当前位置: 文江博客话题详情

试图在Azure函数中对Azure AD进行身份验证返回401,“ IDX10516:签名验证失败。”

发布于 2025-01-27 01:10:45 字数 4561 浏览 7 评论 0原文

我正在尝试使用Azure函数Web API和连接到Azure AD的基于React的水疗中心来构建SSO原型。目的是使用“易于auth”(又称Azure函数集成身份验证)作为我在Azure函数上的身份验证( https://learn.microsoft.com/en-us/ap/aps/app-service/overview-authentication-authorization-authorization-authorization )以microsoft身份平台作为我的提供商。

首先,我使用以下教程创建了一个React Spa: https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-react 这似乎可以很好地验证,我能够消耗示例图API调用。

但是,一旦我尝试将Azure功能添加到混合物中,我就会遇到问题。我使用了“客户指导的登录”的帖子呼叫( https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-customize-customize-customize-sign-sign-in-in-in-indunpunt - 指导 - 签名)提交我的访问令牌,但失败了。

我在页面中创建了一个新按钮,该按钮调用以下函数:

export async function callExampleService(idToken, accessToken) {
    const headers = new Headers();

    headers.append("Content-Type", "application/json");

    const options = {
        method: 'POST',
        headers: headers,
        body: JSON.stringify({ access_token: `${accessToken}` })
    };

    return fetch(exampleDataServiceConfig.exampleDataServiceBase.concat(exampleDataServiceConfig.postAuth), options)
        .then(response => response.json())
        .catch(error => console.log(error));
}

从提琴手的响应中判断,看来该调用与预期的帖子匹配:

POST https://<function-name>/.auth/login/aad HTTP/1.1
Host: func-dotnetssoprototype-dev-westus2-001.azurewebsites.net
Connection: keep-alive
Content-Length: 1942
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="101", "Microsoft Edge";v="101"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36 Edg/101.0.1210.32
sec-ch-ua-platform: "Windows"
content-type: application/json
Accept: */*
Origin: http://localhost:3000
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:3000/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

{"access_token":"<valid JWT token from client app auth, tested on jwt.io>"}

但是返回了以下错误:

HTTP/1.1 401 Unauthorized
Content-Type: application/json
Vary: Origin
Server: Kestrel
WWW-Authenticate: Bearer realm="<function-name>.azurewebsites.net"
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://localhost:3000
Request-Context: appId=cid-v1:5c2eaf04-be8a-4b4d-baca-bd047b53cfb0
Strict-Transport-Security: max-age=31536000; includeSubDomains
Date: Thu, 05 May 2022 00:03:00 GMT
Content-Length: 716

{"code":401,"message":"IDX10516: Signature validation failed. Unable to match key: \nkid: '[PII of type 'System.String' is hidden. For more details, see https:\/\/aka.ms\/IdentityModel\/PII.]'. \nNumber of keys in TokenValidationParameters: '0'. \nNumber of keys in Configuration: '6'. \nExceptions caught:\n '[PII of type 'System.Text.StringBuilder' is hidden. For more details, see https:\/\/aka.ms\/IdentityModel\/PII.]'. \ntoken: '[PII of type 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken' is hidden. For more details, see https:\/\/aka.ms\/IdentityModel\/PII.]'. Valid Lifetime: 'True'. Valid Issuer: '[PII of type 'System.Boolean' is hidden. For more details, see https:\/\/aka.ms\/IdentityModel\/PII.]'"}

应注意,React Client App和Azure既要注意功能都使用相同的注册应用程序凭据进行身份验证。我还没有找到有关这是正确的练习还是两个都需要单独的注册应用程序的详细信息。

以下是一些相关的信息来缩小问题的范围:

  • http:// localhost:3000位于功能中。
  • http:// localhost:3000在应用程序注册的“单页应用程序”平台配置的重定向URI中。
  • https://.azurewebsites.net/.auth/login/aad/callback在App注册的“ Web”平台condict的重定向URIS中。
  • 只是Azure函数的实际名称的占位符,以防您认为我实际上将其用于变量中的名称。 ;)
  • 两个“访问令牌”和“ id dokens”均未在“隐式赠款和混合流”中检查,因为我们使用MSAL.JS 2.0

,因为AUTH是在黑匣子容器中完成的,我不确定什么我可以采取的步骤在此问题上获取详细信息。我有以下问题:

  1. 是否有一种方法可以将PII“放置”在功能上?我在错误中看到了链接,并引用了添加“ IndentityModeleventsource.showpii = true;”的链接。对于代码,但是此源不在Azure软件包中,我认为这是Auth容器中的错误。
  2. 是什么可能导致此失败的签名验证/如何解决此问题?我在JWT和众所周知的配置中查看了“孩子”。它存在于返回的清单中。

任何帮助将不胜感激。

原文

I'm attempting to build an SSO prototype using an Azure Function web API and a react-based SPA connected to Azure AD. The goal is to use "Easy Auth" (aka Azure Function integrated authentication) for my authentication on the Azure Function (https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization) with Microsoft Identity Platform as my provider.

