当我尝试使用 Cortana Bot 用户令牌(这是一个图形令牌)为另一个使用 Web API 应用程序生成“代表”令牌时,出现错误(如下所述)ClientAssertionCertificate / ClientCredential通过传递其目标到另一个消费 Web APIAppId as ResourceId and userAssertion使用 Cortana Bot 用户令牌生成。
检查我们的 Bot AAD 设置时,它已配置其他消费 Web API (API B) 作为有效应用程序以及图形应用程序。我们是否需要在AAD中进行任何额外的设置才能获得这个代币?
AADSTS50013: Assertion contains an invalid signature.
[Reason - The provided signature value did not match the expected signature value.,
Thumbprint of key used by client: '9DB0B05B5D70DD7901FB151A5F029148B8CC1C64',
Found key 'Start=11/11/2018 00:00:00,
End=11/11/2020 00:00:00'
]
Trace ID: a440869f-b8f5-4d87-ba1a-6bd8dd7ba200
Correlation ID: 651e1fa8-2069-4489-a687-e68e5206e193
Timestamp: 2019-01-02 07:14:45Z
以下是我们如何尝试为其他消费 Web API (API B) 获取代表令牌的流程和示例代码。
流程步骤:
以下是用于从 Microsoft Bot Framework API 生成代表令牌的代码示例:
public async Task<string> GetOnBehalfOfTokenAsync(string authority, string resource, string scope = "", string token = "")
{
AuthenticationResult output;
var clientId = ConfigurationManager.AppSettings["API-B-ClientId"];
// Read certificate which can be used for getting token to API B using ClientAssertionCertificate
// GetCert() is used to get the Certificate based on Thumbprint configured in Web.config file.
var certificate = this.GetCert();
// 'authority' is https://login.microsoftonline.com/{tenant id}
var authContext = new AuthenticationContext(authority);
var cllientCertificateCredential = new ClientAssertionCertificate(clientId, certificate);
// 'token' is the user token which was received from Cortana.
var userAssertion = (!string.IsNullOrWhiteSpace(token)) ?
new UserAssertion(token, "urn:ietf:params:oauth:grant-type:jwt-bearer",
TokenHelper.ExtractUserInfoFromAuthToken(token, "upn")) : null;
try
{
// 'resource' is the Resource Id of API B
// if UserAssertion is null then get token with ClientAssertionCertificate else get
// on-behalf-of token using UserAssertion and ClientAssertionCertificate
if (userAssertion == null)
{
output = await authContext
.AcquireTokenAsync(resource, cllientCertificateCredential)
.ConfigureAwait(false);
}
else
{
output = await authContext
.AcquireTokenAsync(resource, cllientCertificateCredential, userAssertion)
.ConfigureAwait(false);
}
}
catch (Exception ex)
{
logger.log("Error acquiring the AAD authentication token", ex);
}
return output.AccessToken;
}
在此步骤中获取上面提到的异常:
output = await authContext
.AcquireTokenAsync(resource, cllientCertificateCredential, userAssertion)
.ConfigureAwait(false);
我的理解是:首先从 Cortana 访问 ms graph API 获取用户令牌;然后您想使用用户令牌在 Microsoft Bot Framework API 中生成 OBO 令牌;最后,您想要使用 OBO 令牌从 Microsoft Bot Framework API 访问 API B。
你想在Microsoft Bot Framework API中获取OBO令牌,你应该使用API id和秘密,为此,我从未尝试过。
在我这边,我使用 v1 端点,创建两个 API(API A 和 B),我的流程是: 首先,我的应用程序为 API A 请求 token1;
Next, use the token1 to request OBO token2 for API B from API A;
最后,使用 OBO token2 向 API B 请求 Aad graph API 的 OBO token3。
对于 v1 端点中的 OBO,请阅读link1 https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-on-behalf-of-flow.
对于 v2 端点中的 OBO,请阅读link2 https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow.