1. 首頁
  2. 問答
  3. azure acive目錄驗證錯誤

azure acive目錄驗證錯誤

2017-09-25 48 views
0

我有一個天藍色的web應用程序的問題。我使用Active Directory來控制訪問效果很好,但我的用戶之一變,當他們在azure acive目錄驗證錯誤

idx10214觀衆驗證登錄此錯誤消息失敗不匹配validationparameters.validaudience或validationparameters空

沒有人知道這是什麼意味着?有沒有解決方法?

繼承人如何設置openid來授權用戶,我如何在這裏包含觀衆設置?受衆的價值應該是什麼?

app.UseOpenIdConnectAuthentication(
      new OpenIdConnectAuthenticationOptions 
      { 
       ClientId = clientId, 
       Authority = AuthorityCHP, 
       PostLogoutRedirectUri = postLogoutRedirectUri, 
       RedirectUri = loURL, 
       Notifications = new OpenIdConnectAuthenticationNotifications() 
       { 
        // If there is a code in the OpenID Connect response, redeem it for an access token and refresh token, and store those away. 
        AuthorizationCodeReceived = (context) => 
        { 
         var code = context.Code; 
         Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential credential = new Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential(clientId, appKey); 
         string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value; 
         Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext authContext = new Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext(AuthorityCHP, new ADALTokenCache(signedInUserID)); 
         var newuri = new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)); 
         Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(code, newuri, credential, graphResourceId); 
         return Task.FromResult(0); 
        } 
       } 
      });

伊夫加入,希望它可能工作一些額外的代碼,但在我部署它,我得到了用戶affecetd再次嘗試登錄其仍然是相同的。我不消費webapi它只是一個標準的登錄頁面的直接web應用程序,我真的難住,爲什麼只有一個特定的用戶受此影響? anynoe可以幫助嗎?

app.UseWindowsAzureActiveDirectoryBearerAuthentication(
     new WindowsAzureActiveDirectoryBearerAuthenticationOptions 
     { 
      TokenValidationParameters = new TokenValidationParameters 
      { 
       ValidAudience = clientId 
      }, 
      Tenant = tenantId, 
      AuthenticationType = "OAuth2Bearer" 
     });

來源

2017-09-25 proteus

回答

0

這意味着您使用不正確的標記調用API。當我們調用受Azure AD保護的Web API時,它將驗證令牌中的令牌和聲明的簽名。

audience用於令牌能夠訪問的資源。我們應該根據資源獲取令牌。例如,如果我們使用下面的代碼保護Web API,我們應該使用下面的配置中的獲取令牌。

public void ConfigureAuth(IAppBuilder app) 
{ 
    app.UseWindowsAzureActiveDirectoryBearerAuthentication(
     new WindowsAzureActiveDirectoryBearerAuthenticationOptions 
     { 
      Audience = ConfigurationManager.AppSettings["ida:Audience"], 
      Tenant = ConfigurationManager.AppSettings["ida:Tenant"], 
     }); 

    //app.UsePasswordAuthentication(); 
}

更新

TokenValidationParameters = new TokenValidationParameters 
{ 
    ValidateIssuer = false, 
    // In a real application you would use IssuerValidator for additional checks, like making sure the user's organization has signed up for your app. 
    //  IssuerValidator = (issuer, token, tvp) => 
    //  { 
    //  //if(MyCustomTenantValidation(issuer)) 
    //  return issuer; 
    //  //else 
    //  // throw new SecurityTokenInvalidIssuerException("Invalid issuer"); 
    // }, 
},

來源

2017-09-25 08:35:56

+0

香港專業教育學院更新了我的問題,包括開放ID碼 – proteus

+0

什麼'graphResourceId'的價值?您請求了哪個API以及它是如何被保護的? –

+0

https://graph.windows.net biu – proteus

相關問題

 相關問題