AADSTS50013:断言签名验证失败。 [原因 - 未找到密钥。,客户端使用的密钥指纹:'xxxx'

AADSTS50013: Assertion failed signature validation. [Reason - The key was not found., Thumbprint of key used by client: 'xxxx'

我有三个应用程序参与 AzureAD OBO 流程:

  1. Angular 前端 --> 在 AzureAD 中注册为 OIDC 应用程序

  2. ASP.NET Core Web API --> 在 AzureAD 中注册为 SAML 应用

  3. NAV OData 服务 --> 在 AzureAD 中注册为 SAML 应用程序

完整流程如下:

  1. Angular 前端应用程序将用户登录到 Azure AD 并请求 Web API 1 的委派访问令牌(ASP.NET Core Web API )

  2. 客户端应用程序然后使用颁发的访问令牌调用 Web API1

  3. Web API 1 又需要调用下游 Web API 2 (NAV OData Services) 因此它使用其访问令牌(在上面的步骤 2 中)来请求Web API 2 的访问令牌。在此步骤中发生的是 Web API 1 使用 OBO 流将其访问令牌交换为另一个资源的访问令牌。交换的令牌仍然代表原始登录用户颁发,并且它具有委托权限。

  4. Web API 1 使用新的访问令牌调用 Web API 2

在上面的步骤 3 中出现错误。

错误详细信息:

 One or more errors occurred. (AADSTS50013: Assertion failed signature validation. [Reason - The key was not found., Thumbprint of key used by client: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx']
    Trace ID: afc20e5e-ebea-4546-af4b-820f48083e01
    Correlation ID: b5d8d7b5-52d1-430d-af81-d34918970831
    Timestamp: 2021-05-03 11:35:25Z)

任何人都可以通过提供解决此问题的指导来帮助我吗?

在这种情况下Angular Front 正在使用隐式流。

https://login.microsoftonline.com/<TenantId>/oauth2/v2.0/authorize?response_type=token&scope=api://xxxx--<WEB API 1>.default%20openid%20profile&client_id=<Application (client) ID>&redirect_uri=<ApplicationURL>&state=xxxx&nonce=yyyy&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=msal&login_hint=mytestaccount@mydomain.com&client-request-id=yyyyyy&prompt=none&response_mode=fragment

这是收到的id_token:

{
  "aud": "<Application (client) ID>",
  "iss": "https://login.microsoftonline.com/<tenantid>/v2.0",
  "iat": 1620380572,
  "nbf": 1620380572,
  "exp": 1620384472,
  "aio": "AWQAm/8TAAAAIVowa1CNNUEB/tB/OcgatUBo9SzDJch09USynyiE+S+be6xkV9TczjRol4Td0czWrdsrzoqDBHUQxbAcnPT90InTNwLfYeHon5Vvk6eFsn2omrgpYlCj90QIXtIoduhd",
  "email": "mytestaccount@mydomain.com",
  "name": "mytestaccount, mytestaccount",
  "nonce": "078bca2a-35ef-457d-96d8-92db7ac3d106",
  "oid": "96035811-49f6-4246-923f-4edba4555e14",
  "preferred_username": "mytestaccount@mydomain.com",
  "rh": "0.ASYA8UXaNizdH02vE1q-RrmZIYsBYTzBse5Co7kY9CZdWDcmALA.",
  "sub": "BAc2RwnOjKjv8vxtS0zOSQ0kgQ74zEvWJDmWnMoWdyM",
  "tid": "36da45f1-dd2c-4d1f-af13-5abe46b99921",
  "uti": "8r7u-zYcr0GSNUdl4STUAQ",
  "ver": "2.0"
}

访问WEB的访问令牌API1:

{
  "aud": "api://xxxx--<WEB API 1>",
  "iss": "https://sts.windows.net/36da45f1-dd2c-4d1f-af13-5abe46b99921/",
  "iat": 1620380574,
  "nbf": 1620380574,
  "exp": 1620384474,
  "acr": "1",
  "aio": "AVQAq/8TAAAAoi/awR8N8P1eapXNZfcGKhsy9uKyL6qv77raeIKYLOyZjXtsVKXMELCu+qZvKJtSaYm/nemvyUPc2OvJiPrvwpwrteqSU1iYM5C4xfPTxHo=",
  "amr": [
    "pwd",
    "rsa",
    "mfa"
  ],
  "appid": "<Application (client) ID>",
  "appidacr": "0",
  "deviceid": "b55e39a3-f492-4679-83e2-53fcd024beba",
  "email": "mytestaccount@mydomain.com",
  "family_name": "mytestaccount",
  "given_name": "mytestaccount",
  "ipaddr": "xx.xx.xx.xx",
  "name": "mytestaccount, mytestaccount",
  "oid": "96035811-49f6-4246-923f-4edba4555e14",
  "onprem_sid": "S-1-5-21-238447276-1040861923-1850952788-976396",
  "rh": "0.ASYA8UXaNizdH02vE1q-RrmZIYsBYTzBse5Co7kY9CZdWDcmALA.",
  "scp": "user_impersonation",
  "sub": "F5atxEe7z2ooojdNoFhaAG_Xs2SBnnkYKJ4yCCWT1HA",
  "tid": "36da45f1-dd2c-4d1f-af13-5abe46b99921",
  "unique_name": "mytestaccount@mydomain.com",
  "upn": "mytestaccount@mydomain.com",
  "uti": "ll2WpznLGEq23DrUk4eoAQ",
  "ver": "1.0"
}

我可以获得 api 1 和 api 2 的访问令牌。这是我的测试过程:

首先,我公开了api1的api,并添加了客户端应用程序

接下来使用隐式流程获取中间层的access tokenapi 1.请求id tokenaccess token 在浏览器中。

https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/authorize?
client_id={client_id}
&response_type=id_token token
&redirect_uri={redirect_uri}
&scope=openid api://{api 1 client id}/user_impersonation
&response_mode=fragment
&state=12345
&nonce=678910

解析api1.

的访问令牌

接下来,公开api2的api,添加api1作为客户端应用

最后用OBO flow获取api2的access token(注意:assertion参数是api1的access token)。

解析api2.

的访问令牌