我正在尝试构建一个具有SPA UI和Web API的应用程序,该应用程序使用Jwt Bearer令牌进行访问控制。我可以验证用户并将Bearer令牌发送到Web请求,但是当我这样做时,我会收到以下错误:
Bearer未经过身份验证。失败消息:IDX10500:签名验证失败。未提供安全密钥以验证签名。
我希望中间件使用在以下位置找到的密钥集:
https://login.microsoftonline.com/common/discovery/keys
但很明显我错过了什么。下面是我的启动代码片段,用于配置Bearer令牌。请问有谁能指出我的错误所在?
var clientId = Configuration["AzureAd:ClientId"];
var tenantId = Configuration["AzureAd:TenantId"];
var issuer = $"https://sts.windows.net/{tenantId}/";
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
options.RequireHttpsMetadata = false;
options.SaveToken = true;
options.Authority = "https://login.microsoftonline.com/common/";
options.TokenValidationParameters = new TokenValidationParameters()
{
ValidateIssuer = true,
ValidIssuer = issuer,
ValidateAudience = true,
ValidAudiences = new string[] { clientId },
ValidateLifetime = true
};
});