Microsoft Graph API令牌验证-API服务器中的签名验证失败

编程问答 2022-06-12

问题描述

在我的应用程序中,我使用了基于Azure AD令牌的用户上下文。

我在招摇中实施了azure ad隐式流程,该流程以正确的方式返回令牌并正常工作。但是我尝试使用基于MSAL或ADAL Js的sharepoint / JQuery / Mobile应用程序来获取令牌。该令牌传入标头。但是,抛出错误IDX10511签名验证失败。

搜索了许多网站。我不知道如何验证Microsoft Graph API令牌。

任何人都知道,请分享您的知识。或其他任何方法来验证Graph API签名。

在我的示例代码

  IList<string> validateAudience = new List<string>() { "00000003-0000-0000-c000-000000000000",$"{clientId1}",$"{clientId}","https://graph.microsoft.com","https://example.sharepoint.com",$"api://{clientId1}/user.read",$"api://{clientId}/user.read",$"api://{clientId}" };
        var MetaDataUrl = $"https://login.microsoftonline.com/{Configuration["AzureAd:TenantId"]}/.well-kNown/openid-configuration";
      
        //OpenIdConnectConfiguration openidconfig = OpenIdConnectConfigurationRetriever.GetAsync(MetaDataUrl,CancellationToken.None).Result;
        var configManager = new ConfigurationManager<OpenIdConnectConfiguration>($"https://sts.windows.net/{TenantId}/.well-kNown/openid-configuration",new OpenIdConnectConfigurationRetriever());
        var openidconfig = configManager.GetConfigurationAsync().Result;

    services.AddAuthentication(sharedOptions =>
    {
        sharedOptions.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        sharedOptions.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
        sharedOptions.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
   .AddAzureAd(options =>
    {
        Configuration.Bind("AzureAd",options);
    })
        .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme,_ =>
          {

              _.Audience = Configuration["ClientId"];
              _.Authority = "https://login.microsoftonline.com/{TenantId}/v2.0";
              _.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters()
              {
                  ValidateAudience = false,ValidAudiences = validateAudience,ValidateIssuer = false,Validissuer = "https://sts.windows.net/{TenantId}/",Validissuers = new List<string>() { "https://login.microsoftonline.com/{TenantId}/v2.0","https://sts.windows.net/{TenantId}/" },ValidateIssuerSigningKey = false,IssuerSigningKeys = openidconfig.SigningKeys,RequireExpirationTime = true,ValidateLifetime = false,RequireSignedTokens = false,};
              _.RequireHttpsMetadata = false;
              _.Events = new JwtBearerEvents
              {
                  OnChallenge = context =>
                  {
                      return Task.CompletedTask;
                  },OnMessageReceived = context =>
                  {
                      return Task.CompletedTask;
                  },OnForbidden = context =>
                  {
                      return Task.CompletedTask;
                  },OnAuthenticationFailed = context =>
                  {
                      return Task.CompletedTask;
                  },OnTokenValidated = context =>
                  {
                      return Task.CompletedTask;
                  }
              };
          });

我已调试了基于MSAL和ADAL JS的应用程序,生成的令牌始终会收到OnAuthenticationFailed事件,并且会引发异常

“ IDX10511:签名验证失败。尝试的密钥:'Microsoft.IdentityModel.Tokens.X509SecurityKey,KeyId:'1E50B4475DAC931359D564309A3385FFAB7FB431',InternalId:'f61f7746-3cff-4557-8b2c-b47fad9cf1e3'564FF4DACFB93B4D3DFAFA3FA4B3DFABFA3FA4B3D5FA4B3D5FA5B4D5FA4B3D5FA4B4B4B&F3D4B4B&F4C&B&B&B; 4E4B&F4B&B&B; 4E5B&D&B&B >

已解析的JWT令牌图像

enter image description here

预先感谢。

解决方法

暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!

如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。

小编邮箱:dio#foxmail.com (将#修改为@)

adal.jsazureazureazureazure-active-directorymicrosoft-graph-apimsal