All geek questions in one place

401 when authenticating to the Azure API App using AAD

I have an API application that works great with the Gateway host, and now that the host gateway is out of date, I'm trying to follow the Migration Guide . I redistributed my service using the 2.8.1 SDK and can log in to the service using a browser using AAD or a Microsoft account and use Swagger to test the service. However, I am trying to get the client to access the service using ClientId and Secret. The code can get an access token from AAD, but I always get a 401 error whenever I try to access one of the service resources.

When I debug a service, I see the following in the log:

Microsoft.Azure.AppService.Authentication Verbose: 0 : Received request: GET https://[myService].azurewebsites.net/api/[myResource] Microsoft.Azure.AppService.Authentication Warning: 0 : JWT validation failed: IDX10214: Audience validation failed. Audiences: 'https://[myService].azurewebsites.net/'. Did not match: validationParameters.ValidAudience: '[AAD ClientId]' or validationParameters.ValidAudiences: 'http://[myService].azurewebsites.net'. Microsoft.Azure.AppService.Authentication Information: 0 : Sending response: 401.71 Unauthorized The thread 0x3b00 has exited with code 0 (0x0).

It seems that the problem is that the audience submitted with the request is https, but the validParameters.ValidAudiences collection contains only http.

I don't see any way to set up Audience, and it looks like an http-based audience is setting up when Visual Studio 2015 creates the App service. Is there a way to manually edit the ValidAudience collection?

For reference, my client code is:

  private static void Main(string[] args) { string app_id_url = "https://[myService].azurewebsites.net/"; string authority = "https://login.windows.net/[myDirectory].onmicrosoft.com/"; string clientId = "[AAD ClientId]"; string clientSecret = "[AAD Client Secret]"; string apiBaseUrl = "https://[myService].azurewebsites.net/"; string aadToken = GetTokenForApplication(authority, clientId, clientSecret, app_id_url); var apiClient = new HttpClient { BaseAddress = new Uri(apiBaseUrl) }; apiClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", aadToken); var apiResponse = apiClient.GetAsync(apiBaseUrl + @"api/[myResource]").Result; string apiResponseContent = apiResponse.Content.ReadAsStringAsync().Result; Console.WriteLine(apiResponseContent); } public static string GetTokenForApplication(string authority, string clientId, string clientSecret, string resourceUrl) { AuthenticationContext authenticationContext = new AuthenticationContext(authority, false); ClientCredential clientCred = new ClientCredential(clientId, clientSecret); AuthenticationResult authenticationResult = authenticationContext.AcquireToken(resourceUrl, clientCred); string token = authenticationResult.AccessToken; return token; }
+5
source share
2 answers

Your problem is with a valid audience. You can have 2 options:

Option 1. Try to get the token with the WebAPI client identifier as an AcquireToken method resource parameter, not its Uri.

Option 2: If the previous method did not work, you need to change the authentication settings of the App Service API using Azure Resources Explorer . Go to your web API, find the authSettings JSON document under the config node and change (after changing the read / write mode) the allowedAudiences array to suit your needs. In your case, you may need to change http to https

+7
source

In my ASP.NET 4.5 web application, I found that I needed to specify valid audiences to avoid runtime exception.

 public partial class Startup { private static string _aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"]; private static string _tenant = ConfigurationManager.AppSettings["ida:Tenant"]; private static string _realm = ConfigurationManager.AppSettings["ida:Wtrealm"]; private static string _metadataAddress = string.Format("{0}/{1}/federationmetadata/2007-06/federationmetadata.xml", _aadInstance, _tenant); private static string _authority = String.Format(CultureInfo.InvariantCulture, _aadInstance, _tenant); public void ConfigureAuth(IAppBuilder app) { app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType); app.UseCookieAuthentication(new CookieAuthenticationOptions()); app.UseWsFederationAuthentication( new WsFederationAuthenticationOptions { Wtrealm = _realm, MetadataAddress = _metadataAddress, TokenValidationParameters = new TokenValidationParameters { ValidAudiences = new string[] { "spn:" + _realm } } } ); } }
0
source

Source: https://habr.com/ru/post/1238408/

More articles:


All Articles