OpenIdConnectAuthenticationOptions and AcquireTokenByAuthorizationCodeAsync: Invalid JWT token

kod*_*use 3 oauth-2.0 owin azure-active-directory adal openid-connect

I'm trying to get an authorization code, and then hopefully a refresh token, with the OWIN OIDC middleware. However, I'm getting this error:

Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: 'AADSTS50027: Invalid JWT token. AADSTS50027: Invalid JWT token. Token format not valid. Trace ID: 8622dfea-05cd-4080-a52c-ec95a9593800 Correlation ID: 1cf57566-1e02-4856-a4bc-357d5b16ae8a

Note that the authentication part works: I do get the original IdToken back, and the SecurityTokenValidated Notifications event fires. The error above occurs on the "AcquireTokenByAuthorizationCodeAsync" line.

What I'm trying to do is use IdentityServer as the IdP between Azure AD (upstream) and the client (downstream). When the client tries to use the downstream refresh token, I need to capture that refresh token and validate it against AAD, so that when an AAD user is locked out or deleted, I don't issue an access token.

var authority = "https://login.microsoftonline.com/xxx.onmicrosoft.com/v2.0";
var clientId = "xxx-30f5-47c2-9ddb-b5fcfd583f96";
var redirectUri = "http://localhost:60546/oidcCallback";
var clientSecret = "c8RRB4DCUiXMPEotQh2jm2ArgpYAqUMjGhDRKuuJOxxx";

var oidc = new OpenIdConnectAuthenticationOptions
{
    ClientId = clientId,
    Authority = authority,
    Caption = "OIDC",
    ResponseType = OpenIdConnectResponseTypes.CodeIdToken,
    RedirectUri = redirectUri,
    TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters() { ValidateIssuer = false },
    SignInAsAuthenticationType = signInAsType,
    Notifications = new OpenIdConnectAuthenticationNotifications
    {
        AuthorizationCodeReceived = async e =>
        {
            var authContext = new Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext(authority);
            // This is the line that throws the AADSTS50027 "Invalid JWT token" exception quoted above.
            var result = await authContext.AcquireTokenByAuthorizationCodeAsync(e.ProtocolMessage.Code, new Uri(redirectUri), new ClientAssertion(clientId, clientSecret));
            logger.Info(result.IdToken);
        }
    }
};

app.UseOpenIdConnectAuthentication(oidc);

Thanks!

juu*_*nas 5

One thing I can see that is wrong: you should be using ClientCredential, not ClientAssertion:

var result =
    await authContext.AcquireTokenByAuthorizationCodeAsync(
         e.ProtocolMessage.Code,
         new Uri(redirectUri),
         new ClientCredential(clientId, clientSecret));

Then the second thing. You are using ADAL, but you appear to be using the v2 endpoint. I assume you registered the application at apps.dev.microsoft.com.

In that case you should use MSAL (https://www.nuget.org/packages/Microsoft.Identity.Client).

The MSAL API is somewhat different; the class you use is called ConfidentialClientApplication instead of AuthenticationContext (in this case). Here is a snippet from a sample application:

var cca = new ConfidentialClientApplication(clientId, redirectUri, new ClientCredential(appKey), userTokenCache, null);
string[] scopes = { "Mail.Read" };
AuthenticationResult result = await cca.AcquireTokenByAuthorizationCodeAsync(code, scopes);

Sample application: https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect-v2
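Putting the two corrections together, here is an added example (not code from the question, the answer, or the linked sample) of the AuthorizationCodeReceived handler redeeming the code against the v2.0 endpoint with MSAL and a secret-based ClientCredential. It assumes the Microsoft.Identity.Client 1.x/2.x API shape, an existing TokenCache instance, a caller-supplied logging delegate, and "User.Read" as a placeholder Graph scope.

```csharp
// Added example, not from the original question or answer. Assumes MSAL.NET 1.x/2.x
// (Microsoft.Identity.Client), an existing TokenCache named userTokenCache, and a
// simple Action<string> log delegate in place of the asker's logger.
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Owin.Security.OpenIdConnect;

static class CodeRedemption
{
    // Resource scope to request; "User.Read" is a constructed placeholder.
    // MSAL itself adds openid, profile and offline_access (the refresh-token scope).
    static readonly string[] Scopes = { "User.Read" };

    public static async Task OnAuthorizationCodeReceived(
        AuthorizationCodeReceivedNotification e,
        string authority, string clientId, string clientSecret, string redirectUri,
        TokenCache userTokenCache, Action<string> log)
    {
        // Never try to redeem a missing code; the middleware only validated the id_token.
        if (string.IsNullOrEmpty(e.ProtocolMessage.Code))
        {
            log("No authorization code present in the OIDC response");
            return;
        }

        // Secret-based confidential client: ClientCredential(secret), not ClientAssertion.
        var cca = new ConfidentialClientApplication(
            clientId, authority, redirectUri,
            new ClientCredential(clientSecret),
            userTokenCache, null);

        try
        {
            AuthenticationResult result =
                await cca.AcquireTokenByAuthorizationCodeAsync(e.ProtocolMessage.Code, Scopes);

            // MSAL keeps the refresh token inside userTokenCache and does not expose it;
            // a later check against AAD is done by acquiring a token silently from the cache.
            log($"Token acquired for client {clientId}, expires {result.ExpiresOn:o}");
        }
        catch (MsalServiceException ex)
        {
            // AADSTS errors such as the AADSTS50027 in the question surface here. The
            // message carries the Trace ID / Correlation ID needed when raising a ticket.
            log($"Code redemption failed: {ex.ErrorCode} {ex.Message}");
            throw;
        }
    }
}
```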