Updated: 2023-12-03 15:08:28
I've created a .NET Core web app which is using Azure AD for the identity. This is all working fine as expected, and anything I decorate using [Authorize] is protected.
I am now wanting to secure one of my API controllers to be accessible from an external service.
I followed this tutorial, which explains service-to-service authentication: Service to service auth with Azure AD
Using this I have managed to request a token:

```http
POST https://login.microsoftonline.com/{TENANTID}/oauth2/token

grant_type=client_credentials
&client_id={CLIENTID}
&client_secret={CLIENTSECRET}
&resource=https%3A%2F%2Fmydirectory.onmicrosoft.com/myappname
```
Running this with postman, I get the Bearer access_token so looks good.
Now if I call my web app in Postman with this bearer token on the header,

```http
GET https://localhost:44392/api/booking
Authorization: Bearer {access_token}
```
I get an HTML response from one of the Microsoft dialogues. So it seems it is just going into the redirect loop, so I am now confused on whether I have a configuration problem in the token request, or whether my web app needs to be set up in a different way. The article here mentions something about permissions in the manifest file, but I am confused why this would be necessary?
Some additional points
Any assistance appreciated!
I managed to try the Daemon .NET 4.5 app and this worked flawlessly using UseWindowsAzureActiveDirectoryBearerToken: Daemon Service to service auth on .NET 4.5
However, in my .NET Core app this middleware isn't available, so I tried using the JwtBearer middleware, but I still get the login prompt.
```csharp
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
    Audience = "https://localhost:44392",
    Authority = "https://login.microsoftonline.com/{TENANTNAME}.onmicrosoft.com"
});
```
As you can see, I have only set 2 properties in the BearerOptions but I believe they should have been enough to [Authorize] my API endpoint.
```http
POST https://login.microsoftonline.com/{CLIENTID}/oauth2/token
```

First, the token endpoint is incorrect when you acquire the token; we should use tenantId instead of clientId.
And to troubleshoot this issue, I suggest that you decode the access_token from this site to see whether the aud claim in the token is the same as the Audience you configured in the web API project.
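As an added diagnostic example (not code from the question or the answer), this is the check the answer describes: decode the token's payload and compare its aud claim with the Audience the API is configured with. The sample token, tenant id and client id are constructed placeholders, and the decode deliberately skips signature verification because it is only for inspecting claims, not for making an authorization decision.

```python
import base64
import json

# Diagnostic helper (added here, not part of the original post): decodes a JWT's
# payload WITHOUT verifying the signature, purely to inspect claims while
# troubleshooting. The JwtBearer middleware still does the real validation.

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url with the '=' padding stripped; restore it.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS form header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def audience_problems(token: str, configured_audience: str) -> list:
    """Compare the token's aud claim with JwtBearerOptions.Audience.
    Returns a list of findings; an empty list means the audiences match."""
    claims = decode_jwt_payload(token)
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if configured_audience in auds:
        return []
    return [f"aud {auds} does not match configured Audience '{configured_audience}': "
            "the API will reject this token; request it with resource= set to the "
            "value configured as Audience, or configure Audience to match"]


def make_constructed_token(payload: dict) -> str:
    # Constructed, UNSIGNED sample for demonstration only; the signature segment
    # is a placeholder and would fail real validation.
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.placeholder-signature"


# Claims shaped like a v1 client_credentials token for the resource the question
# requested. {TENANTID} and {CLIENTID} are placeholders, not real values.
SAMPLE_TOKEN = make_constructed_token({
    "aud": "https://mydirectory.onmicrosoft.com/myappname",
    "iss": "https://sts.windows.net/{TENANTID}/",
    "tid": "{TENANTID}",
    "appid": "{CLIENTID}",
})

if __name__ == "__main__":
    # Mismatch: the question's API configures Audience = https://localhost:44392
    print(audience_problems(SAMPLE_TOKEN, "https://localhost:44392"))
    print(audience_problems(SAMPLE_TOKEN, "https://mydirectory.onmicrosoft.com/myappname"))
```

With the question's configuration the first call reports a mismatch, because the token was requested for the App ID URI while the API expects https://localhost:44392; aligning the two (either side) is what makes the bearer path succeed instead of falling through to the login redirect.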