尝试通过 Azure 函数发送请求时出现 MSI 授权错误

MSI Authorization error when trying to send request via Azure Function

奇怪的解决方案: 第二天,我再次尝试 运行 我的应用程序,没有任何更改(只是怀着好奇的希望),我不再收到错误.我怀疑与我通信的 MSFT API 运行 出了问题。

——

我继承了一个相当大的应用程序,其中有许多移动组件。不幸的是,我也没有得到关于它是如何工作的概述。因此,如果有人可以深入了解我的问题可能是什么,我将不胜感激。

突然间,我开始收到这个错误

One or more errors occurred. (token_type property not found in the response {"ExceptionMessage":"System.Net.WebException: The remote server returned an error: (401) Unauthorized.\r\n   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)\r\n   at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)\r\n--- End of stack trace from previous location where exception was thrown ---\r\n   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n   at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpWebRequestWrapper.<GetResponseSyncOrAsync>d__2.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n   at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpHelper.<SendPostRequestAndDeserializeJsonResponseAsync>d__0`1.MoveNext()","ErrorCode":"invalid_client","ServiceErrorCodes":["700027"],"InnerException":null,"StatusCode":401,"Message":null,"CorrelationId":"0b7f2697-0425-4b08-9622-d4e81f619968"}) token_type property not found in the response {"ExceptionMessage":"System.Net.WebException: The remote server returned an error: (401) Unauthorized.\r\n   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)\r\n   at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)\r\n--- End of stack trace from previous location where exception was thrown ---\r\n   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n   at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpWebRequestWrapper.<GetResponseSyncOrAsync>d__2.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n   at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpHelper.<SendPostRequestAndDeserializeJsonResponseAsync>d__0`1.MoveNext()","ErrorCode":"invalid_client","ServiceErrorCodes":["700027"],"InnerException":null,"StatusCode":401,"Message":null,"CorrelationId":"0b7f2697-0425-4b08-9622-d4e81f619968"} 

从这个端点

http://127.0.0.1:41911/MSI/token/?resource=https://management.core.windows.net/&api-version=2017-09-01

我也有一个 Key Vault,它有几个在整个应用程序流程中检索的秘密。

似乎有一些托管服务标识 运行 在某处出现身份验证问题?我试图找到这个 127.0.0.1 来自 运行 的位置,但我无法找到它。如果我有应用程序服务和功能,这个本地 IP 是其中之一吗?

我知道我的问题很模糊,因为我什至不知道去哪里找。我正在寻找一些指导或可能的解决方案。

我 运行 Azure 函数的“诊断”功能似乎导致了问题,我注意到了这一点:

但是,如果这确实是问题所在,我不知道如何解决这个问题。

谢谢。

根据您的描述,您在获取 Azure 管理 API 的令牌时似乎出现了问题。如果您在 Azure 门户上开发您的功能,只需尝试以下代码:

#r "Newtonsoft.Json"

using System.Net;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Primitives;
using Newtonsoft.Json;

public static async Task<IActionResult> Run(HttpRequest req, ILogger log)
{
    log.LogInformation("C# HTTP trigger function processed a request.");
    var endpoint = Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT");
    var identity_header = Environment.GetEnvironmentVariable("IDENTITY_HEADER");
    var resource = "https://management.core.windows.net";
    var requestURL = endpoint + "?resource=" + resource + "&api-version=2019-08-01";

    HttpClient httpClient = new HttpClient();
    httpClient.DefaultRequestHeaders.Add("X-IDENTITY-HEADER", identity_header);
    HttpResponseMessage response = await httpClient.GetAsync(requestURL);
    response.EnsureSuccessStatusCode();
    string responseBody = await response.Content.ReadAsStringAsync();

    return new OkObjectResult(responseBody);
}

结果:

如果您还有其他问题,请告诉我。