First off, I created a React SPA using the following tutorial: https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-react
This seemed to authenticate just fine and I was able to consume the sample Graph API call.

However, once I attempted to then add the Azure Function to the mix, I ran into a problem. I used the POST call for "Client-directed sign-in" (https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-customize-sign-in-out#client-directed-sign-in) to submit my access token, but it failed.

I created a new button in the page that calls the following function:

export async function callExampleService(idToken, accessToken) {
    const headers = new Headers();

    headers.append("Content-Type", "application/json");

    const options = {
        method: 'POST',
        headers: headers,
        body: JSON.stringify({ access_token: `${accessToken}` })
    };

    return fetch(exampleDataServiceConfig.exampleDataServiceBase.concat(exampleDataServiceConfig.postAuth), options)
        .then(response => response.json())
        .catch(error => console.log(error));
}

Judging from the Fiddler response, it looks as though the call matched the expected POST:

POST https://<function-name>/.auth/login/aad HTTP/1.1
Host: func-dotnetssoprototype-dev-westus2-001.azurewebsites.net
Connection: keep-alive
Content-Length: 1942
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="101", "Microsoft Edge";v="101"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36 Edg/101.0.1210.32
sec-ch-ua-platform: "Windows"
content-type: application/json
Accept: */*
Origin: http://localhost:3000
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:3000/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

{"access_token":"<valid JWT token from client app auth, tested on jwt.io>"}

But returned the following error:

HTTP/1.1 401 Unauthorized
Content-Type: application/json
Vary: Origin
Server: Kestrel
WWW-Authenticate: Bearer realm="<function-name>.azurewebsites.net"
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://localhost:3000
Request-Context: appId=cid-v1:5c2eaf04-be8a-4b4d-baca-bd047b53cfb0
Strict-Transport-Security: max-age=31536000; includeSubDomains
Date: Thu, 05 May 2022 00:03:00 GMT
Content-Length: 716

{"code":401,"message":"IDX10516: Signature validation failed. Unable to match key: \nkid: '[PII of type 'System.String' is hidden. For more details, see https:\/\/aka.ms\/IdentityModel\/PII.]'. \nNumber of keys in TokenValidationParameters: '0'. \nNumber of keys in Configuration: '6'. \nExceptions caught:\n '[PII of type 'System.Text.StringBuilder' is hidden. For more details, see https:\/\/aka.ms\/IdentityModel\/PII.]'. \ntoken: '[PII of type 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken' is hidden. For more details, see https:\/\/aka.ms\/IdentityModel\/PII.]'. Valid Lifetime: 'True'. Valid Issuer: '[PII of type 'System.Boolean' is hidden. For more details, see https:\/\/aka.ms\/IdentityModel\/PII.]'"}

It should be noted that both the react client app and the azure function are both using the same Registered App credentials for authentication. I haven't found any details about whether that is the correct practice or that both need separate Registered Apps.

Here are a few related pieces of info to narrow down the problem:

  • http://localhost:3000 is in the CORS for the function.
  • http://localhost:3000 is in the Redirect URIs for the "Single Page Application" platform config of the app registration.
  • https://.azurewebsites.net/.auth/login/aad/callback is in the Redirect URIs for the "Web" platform confict of the app registration.
  • is just the placeholder for the actual name of the azure function, in case you think I actually used that for the name in the variables. ;)
  • Both "Access tokens" and "ID tokens" are not checked in the "Implicit grant and hybrid flows" since we're using msal.js 2.0

Since the auth is done in a black box container, I'm not sure what steps I can take to get specifics on this issue. I have the following questions:

  1. Is there a way to "un-hide" the PII on the function? I saw the link in the error and it references adding "IdentityModelEventSource.ShowPII = true;" to the code, but this source isn't in the Azure packages and I think it's an error from the auth container.
  2. What could be causing this failed signature validation/how I can I fix this issue? I looked at the "kid" in the JWT and at the well known config. It exists in the returned manifest.

Any help would be appreciated.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

憧憬巴黎街头的黎明 2025-02-03 01:10:45

当我缩小范围后,问题很简单。

问题是我使用访问权限来验证而不是iDtoken。 JSON属性被称为“ Access_token”的事实是错误的。

代码更改是:

body: JSON.stringify({ access_token: `${idToken}` })

The issue was pretty simple after I narrowed it down.

The problem was that I was using the accessToken to authenticate instead of the idToken. The fact that the json property was called "access_token" was a misnomer.

The code change is:

body: JSON.stringify({ access_token: `${idToken}` })
回复 原文
~没有更多了~

关于作者

顾挽

暂无简介

文章
评论
761 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

达拉崩吧

文章 0 评论 0

PANGOO

文章 0 评论 0

kkgtx

文章 0 评论 0

WordPress小学生

文章 0 评论 0

酷炫老祖宗

文章 0 评论 0

硪扪都還晓

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文