I am trying to authenticate Azure Active Directory users from my Next.js client application (using msal-react) against my .NET 8 API so that they can call [Authorize]
endpoints. However, when I send the client's JWT to my API, I receive a 401 response, and my API logs the authorization failure shown below.
I have registered both applications through Azure's App registrations. In my API registration, I have exposed my API to authorize my client app through a single scope, access_as_user
. I have confirmed this in my client's registration as a Delegated permission.
In my .NET API, I have set my AzureAd configuration in appsettings.json
.
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "qualified.domain.name",
"TenantId": "My-TENANT-ID",
"ClientId": "MY-CLIENT-ID",
"Scopes": "access_as_user",
"CallbackPath": "/signin-oidc"
},
I then add authentication to my services in my Program.cs
...
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApi(config.GetSection("AzureAd"));
...
app.UseAuthorization();
app.UseAuthentication();
...
Finally, I set up a simple controller with a single endpoint.
[Controller]
[Route("api")]
public class GeneralController : Controller
{
[Authorize]
[HttpGet("get")]
public Task<IActionResult> Test()
{
return Task.FromResult<IActionResult>(Ok());
}
}
In my client application, I retrieve my token after a user logs in with Azure AD.
const { instance, accounts } = useMsal();
...
instance.acquireTokenSilent({
scopes: [
"api://API-CLIENT-ID/access_as_user",
],
account: account,
})
I am able to log the token the client retrieves, and when I use https://jwt.io/ I can decode the JWT and find the following relevant properties:
{
"aud": "API-CLIENT-ID",
"iss": "https://login.microsoftonline.com/CLIENT-TENANT-ID/v2.0",
"azp": "CLIENT-CLIENT-ID",
"name": "LOGGED-IN-USER-NAME",
"scp": "access_as_user",
"tid": "CLIENT-TENANT-ID",
"ver": "2.0"
}
However, when I include this token in a request's Authorization header to the general endpoint I set up, I receive a 401 response and the following logs from my API:
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
Authorization failed. These requirements were not met:
DenyAnonymousAuthorizationRequirement: Requires an authenticated user.
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[12]
AuthenticationScheme: Bearer was challenged.
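For reference, the following is an added example of a complete .NET 8 Program.cs for a Microsoft.Identity.Web protected API; it is not the poster's code. It uses the same "AzureAd" appsettings.json section as above and assumes the Microsoft.Identity.Web NuGet package is referenced. Two points differ from the posted Program.cs and controller. First, the posted code calls app.UseAuthorization() before app.UseAuthentication(); ASP.NET Core requires the reverse order, because the authorization middleware decides on HttpContext.User, which only the authentication middleware populates, so with the reversed order every [Authorize] endpoint sees an anonymous user and responds with a 401 challenge no matter how valid the bearer token is, which is exactly what "DenyAnonymousAuthorizationRequirement: Requires an authenticated user" followed by "Bearer was challenged" reports. Second, [Authorize] only checks that the token was validated; it does not check that the token carries the access_as_user scope, so the example adds [RequiredScope] from Microsoft.Identity.Web.Resource to verify the "scp" claim as well.

```csharp
// Added example, not the original poster's code: minimal .NET 8 API protected
// by Microsoft.Identity.Web, with the middleware in the order ASP.NET Core
// requires and an explicit scope check on the endpoint.
// Assumes the Microsoft.Identity.Web NuGet package and the "AzureAd" section
// of appsettings.json shown in the question (Instance, TenantId, ClientId, Scopes).
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.Resource;

var builder = WebApplication.CreateBuilder(args);

// Registers the Bearer scheme and validates each incoming JWT's signature,
// issuer, audience and lifetime against the tenant and client id in "AzureAd".
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));
builder.Services.AddAuthorization();
builder.Services.AddControllers();

var app = builder.Build();

// Order matters: UseAuthentication reads the Authorization header and sets
// HttpContext.User; UseAuthorization then evaluates [Authorize] against that
// user. Reversing the two lines makes every protected endpoint challenge with
// 401 even when the token is valid, because the user is still anonymous when
// the authorization middleware runs.
app.UseAuthentication();
app.UseAuthorization();

app.MapControllers();
app.Run();

[ApiController]
[Route("api")]
public class GeneralController : ControllerBase
{
    // [Authorize] requires a successfully authenticated caller.
    // [RequiredScope] additionally requires the token's "scp" claim to include
    // access_as_user, so a delegated token issued for some other scope, or an
    // app-only token with no "scp" claim at all, is rejected rather than served.
    [Authorize]
    [RequiredScope("access_as_user")]
    [HttpGet("get")]
    public IActionResult Test() => Ok();
}
```

When testing, send the token acquired with acquireTokenSilent for scope api://API-CLIENT-ID/access_as_user as a "Bearer" Authorization header; with the pipeline ordered as above, a 401 then indicates a token validation failure (wrong issuer, audience or expiry, which the JwtBearerHandler logs at debug level), while a 403 indicates the token validated but lacks the required scope.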