問題描述

我有一個 API 應用程序在網關主機上運行良好，現在網關主機已被棄用，我正在嘗試遵循 遷移指南.我已經使用 2.8.1 SDK 重新部署了我的服務，并且可以使用 AAD 或 Microsoft 帳戶使用瀏覽器登錄該服務，并使用 Swagger 測試該服務.但是，我試圖讓客戶端使用 ClientId 和 Secret 訪問服務.該代碼能夠從 AAD 獲取訪問令牌，但每當我嘗試訪問其中一項服務資源時，總是會收到 401 錯誤.

I have an API app that has been working fine with a Gateway Host and now that the gateway host is being deprecated I'm trying to follow the Migration Guide. I've redeployed my service using the 2.8.1 SDK and can log into the service with a browser using AAD or a Microsoft account and use Swagger to test the service. However, I'm trying to get a client to access the service using a ClientId and Secret. The code is able to get the access token from AAD but I always get a 401 error whenever I try to access one of the service resources.

當我調試服務時，我在日志中看到以下內容:

When I debug the service I see the following in the log:

Microsoft.Azure.AppService.Authentication Verbose: 0 : Received request: GET https://[myService].azurewebsites.net/api/[myResource]
Microsoft.Azure.AppService.Authentication Warning: 0 : JWT validation failed: IDX10214: Audience validation failed. Audiences: 'https://[myService].azurewebsites.net/'. Did not match:  validationParameters.ValidAudience: '[AAD ClientId]' or validationParameters.ValidAudiences: 'http://[myService].azurewebsites.net'.
Microsoft.Azure.AppService.Authentication Information: 0 : Sending response: 401.71 Unauthorized
The thread 0x3b00 has exited with code 0 (0x0).

問題似乎在于，請求的受眾是 https，但 validParameters.ValidAudiences 集合僅包含 http.

What appears to be the issue is that the Audience presented with the request is https but the validParameters.ValidAudiences collection only contains http.

我看不到任何配置受眾的方式，并且似乎在 Visual Studio 2015 創建應用服務時正在設置基于 http 的受眾.有沒有手動編輯 ValidAudience 集合的方法?

I can't see any way of configuring the Audience and it appears that the http based audience is being set when Visual Studio 2015 creates the App Service. Is there a way of manually editing the ValidAudience collection?

作為參考，我的客戶端代碼是:

For reference my client code is:

    private static void Main(string[] args)
    {
        string app_id_url = "https://[myService].azurewebsites.net/";
        string authority = "https://login.windows.net/[myDirectory].onmicrosoft.com/";
        string clientId = "[AAD ClientId]";
        string clientSecret = "[AAD Client Secret]";
        string apiBaseUrl = "https://[myService].azurewebsites.net/";

        string aadToken = GetTokenForApplication(authority, clientId, clientSecret, app_id_url);

        var apiClient = new HttpClient { BaseAddress = new Uri(apiBaseUrl) };
        apiClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", aadToken);
        var apiResponse = apiClient.GetAsync(apiBaseUrl + @"api/[myResource]").Result;
        string apiResponseContent = apiResponse.Content.ReadAsStringAsync().Result;
        Console.WriteLine(apiResponseContent);
    }

    public static string GetTokenForApplication(string authority, string clientId, string clientSecret, string resourceUrl)
    {
        AuthenticationContext authenticationContext = new AuthenticationContext(authority, false);
        ClientCredential clientCred = new ClientCredential(clientId, clientSecret);
        AuthenticationResult authenticationResult = authenticationContext.AcquireToken(resourceUrl, clientCred);
        string token = authenticationResult.AccessToken;
        return token;
    }

推薦答案

您的問題與有效受眾有關.您可能有 2 個選擇:

Your problem have something to do with the valid audiences. You may have 2 choices:

選項 1. 嘗試使用 WebAPI 客戶端 ID 作為 AcquireToken 方法的資源"參數而不是其 Uri 獲取令牌.

Option 1. Try to acquire the token with the WebAPI client ID as the AcquireToken method 'resource' parameter, instead of its Uri.

選項 2.如果以前的方法不起作用，您應該使用 Azure 資源資源管理器.導航到您的 Web API，在 config 節點下找到 authSettings JSON 文檔，并修改(在更改為讀/寫模式后)數組 allowedAudiences以滿足您的需求.在您的情況下，您可能需要將 http 更改為 https