Azure active directory AADSTS50013:断言签名验证失败。[原因-找不到密钥,客户端使用的密钥指纹:';xxxx';
我有三个申请参与AzureAD海外建筑运营管理局流程:Azure active directory AADSTS50013:断言签名验证失败。[原因-找不到密钥,客户端使用的密钥指纹:';xxxx';,azure-active-directory,dynamics-crm,asp.net-core-2.0,Azure Active Directory,Dynamics Crm,Asp.net Core 2.0,我有三个申请参与AzureAD海外建筑运营管理局流程: 角度前端-->在AzureAD注册为OIDC应用程序 ASP.NET核心Web API-->在AzureAD注册为SAML应用程序 导航OData服务-->在AzureAD注册为SAML应用程序 下面是完整的流程: Angular前端应用程序将用户签名到Azure AD并请求Web API 1(ASP.NET核心Web API)的委托访问令牌 然后,客户机应用程序使用发布的访问令牌调用Web API 1 Web API 1反过来需
One or more errors occurred. (AADSTS50013: Assertion failed signature validation. [Reason - The key was not found., Thumbprint of key used by client: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx']
Trace ID: afc20e5e-ebea-4546-af4b-820f48083e01
Correlation ID: b5d8d7b5-52d1-430d-af81-d34918970831
Timestamp: 2021-05-03 11:35:25Z)
有谁能帮我解决这个问题吗
在这种情况下,角锋使用隐式流
https://login.microsoftonline.com/<TenantId>/oauth2/v2.0/authorize?response_type=token&scope=api://xxxx--<WEB API 1>.default%20openid%20profile&client_id=<Application (client) ID>&redirect_uri=<ApplicationURL>&state=xxxx&nonce=yyyy&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=msal&login_hint=mytestaccount@mydomain.com&client-request-id=yyyyyy&prompt=none&response_mode=fragment
https://login.microsoftonline.com//oauth2/v2.0/authorize?response_type=token&scope=api://xxxx--.default%20openid%20profile&client\u id=&redirect\u uri=&state=xxxx&nonce=yyyy&client\u info=1&x-client-SKU=MSAL.JS&x-client-Ver=MSAL&login\u提示=mytestaccount@mydomain.com&客户端请求id=yyyyy&prompt=none&response\u mode=fragment
下面是收到的id_令牌:
{
"aud": "<Application (client) ID>",
"iss": "https://login.microsoftonline.com/<tenantid>/v2.0",
"iat": 1620380572,
"nbf": 1620380572,
"exp": 1620384472,
"aio": "AWQAm/8TAAAAIVowa1CNNUEB/tB/OcgatUBo9SzDJch09USynyiE+S+be6xkV9TczjRol4Td0czWrdsrzoqDBHUQxbAcnPT90InTNwLfYeHon5Vvk6eFsn2omrgpYlCj90QIXtIoduhd",
"email": "mytestaccount@mydomain.com",
"name": "mytestaccount, mytestaccount",
"nonce": "078bca2a-35ef-457d-96d8-92db7ac3d106",
"oid": "96035811-49f6-4246-923f-4edba4555e14",
"preferred_username": "mytestaccount@mydomain.com",
"rh": "0.ASYA8UXaNizdH02vE1q-RrmZIYsBYTzBse5Co7kY9CZdWDcmALA.",
"sub": "BAc2RwnOjKjv8vxtS0zOSQ0kgQ74zEvWJDmWnMoWdyM",
"tid": "36da45f1-dd2c-4d1f-af13-5abe46b99921",
"uti": "8r7u-zYcr0GSNUdl4STUAQ",
"ver": "2.0"
}
{
“澳元”:“,
“国际空间站”:https://login.microsoftonline.com//v2.0",
“iat”:1620380572,
“nbf”:1620380572,
“经验”:1620384472,
“aio”:“AWQAm/8TAAAAIVowa1CNNUEB/tB/OcgatUBo9SzDJch09USynyiE+S+BE6KV9TCZJROL4TD0CZWRDSRZOQDBHUQXBACNPT90INTNWLFYEON5VVK6EFSN2OMRGYLCJ90QIXTIODUHD”,
“电子邮件”:mytestaccount@mydomain.com",
“名称”:“mytestaccount,mytestaccount”,
“暂时性”:“078bca2a-35ef-457d-96d8-92db7ac3d106”,
“oid”:“96035811-49f6-4246-923f-4edba4555e14”,
“首选用户名”:mytestaccount@mydomain.com",
“右侧”:“0.ASYA8UXaNizdH02vE1q-RrmZIYsBYTzBse5Co7kY9CZdWDcmALA。”,
“sub”:“BAC2RWNOJKJV8VXTS0ZOSKGQ74ZEVWJDMWNMOWDYM”,
“tid”:“36da45f1-dd2c-4d1f-af13-5abe46b99921”,
“uti”:“8r7u-zYcr0GSNUdl4STUAQ”,
“版本”:“2.0”
}
用于访问WEB API 1的访问令牌:
{
"aud": "api://xxxx--<WEB API 1>",
"iss": "https://sts.windows.net/36da45f1-dd2c-4d1f-af13-5abe46b99921/",
