客户端应用程序正在从 Microsoft 获取 JWT 并将其发送到我的 API。它工作正常,但我的 API 如何知道令牌是否真的来自 Microsaft 以及它是否有效?
客户端获取令牌的方式如下:
string ClientID = "xxx";
string TenantID = "yyy";
IPublicClientApplication pca = PublicClientApplicationBuilder
.Create(ClientID)
.WithAuthority(AzureCloudInstance.AzurePublic, TenantID)
.WithRedirectUri("https://login.microsoftonline.com/common/oauth2/nativeclient")
.Build();
string[] scopes = { "user.read" };
AuthenticationResult result = await pca.AcquireTokenInteractive(scopes).ExecuteAsync();
string JWT = result.AccessToken;
答案 0 :(得分:3)
在 API 项目中,您可以安装 Microsoft.Identity.Web 包。 然后在Startup.cs中添加以下代码
services
.AddAuthentication()
.AddMicrosoftIdentityWebApi(options => { }, options =>
{
options.ClientId = "Your Azure AD ClientId";
options.TenantId = "Your Azure AD TenantId";
options.Instance = "https://login.microsoftonline.com/";
});
要手动完成,请尝试类似
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
{
var clientSecret = "";
var clientId = "";
var tenantId = "";
options.TokenValidationParameters = new TokenValidationParameters
{
ValidAudience = clientId,
ValidIssuer = $"https://sts.windows.net/{tenantId}/",
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(clientSecret)),
ValidateIssuer = true,
ValidateIssuerSigningKey = true,
ValidateLifetime = true,
ValidateAudience = true,
ClockSkew = TimeSpan.Zero
};
});