Azure AD B2C OAuth2 API error: Signature validation failed. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier

Tags: azure-ad-b2c

I have spent quite a bit of time integrating our .NET MVC web application with Azure Active Directory B2C, with reasonable success, using custom policies to allow users from other Azure Active Directory tenants to sign in to our ...

Now I want to incorporate an API, roughly following this process:

I say "roughly" because I'm trying to fit this functionality into an application that has already been in development for several months.

I'm using Postman to hit this URL and obtain a bearer token:

I'm using grant_type=client_credentials, together with the client_id and client_secret specified in Active Directory (added in the "non-B2C" App registrations blade, because B2C apparently doesn't support the client_credentials flow yet).

It appears to work fine, and I get a response like this:

{
"token_type": "Bearer",
"expires_in": "3599",
"ext_expires_in": "0",
"expires_on": "1513906161",
"not_before": "1513902261",
"resource": "00000002-0000-0000-c000-000000000000",
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ing0Nzh4eU9wbHNNMUg3TlhrN1N4MTd4MXVwYyIsImtpZCI6Ing0Nzh4eU9wbHNNMUg3TlhrN1N4MTd4MXVwYyJ9.eyJhdWQiOiIwMDAwMDAwMi0wMDAwLTAwMDAtYzAwMC0wMDAwMDAwMDAwMDAiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC83YjY1ZDY0NC0xNDM0LTQxZDQtYTFhMC04MjVlZjgwOTAyZDMvIiwiaWF0IjoxNTEzOTAyMjYxLCJuYmYiOjE1MTM5MDIyNjEsImV4cCI6MTUxMzkwNjE2MSwiYWlvIjoiWTJOZ1lKaTJWbkhKTXQwNUcrZmMrL2pFNmRQLzdRQT0iLCJhcHBpZCI6IjZkZmVkNGVkLTU2ZDktNDQ5Ny04M2JhLTkzOWJmNGI3OGUyNSIsImFwcGlkYWNyIjoiMSIsImlkcCI6Imh0dHBzOi8vc3RzLndpbmRvd3MubmV0LzdiNjVkNjQ0LTE0MzQtNDFkNC1hMWEwLTgyNWVmODA5MDJkMy8iLCJvaWQiOiIxYTYxNGM5Yy00Nzc5LTQ2OTctOThjNC05OWNlZTJlZTVkY2IiLCJzdWIiOiIxYTYxNGM5Yy00Nzc5LTQ2OTctOThjNC05OWNlZTJlZTVkY2IiLCJ0ZW5hbnRfcmVnaW9uX3Njb3BlIjoiTkEiLCJ0aWQiOiI3YjY1ZDY0NC0xNDM0LTQxZDQtYTFhMC04MjVlZjgwOTAyZDMiLCJ1dGkiOiJjV2lzVmxDRDEwdW9Ra3BHbWRBdkFBIiwidmVyIjoiMS4wIn0.BiXHI5Sp0t2k_npJYdWjclSXGOMbxniR8G1ifOCNUuiNUZRFG6DsbIqkJEBXSFFUxQpvtGkBaI5oF2u4oJ5Ed37thh_gOLJ1TKBaubGusv7vgUVoIk9A5F8H_HeX57zyRR2XU3czdSC4uZC_XpVwV7eT4-Z4bNooL0WJi1ZNx6ZFBC4qktNf7yifc7-iAEEDTWj3clwA81RJwAe9YbUMI3q640sNg8QlrZDiKFzuEuFocHces0bAYSyfLu5cwDw2wvJwQzYEMahjQ3V7RXpqg-YktsUoSTkLOHm7QNrM2Pko8ZAye58O-nTv1gD5yYDZ8st74x4MUHhNZhaR44byjw"
}

When I use this bearer token in the Authorization header of an API call, I get the response:

{"Message":"Authorization has been denied for this request."}

I turned on diagnostic tracing and found this in the output:

Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationMiddleware Error: 0 : Authentication failed
System.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier
    (
    IsReadOnly = False,
    Count = 2,
    Clause[0] = X509ThumbprintKeyIdentifierClause(Hash = 0xC78EFCC723A996C3351FB35793B4B1D7BC75BA97),
    Clause[1] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause
    )
', 
token: '{"typ":"JWT","alg":"RS256","x5t":"x478xyOplsM1H7NXk7Sx17x1upc","kid":"x478xyOplsM1H7NXk7Sx17x1upc"}.{"aud":"00000002-0000-0000-c000-000000000000","iss":"https://sts.windows.net/7b65d644-1434-41d4-a1a0-825ef80902d3/","iat":1513901664,"nbf":1513901664,"exp":1513905564,"aio":"Y2NgYPg7bbbRmu/aXjwejXZs73e5AgA=","appid":"6dfed4ed-56d9-4497-83ba-939bf4b78e25","appidacr":"1","idp":"https://sts.windows.net/7b65d644-1434-41d4-a1a0-825ef80902d3/","oid":"1a614c9c-4779-4697-98c4-99cee2ee5dcb","sub":"1a614c9c-4779-4697-98c4-99cee2ee5dcb","tenant_region_scope":"NA","tid":"7b65d644-1434-41d4-a1a0-825ef80902d3","uti":"5nMOpv6eok60JyzWwksuAA","ver":"1.0"}
RawData: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ing0Nzh4eU9wbHNNMUg3TlhrN1N4MTd4MXVwYyIsImtpZCI6Ing0Nzh4eU9wbHNNMUg3TlhrN1N4MTd4MXVwYyJ9....mPzogfR2ndo89P-qWIypdPjrrBb0uEOO0Fo-H164C4Rm21zFQpkwVSFe-NP4MtvMnB5fJdhzGxzPDACFHBiQi7k7ZZVGv5bWaIbhGlPmKCQ1j6XaweYp7pm66R-RIsokZvR87nJ4ZkvYJIkuxnXPjChC-3FjsLDf43FKcByDPvvJKpVj48JW9N79vq77HQ2w8bnq172zOUflxGbuC2nDiwzkgWQiFboL-H3LLUxHqZHeE46u7pDSOrE3DSY1F5aPqBq1IDCg6ELcBcaLN27509oAH2rghkvXjHWOs9Nw3tszVoza7CpEGV7fjtSGN874GV_vx-ziqIOf1EgSBPEH6Q'.
   at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateToken(String securityToken, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.Owin.Security.Jwt.JwtFormat.Unprotect(String protectedText)
   at Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationHandler.<AuthenticateCoreAsync>d__0.MoveNext()

What am I missing?

The sample you linked demonstrates how to protect and call a web API using Azure AD B2C. It looks like you are acquiring an Azure AD token and then trying to use that token to sign in to an API protected with Azure AD B2C.


Although Azure AD B2C doesn't support client credentials, it seems you don't need the client credentials flow. The client credentials flow is for API-to-API calls. If you want to call the API from an application that a user is signing in to, you can use an access token. Please see this document:

Hmm. Yes, we have already protected the application and the application's API with B2C. We now want to expose an API that can be called from an external back-end service to do some data uploads. That API is not intended to be called with cookies and/or an interactive user. We took this approach to allow external AD users to authenticate via B2C: I was hoping the API could magically work via client credentials. I now suspect we may need to protect the API with AD instead, since B2C users don't actually need to call the API.

Yes!! I was able to protect the API with Azure AD and make the API call with Postman, while keeping Azure B2C authentication for user sign-in in the same project. I used this sample as a guide for the API: . You steered me in the right direction; would you like to post a further answer? I'll accept it.
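The IDX10500 error in the question is the middleware saying that the `kid` in the token header is not among the signing keys it downloaded from the configured metadata endpoint, which is exactly what happens when an Azure AD (sts.windows.net) token is presented to an API configured against a B2C policy. The following is an added example, not code from the question or the answer: it decodes a constructed stand-in for the token (header and claim values copied from the trace above, signature is a placeholder) and checks its `kid` and `iss` against a constructed JWKS standing in for the B2C tenant's key set; the expected B2C issuer format is an assumption.

```python
import base64
import json

TENANT = "7b65d644-1434-41d4-a1a0-825ef80902d3"  # tenant id as it appears in the question's trace
# Assumption: issuer prefix the B2C-configured middleware would accept for this tenant.
EXPECTED_B2C_ISSUER_PREFIX = f"https://login.microsoftonline.com/{TENANT}/v2.0/"

# Constructed JWKS standing in for the B2C policy's keys endpoint; the kid is a placeholder.
B2C_JWKS = {"keys": [{"kid": "B2C_SAMPLE_KID_1", "kty": "RSA", "use": "sig"}]}


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def build_sample_ad_token():
    """Constructed stand-in for the Azure AD v1 token from the question (not verifiable)."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "x478xyOplsM1H7NXk7Sx17x1upc"}
    payload = {
        "aud": "00000002-0000-0000-c000-000000000000",
        "iss": f"https://sts.windows.net/{TENANT}/",
        "appid": "6dfed4ed-56d9-4497-83ba-939bf4b78e25",
    }
    return ".".join([_b64url_encode(header), _b64url_encode(payload), "placeholder-signature"])


def diagnose(token, jwks, expected_issuer_prefix):
    """Inspect header/claims only (no signature check) to explain a key-resolution failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    hdr = _b64url_decode(parts[0])
    claims = _b64url_decode(parts[1])
    known_kids = {k.get("kid") for k in jwks.get("keys", [])}
    return {
        "kid": hdr.get("kid"),
        "kid_in_jwks": hdr.get("kid") in known_kids,   # False -> middleware raises IDX10500
        "issuer": claims.get("iss"),
        "issuer_matches": str(claims.get("iss", "")).startswith(expected_issuer_prefix),
        "audience": claims.get("aud"),
    }
```

A report with `kid_in_jwks` false and an `sts.windows.net` issuer means the token was minted by Azure AD, not by the B2C policy the API trusts, so no amount of audience tweaking will make the B2C-configured middleware accept it.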