAudience": "AzureADandPersonalMicrosoftAccount",
"tags": [
"apiConsumer",
"mobileApp"
],
"tokenEncryptionKeyId": null
}
【问题讨论】:
-
为您的平台应用注册配置的
redirect URL是什么:移动应用和桌面应用? -
参考这里了解令牌formats。您可以在
app manifest文件中提及版本,请参阅ms doc page。 -
此链接(stackoverflow.com/questions/63755540/…) 可能对您有所帮助。
标签: c# xamarin.forms azure-active-directory jwt msal