UseJwtBearerAuthentication失敗：未經授權的令牌和簽名無效

Question

我有一個web api服務和一個web客戶端應用程序來訪問web api。兩者都在azure活動目錄中註冊。 然而，當web客戶端應用程序試圖訪問網絡的API，我得到：

ReasonPhrase: 'Unauthorized' 
WWW-Authenticate: Bearer error=\"invalid_token\", error_description=\"The signature is invalid 

然後我檢查了令牌上https://jwt.io/，它確實顯示爲「無效簽名」。但是，我不知道這裏有什麼問題。

這是我如何檢索到的令牌：

string authority = "https://login.windows.net/tenantid-log-number/oauth2/token"; 
string clientID = "83adf895-681a-4dd6-9dfb-2a1484dd4188"; 

string resourceUri = "https://tenant.onmicrosoft.com/webapiservice"; 
string appKey = "anJxg3N/5dqiHKx+4zwzFB9A6dN5HdqSitdSOpxzVd="; 

ClientCredential clientCredential = new ClientCredential(clientID, appKey); 

AuthenticationContext ac = new AuthenticationContext(authority); 
Task<AuthenticationResult> authResult = ac.AcquireTokenAsync(resourceUri, clientCredential); 
return authResult.Result.AccessToken; 

這是我如何訪問Web API服務：

HttpClient client = new HttpClient(); 
client.BaseAddress = new Uri("http://webapiservice.azurewebsites.net/"); 
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token); 

HttpResponseMessage response = client.GetAsync("api/values").Result; 

這裏是網頁API服務如何驗證訪問：

app.UseJwtBearerAuthentication(new JwtBearerOptions 
{ 
    AutomaticAuthenticate = true, 
    AutomaticChallenge = true, 

    TokenValidationParameters = new TokenValidationParameters 
    { 
      ValidateAudience = true, 
      ValidAudience = "https://tenant.onmicrosoft.com/webapiservice", 
     } 
    }); 

這裏有什麼問題嗎？

感謝

Answer 1

根據您的配置和代碼片段，它看起來像你想安裝使用Azure的AD V1端點對.NET核心一個Web API。

對於.NET的核心使用Azure的AD V1終點，你應該使用UseJwtBearerAuthentication如下：

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory) 
{ 
    // ... 
    // Other stuff 
    // ... 

    app.UseJwtBearerAuthentication(
     new JwtBearerOptions 
     { 
      Authority = string.Format("https://login.microsoftonline.com/{0}/", 
       Tenant), 
      Audience = ClientId 
     }); 
} 

---

供參考，在這裏是可以使用的一些其它設置：

對於使用Azure AD v1端點的.Net，您應該使用UseWindowsAzureActiveDirectoryBearerAuthentication

下面是來自官方.NET Web API sample片段，樣品，展示如何此設置：使用Azure的廣告V2終點，你應該使用UseOAuthBearerAuthentication如下

public void ConfigureAuth(IAppBuilder app) 
{ 
    app.UseWindowsAzureActiveDirectoryBearerAuthentication(
     new WindowsAzureActiveDirectoryBearerAuthenticationOptions 
     { 
      Audience = ClientId, 
      Tenant = Tenant 
     }); 
} 

對於.NET：

public void ConfigureAuth(IAppBuilder app) 
{ 
    TokenValidationParameters tvps = new TokenValidationParameters 
    { 
     // Accept only those tokens where the audience of the token is equal to the client ID of this app 
     ValidAudience = ClientId 
    }; 

    app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions 
    { 
     // This SecurityTokenProvider fetches the Azure AD B2C metadata & signing keys from the OpenIDConnect metadata endpoint 
     AccessTokenFormat = new JwtFormat(tvps, new OpenIdConnectCachingSecurityTokenProvider(String.Format("https://login.microsoftonline.com/{0}", Tenant))) 
    }); 
} 

對於.NET的核心使用Azure的廣告V2終點，你應該使用UseJwtBearerAuthentication如下：

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory) 
{ 
    // ... 
    // Other stuff 
    // ... 

    app.UseJwtBearerAuthentication(
     new JwtBearerOptions 
     { 
      Authority = string.Format("https://login.microsoftonline.com/{0}/v2.0/", 
       Tenant), 
      Audience = ClientId 
     }); 
}