我正在尝试通过 AzureAD 使用 OAuth2 来保护 APIM API,方法是阅读以下文章:通过 Azure AD 使用 OAuth 2.0 授权来保护 Azure API 管理中的 Web API 后端 https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad
Azure APIM - OAuth2
- 授权端点 URL (v1):https://login.microsoftonline.com/{tenant}/oauth2/authorize https://login.microsoftonline.com/%7Btenant%7D/oauth2/authorize
- 令牌端点 URL (v1):https://login.microsoftonline.com/{tenant}/oauth2/token https://login.microsoftonline.com/%7Btenant%7D/oauth2/token
- 客户端 ID:客户端应用程序 ID
- 重定向 URI:(已弃用的门户):https://xxx-api.portal.azure-api.net/docs/services/auth1/console/oauth2/authorizationcode/callback https://xxx-api.portal.azure-api.net/docs/services/auth1/console/oauth2/authorizationcode/callback
AzureAD - 后端应用程序:
AzureAD - 客户端应用程序:
- 密钥:xxx
- 重定向 url:仅适用于 APIM 中已弃用的门户(https://xxx-api.portal.azure-api.net/docs/services/auth1/console/oauth2/authorizationcode/callback https://xxx-api.portal.azure-api.net/docs/services/auth1/console/oauth2/authorizationcode/callback)
For Demo Conference API, Add Validate JWT policy to Inbound processing where 3a0cf09b-
is tenant id and b7c31179-
is backend-app application id:
In Developer portal, the authentication to AzureAD is successful with a return token:
However the authorization is failed with calling the API:
检查 jwt.io 中收到的令牌,我发现"aud": "00000003-0000-0000-c000-000000000000"
不是后端应用程序应用程序 ID:
{
"aud": "00000003-0000-0000-c000-000000000000",
"iss": "https://sts.windows.net/3a0cf09b-xxx/",
"app_displayname": "client-app",
"appid": "05a245fb-xxx",
"scp": "Files.Read User.Read profile openid email",
"tenant_region_scope": "OC",
"tid": "3a0cf09b-2952-4673-9ace-0e1bf69ee23a",
"unique_name": "[email protected] /cdn-cgi/l/email-protection",
}
API 测试 HTTP 响应跟踪显示 validate-jwt 上的错误:
validate-jwt (-0.138 ms)
{
"message": "JWT Validation Failed: Claim value mismatch: aud=b7c31179-xxx.."
}
更换aud
通过令牌中的值00000003-0000-0000-c000-000000000000
或删除required-claims
in the validate-jwt
使其发挥作用的政策。
有什么想法吗?