我们在Azure中有一个ASP.NET Core Web API,它具有支持Azure AD和Azure AD AD的端点,
我想使用定时触发器创建一个新的Azure函数,该触发器将调用同一Web API。调用显然不是在用户的上下文中,而是在函数应用程序的上下文中。
AF是AzureFunctionsVersion“ V3”,带有“ NetCoreApp3.1”的TargetFrameWork,
我已将应用程序角色添加到现有Web API
然后我请求访问该API来自Azure函数“ API权限” azure Portal中的“ API权限”叶片
我删除了真实的值
{
"IsEncrypted": false,
"Values": {
"AzureWebJobsStorage": "UseDevelopmentStorage=true",
"FUNCTIONS_WORKER_RUNTIME": "dotnet",
"AzureAd:Instance": "https://login.microsoftonline.com/",
"AzureAd:Domain": "ourdomain.co.uk",
"AzureAd:TenantId": "aaaaaaaa-92eb-430b-b902-aaaaaaaaaaaa",
"AzureAd:ClientId": "aaaaaaaa-bd17-4e69-bdf6-aaaaaaaaaaaa",
"AzureAd:Audience": "https://ourdomain.co.uk/appid,
"AzureAd:ClientSecret": "THESECRET",
"PatientApi:BaseAddress": "https://myapi.com/api/",
"PatientApi:Scopes": "https://my-api-appiduri/.default"
},
}
getAccessTokenForappAsync来尝试获得azure函数的令牌
var accessToken = await this.tokenAcquisition.GetAccessTokenForAppAsync(this.patientScope);
this.httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
this.httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
,然后尝试通过调用
Microsoft.Identity.Client.MSALSERVICEEXCEPTION:'配置问题
在防止身份验证 - 检查服务器的错误消息
有关详细信息。您可以修改应用程序中的配置
注册门户。参见 https://aka.mss/msal-net-net-net-inet-invalid-client
细节。原始例外:AADSTS7000215:无效的客户秘密
假如。确保在请求中发送的秘密是客户
秘密价值,而不是客户的秘密ID,用于添加到应用程序中的秘密
'{clientid_for_azurefunction}'。
这是Azuread配置并将GetAccessTokenForapPasync称为正确的方法吗?
We have an exisiting ASP.NET Core Web Api in Azure that has endpoints that support Azure AD and Azure AD secured users
I want to create a new Azure Function with a Timed trigger that will call this same Web Api. The call will obviously not be in the context of a user but in the context of the Function App.
The AF is AzureFunctionsVersion "v3" with a TargetFramework of "netcoreapp3.1"
I have added an App Role to the App registration for the existing Web API
I have then requested access to the that API from the Azure Functions "Api Permissions" blade in Azure Portal
I am only running this Azure Function locally as yet so here are the values from local.settings.json. I've removed the real values
{
"IsEncrypted": false,
"Values": {
"AzureWebJobsStorage": "UseDevelopmentStorage=true",
"FUNCTIONS_WORKER_RUNTIME": "dotnet",
"AzureAd:Instance": "https://login.microsoftonline.com/",
"AzureAd:Domain": "ourdomain.co.uk",
"AzureAd:TenantId": "aaaaaaaa-92eb-430b-b902-aaaaaaaaaaaa",
"AzureAd:ClientId": "aaaaaaaa-bd17-4e69-bdf6-aaaaaaaaaaaa",
"AzureAd:Audience": "https://ourdomain.co.uk/appid,
"AzureAd:ClientSecret": "THESECRET",
"PatientApi:BaseAddress": "https://myapi.com/api/",
"PatientApi:Scopes": "https://my-api-appiduri/.default"
},
}
I then try an get a token for the Azure Function by calling GetAccessTokenForAppAsync
var accessToken = await this.tokenAcquisition.GetAccessTokenForAppAsync(this.patientScope);
this.httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
this.httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
When I call GetAccessTokenForAppAsync I get the following Exception
Microsoft.Identity.Client.MsalServiceException: 'A configuration issue
is preventing authentication - check the error message from the server
for details. You can modify the configuration in the application
registration portal. See https://aka.ms/msal-net-invalid-client for
details. Original exception: AADSTS7000215: Invalid client secret
provided. Ensure the secret being sent in the request is the client
secret value, not the client secret ID, for a secret added to app
'{CLIENTID_FOR_AZUREFUNCTION}'.
Is this AzureAd config and calling GetAccessTokenForAppAsync the right approach?
发布评论
评论(2)
tl; dr
虽然我已经正确配置了我在某个时候选择的azuread值,以便在vs IDE中“管理用户秘密”。这创建了一个不同的客户端设备,并且在local.settings.json中覆盖了正确的值。
多亏了这个GitHub问题并发表了MSAL团队的评论,
TL;DR
Whilst I had correctly configured the AzureAd values I must at some point have chosen to "Manage User Secrets" in the VS IDE. That had created a different ClientSecret and that was overriding the correct value in local.settings.json.
Thanks to this GitHub issue and comment from the MSAL team, https://github.com/AzureAD/microsoft-identity-web/issues/379#issuecomment-666526566
在使用
getAccessTokenForapPasync时,您仅通过了范围。但是
getAccessTokenForapPasync需要多个参数,例如租户,AuthenticationsCheme,TokenAcquisitionOptions等。这可能是
的原因是配置问题是防止身份验证您所说的错误。请参阅以下 ON
getAccessTokenForapPasync以及您需要传递的参数的详细说明。您还可以引用以下文档使用Microsoft身份验证库获取Azure AD令牌。
While using the
GetAccessTokenForAppAsyncyou have only passed the scope.But
GetAccessTokenForAppAsyncrequire multiple parameters such as tenant, authenticationscheme , tokenAcquisitionOptions, etc .That might be the reason for the
A configuration issue is preventing authenticationerror stated by you .Refer the following documentation on
GetAccessTokenForAppAsyncand the detail description on the parameters you need to pass.You can also refer the following documentation to get Azure AD tokens by using the Microsoft Authentication Library.