"iat": 1620380574,
"nbf": 1620380574,
"exp": 1620384474,
"acr": "1",
"aio": "AVQAq/8TAAAAoi/awR8N8P1eapXNZfcGKhsy9uKyL6qv77raeIKYLOyZjXtsVKXMELCu+qZvKJtSaYm/nemvyUPc2OvJiPrvwpwrteqSU1iYM5C4xfPTxHo=",
"amr": [
"pwd",
"rsa",
"mfa"
],
"appid": "<Application (client) ID>",
"appidacr": "0",
"deviceid": "b55e39a3-f492-4679-83e2-53fcd024beba",
"email": "mytestaccount@mydomain.com",
"family_name": "mytestaccount",
"given_name": "mytestaccount",
"ipaddr": "xx.xx.xx.xx",
"name": "mytestaccount, mytestaccount",
"oid": "96035811-49f6-4246-923f-4edba4555e14",
"onprem_sid": "S-1-5-21-238447276-1040861923-1850952788-976396",
"rh": "0.ASYA8UXaNizdH02vE1q-RrmZIYsBYTzBse5Co7kY9CZdWDcmALA.",
"scp": "user_impersonation",
"sub": "F5atxEe7z2ooojdNoFhaAG_Xs2SBnnkYKJ4yCCWT1HA",
"tid": "36da45f1-dd2c-4d1f-af13-5abe46b99921",
"unique_name": "mytestaccount@mydomain.com",
"upn": "mytestaccount@mydomain.com",
"uti": "ll2WpznLGEq23DrUk4eoAQ",
"ver": "1.0"
}
{
“澳元”:api://xxxx--",
“国际空间站”:https://sts.windows.net/36da45f1-dd2c-4d1f-af13-5abe46b99921/",
“iat”:1620380574,
“nbf”:1620380574,
“经验”:1620384474,
“acr”:“1”,
“aio”:“AVQAq/8TAAAAoi/AWR8N8P1EAPXNZFCGKHSY9UKYL6QV77RAEIKYYZJXTSVKXMELCU+qZvKJtSaYm/NEMVYUPC2OVJIPRVWPRTEQSU1YM5C4XFPTXHO=”,
“amr”:[
“pwd”,
“rsa”,
“外交部”
],
“appid”:“,
“appidacr”:“0”,
“设备ID”:“b55e39a3-f492-4679-83e2-53fcd024beba”,
“电子邮件”:mytestaccount@mydomain.com",
“家族名称”:“mytestaccount”,
“给定名称”:“mytestaccount”,
“ipaddr”:“xx.xx.xx.xx”,
“名称”:“mytestaccount,mytestaccount”,
“oid”:“96035811-49f6-4246-923f-4edba4555e14”,
“onprem_sid”:“S-1-5-21-238447276-1040861923-1850952788-976396”,
“右侧”:“0.ASYA8UXaNizdH02vE1q-RrmZIYsBYTzBse5Co7kY9CZdWDcmALA。”,
“scp”:“用户模拟”,
“sub”:“F5ATXEE7Z2OOOJDNOFHAAGXS2SBNNKYKJ4YCCWT1HA”,
“tid”:“36da45f1-dd2c-4d1f-af13-5abe46b99921”,
“唯一名称”:mytestaccount@mydomain.com",
“upn”:mytestaccount@mydomain.com",
“uti”:“ll2WpznLGEq23DrUk4eoAQ”,
“版本”:“1.0”
}
我可以获得api 1和api 2的访问令牌。这是我的测试过程:
首先,我公开了API1的api,并添加了客户端应用程序
接下来,使用隐式流获取中间层api 1的访问令牌。在浏览器中请求id令牌和访问令牌
https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/authorize?
client_id={client_id}
&response_type=id_token token
&redirect_uri={redirect_uri}
&scope=openid api://{api 1 client id}/user_impersonation
&response_mode=fragment
&state=12345
&nonce=678910
解析api 1的访问令牌
接下来,公开api 2的api,并将api 1添加为客户端应用程序
最后,使用获取api 2的访问令牌(注意:assertion
参数是api 1的访问令牌)
解析api 2的访问令牌
我认为这就是
范围的原因。您设置的范围是什么?WEB API1(ASP.NET核心API)和WEB API 2(NAV OData服务)都以“公开API”作为API公开Azure门户中存在选项。在API权限下的Angular前端应用程序级别,WEB API 1已添加类型:Delegate,同样,在WEB API 1级别,已添加访问WEB API 2(NAV OData服务)的权限类型:委派。作用域详细信息:a。Angular使用作用域调用ASP.NET核心API:api://xxxxxx/user_impersonation,b.ASP.NET核心API启动NAV OData服务,范围为:api://yyyyyyy/user_impersonationParse 您的api 1和api 2访问令牌并提供屏幕截图。我已经用id_令牌和accesst更新了问题oken用于WEB API1感谢@CarlZhao的详细回复。您能否帮助我了解您的案例API1是基于OIDC或SAML的应用程序,同样的问题也适用于API2。正如我的问题中提到的,在我的案例中,只有Angular前端注册为OIDC应用程序,而其他API1和API2注册为基于SAML的应用程序。是否我已经将所有应用程序设置为OIDC应用程序,并遵循上述示例。在测试海外建筑运营管理局流量时(获取第二个令牌)我收到错误:AADSTS50027:JWT令牌无效或格式不正确。\r\n空间ID:c683b4cf-f854-48d1-b9cb-48f4741a6200\r\n相关ID:89a37162-07e6-4589-a77c-6f23bb2274f9\r\n空间标记:2021-05-20 11:45:01Z“我能够解决上述问题。”