Working Bot Framework Bot as an Azure Web App suddenly with no configuration changes hitting SecurityTokenSignatureKeyNotFoundException: IDX10501
I have been training myself to build a bot that integrates with MS Teams.
I followed the tutorial and built a simple echo bot, and went further using the Visual Studio 2019 plugin, for Bot Framework version 4 on top of .Net Core 3.1.
A week ago I had two working bots that use the framework and perform very simple tasks.
Both bots are deployed as Azure Web Apps - I can type something in Teams chat and the bot echoes something back. All good.
Today, after about 24 hours away from my project, the same chat in the same Teams instance, trying to use the same web apps and passing the same credentials (app ID and app password), just stopped working. From the logs I can see that the category named Microsoft.AspNetCore.Server.IIS.Core.IISHttpServer detected an unhandled exception with event ID ApplicationError and log message: Connection ID "15924728283992716557", Request ID "8000750e-0000-dd00-b63f-84710c7967bb": An unhandled exception was thrown by the application.
The exception itself is as follows:
Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match key:
kid: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
Exceptions caught:
'[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
token: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
at Microsoft.Bot.Connector.Authentication.JwtTokenExtractor.ValidateTokenAsync(String jwtToken, String channelId, String[] requiredEndorsements)
at Microsoft.Bot.Connector.Authentication.JwtTokenExtractor.GetIdentityAsync(String scheme, String parameter, String channelId, String[] requiredEndorsements)
at Microsoft.Bot.Connector.Authentication.JwtTokenExtractor.GetIdentityAsync(String authorizationHeader, String channelId, String[] requiredEndorsements)
at Microsoft.Bot.Connector.Authentication.ChannelValidation.AuthenticateChannelToken(String authHeader, ICredentialProvider credentials, HttpClient httpClient, String channelId, AuthenticationConfiguration authConfig)
at Microsoft.Bot.Connector.Authentication.ChannelValidation.AuthenticateChannelToken(String authHeader, ICredentialProvider credentials, String serviceUrl, HttpClient httpClient, String channelId, AuthenticationConfiguration authConfig)
at Microsoft.Bot.Connector.Authentication.JwtTokenValidation.AuthenticateTokenAsync(String authHeader, ICredentialProvider credentials, IChannelProvider channelProvider, String channelId, AuthenticationConfiguration authConfig, String serviceUrl, HttpClient httpClient)
at Microsoft.Bot.Connector.Authentication.JwtTokenValidation.ValidateAuthHeader(String authHeader, ICredentialProvider credentials, IChannelProvider channelProvider, String channelId, AuthenticationConfiguration authConfig, String serviceUrl, HttpClient httpClient)
at Microsoft.Bot.Connector.Authentication.JwtTokenValidation.AuthenticateRequest(IActivity activity, String authHeader, ICredentialProvider credentials, IChannelProvider provider, AuthenticationConfiguration authConfig, HttpClient httpClient)
at Microsoft.Bot.Builder.BotFrameworkAdapter.ProcessActivityAsync(String authHeader, Activity activity, BotCallbackHandler callback, CancellationToken cancellationToken)
at Microsoft.Bot.Builder.Integration.AspNet.Core.BotFrameworkHttpAdapter.ProcessAsync(HttpRequest httpRequest, HttpResponse httpResponse, IBot bot, CancellationToken cancellationToken)
at EchoBot1.Controllers.BotController.PostAsync() in C:\Ops\Development\Users\Stephan\EchoBot1\EchoBot1\Controllers\BotController.cs:line 34
at lambda_method(Closure , Object )
at Microsoft.Extensions.Internal.ObjectMethodExecutorAwaitable.Awaiter.GetResult()
at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.AwaitableResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask`1 actionResultValueTask)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeInnerFilterAsync>g__Awaited|13_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeFilterPipelineAsync>g__Awaited|19_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Logged|17_1(ResourceInvoker invoker)
at Microsoft.AspNetCore.Routing.EndpointMiddleware.<Invoke>g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger)
at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Server.IIS.Core.IISHttpContextOfT`1.ProcessRequestAsync()
Every entry in that stack trace is part of the Asp.Net Core framework or the Bot Framework. The only exception is the entry:
at EchoBot1.Controllers.BotController.PostAsync() in C:\Ops\Development\Users\Stephan\EchoBot1\EchoBot1\Controllers\BotController.cs:line 34
Unsurprisingly, the code at line 34 in my controller is:
[HttpPost, HttpGet]
public async Task PostAsync()
{
// Delegate the processing of the HTTP POST to the adapter.
// The adapter will invoke the bot.
await Adapter.ProcessAsync(Request, Response, Bot); // LINE 34 - EXCEPTION HERE
}
This code is exactly what Visual Studio scaffolds when using Bot Framework v4.
This is a bit disappointing, because my understanding was that one of the main benefits of the Bot Framework is that it provides the necessary security handshake, but when it doesn't work I have absolutely no idea how to even begin debugging this.
I'd appreciate any experience with the process of tracking down the problem, or from anyone else who has run into this. Thanks.
============ EDIT - adding additional information that was originally hidden =============
In the exception I quoted in the original question, various elements were masked in line with Microsoft's GDPR policy. I "cleared" them following the instructions here: https://aka.ms/IdentityModel/PII
With that, I got this additional information, which indicates that there were no exceptions during processing other than the failure to match the security key against the hash. (I have confirmed that it is correct.)
Here is the additional information, just with a little manual obscuring on my part:
Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match key:
kid: 'KeyIHaveObsuredPresumablyFailsToMatchHash'.
Exceptions caught:
''.
token: '{"alg":"RS256","kid":"KeyIHaveObsuredPresumablyFailsToMatchHash","typ":"JWT","x5t":"KeyIHaveObsuredPresumablyFailsToMatchHash"}.{"serviceurl":"https://smba.trafficmanager.net/amer/","nbf":1628123535,"exp":1628127135,"iss":"https://api.botframework.com","aud":"CorrectAppIdGuid"}'.
.... And Stack Trace as before ....
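An added diagnostic, not code from the question or from the Bot Framework SDK, that reproduces offline the check behind IDX10501: it decodes the token header and claims exactly as the unmasked exception above prints them, then looks for the header's kid in a JWKS document of the kind served from the jwks_uri of the Bot Framework OpenID metadata (https://login.botframework.com/v1/.well-known/openidconfiguration, the SDK's channel metadata URL). The sample JWKS, the dummy signature and the helper names are constructed for this example; the issuer and claim names are the ones shown in the token above, and nothing here verifies the signature bytes.

```python
import base64
import json
import time

BOT_FRAMEWORK_ISSUER = "https://api.botframework.com"  # 'iss' seen in the question's token

# Constructed sample JWKS, shaped like the key set behind the metadata's jwks_uri.
# Neither kid matches the question's token, which is exactly the IDX10501 condition.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "key-A", "e": "AQAB", "n": "(omitted)"},
                        {"kty": "RSA", "use": "sig", "kid": "key-B", "e": "AQAB", "n": "(omitted)"}]}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_demo_token(header: dict, claims: dict) -> str:
    """Assemble a JWT-shaped string for offline testing; the signature segment is a dummy."""
    segs = [b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)]
    return ".".join(segs + [b64url_encode(b"not-a-real-signature")])


def peek(token: str) -> tuple:
    """Decode header and claims WITHOUT verifying the signature. Diagnostics only:
    nothing returned here may be trusted for an authorization decision."""
    header_b64, claims_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(claims_b64))


def diagnose(token: str, jwks: dict, expected_aud: str, now: int = None) -> list:
    """Explain why Bot Framework channel-token validation would reject this token.
    Returns [] when every metadata-level check passes (signature still unverified)."""
    header, claims = peek(token)
    now = int(time.time()) if now is None else now
    findings = []
    known_kids = sorted(k.get("kid") for k in jwks.get("keys", []))
    if header.get("kid") not in known_kids:
        # What Microsoft.IdentityModel reports as IDX10501: no key in the published
        # key set carries the kid named in the token header.
        findings.append(f"kid {header.get('kid')!r} not found in JWKS; published kids: {known_kids}")
    if claims.get("iss") != BOT_FRAMEWORK_ISSUER:
        findings.append(f"unexpected issuer {claims.get('iss')!r}")
    if claims.get("aud") != expected_aud:
        findings.append(f"aud {claims.get('aud')!r} is not this bot's App ID")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        findings.append("token is outside its nbf/exp validity window")
    return findings
```

Run against a JWKS fetched from the live jwks_uri, an empty or mismatching `findings[0]` for the kid is the fast way to tell "the key set lost my key" (the outage described in the answers) from a genuinely forged or mis-addressed token.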
I ran into the same error today and spent quite a bit of time looking at what was going on. I have now tried restarting my App Service and the bot has started working!
Cheers!
Further update from Microsoft, 20 August 2021
Not a very satisfying answer, but I suspect it's all I'm going to get:
The issue occurred because of a configuration change which was made internally pertaining to the endpoints which has the public keys. This caused the keys to be missing from the well-known keys storage. But this has been fixed now and proper steps have been taken to ensure that the existing keys remain un-impacted.
Also...
Normally outage information regarding azure resources are published in the status link I have shared earlier. So in future, if in general some major issue happens owing to which resources are down we can expect it to be updated there.
Finally, w.r.t. defensive programming:
Pertaining to this specific error, any exception handling might not solve the issue , max it can identify the issue. Reason is this was for some configuration change in the storage.
Microsoft update, 9 August 2021:
Microsoft have acknowledged this as an infrastructure error on their end due to missing security keys. They are still doing root cause analysis. I have asked for a copy, and also asked some other questions about frequency, expectations, status and defensive programming. I will post more notes if I get it.
Original answer, 5 August 2021:
As per the previous answer and the kind comments on the original post, the issue resolved itself today. It affected both my apps/bots - one cleared itself entirely, the other cleared after I restarted the App Service (again). To be clear, before first posting this question about 14 hours ago I had restarted the App Service several times (and even redeployed). But now everything is back to normal.