问题描述
我正在尝试使用客户端证书从azure广告中进行现代身份验证。 该过程说。
- 创建一个Azure应用程序。
- 将证书上传到Azure应用程序并获取指纹。
- 使用该证书(https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials)生成JWT令牌
- 然后使用该jwt-token获取访问令牌。
- 要获取访问令牌,请调用API(https://login.microsoftonline.com/ / oauth2 / token)
- HTTP方法的类型为 POST ,并且帖子正文数据将为 x-www-form-urlencoded
{
"error": "invalid_client","error_description": "AADSTS700023: Client assertion audience claim does not match Realm issuer. Review the documentation at https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials .\r\nTrace ID: 714b5009-b74d-46b5-bd0e-3bea76272a01\r\nCorrelation ID: 2cb703bb-f325-44b5-a669-605bc7a81ac0\r\nTimestamp: 2020-08-28 07:31:19Z","error_codes": [
700023
],"timestamp": "2020-08-28 07:31:19Z","trace_id": "714b5009-b74d-46b5-bd0e-3bea76272a01","correlation_id": "2cb703bb-f325-44b5-a669-605bc7a81ac0"
}
func getAuthJWTToken() (string,error) {
clientID := "**********************"
_tenantName := "******************"
pfxFilePath := `E:\abcd.pfx`
certPassword := `*********`
authToken := ""
pfxFile,err := os.Open(pfxFilePath)
if err != nil {
return authToken,err
}
pfxfileinfo,_ := pfxFile.Stat()
var size int64 = pfxfileinfo.Size()
pfxbytes := make([]byte,size)
buffer := bufio.NewReader(pfxFile)
_,err = buffer.Read(pfxbytes)
//PFX to PEM for computation of signature
var pembytes []byte
blocks,err := pkcs12.ToPEM(pfxbytes,certPassword)
for _,b := range blocks {
pembytes = append(pembytes,pem.EncodetoMemory(b)...)
}
//Decoding the certificate contents from pfxbytes
pk,cert,err := pkcs12.Decode(pfxbytes,certPassword)
if cert == nil {
fmt.Printf("Bye")
return authToken,nil
}
if pk == nil {
}
pfxFile.Close() // close file
nottoBeUsedBefore := time.Now()
expirationTime := time.Now().Add(3000 * time.Minute)
URL := fmt.Sprintf("https://login.microsoftonline.com/%s/oauth2/token",_tenantName)
id := guid.New()
claims := &claims{
StandardClaims: jwt.StandardClaims{
// In JWT,the expiry time is expressed as unix milliseconds
ExpiresAt: expirationTime.Unix(),Audience: URL,Issuer: clientID,// consumer key of the connected app,hardcoded
NotBefore: nottoBeUsedBefore.Unix(),Subject: clientID,Id: id.String(),},}
//token_header map[string]interface{}
token := jwt.NewWithClaims(jwt.SigningMethodRS256,claims)
sha1Fingerprint := sha1.Sum(cert.Raw)
var slice []byte
slice = sha1Fingerprint[:]
b64FingerPrint := base64.StdEncoding.EncodetoString([]byte(slice))
token.Header["x5t"] = b64FingerPrint
signKey,err := jwt.ParseRSAPrivateKeyFromPEM(pembytes) // parse the RSA key
tokenString,err := token.SignedString(signKey) // sign the claims with private key
fmt.Printf(fmt.Sprintf("JWT token is %s",tokenString))
return tokenString,err
}
我需要帮助来解决此问题。
解决方法
暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!
如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。
小编邮箱:dio#foxmail.com (将#修改为@)