I am developing an ASP.NET Core 2 application using Identity and Sustainsys.Saml2 (for SAML). I have done the necessary configuration in the Startup.cs file. Now, when I run the project and try to log in with SAML2 (as an external login), I get the following error after entering the credentials:
SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. Audiences: 'PII is hidden'. Did not match: validationParameters.ValidAudience: 'PII is hidden' or validationParameters.ValidAudiences: 'PII is hidden'.
Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)
Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateConditions(Saml2SecurityToken samlToken, TokenValidationParameters validationParameters)
Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateToken(string token, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
Sustainsys.Saml2.Saml2P.Saml2Response+d__60.MoveNext()
System.Collections.Generic.List..ctor(IEnumerable collection) validationParameters(source)
Sustainsys.Saml2.Saml2P.Saml2Response.GetClaims(IOptions options,
Sustainsys.Saml2.WebSso.AcsCommand.ProcessResponse(IOptions options, Saml2Response samlResponse, StoredRequestState storedRequestState)
Sustainsys.Saml2.AspNetCore2.Saml2Handler+d__12.MoveNext()
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
Microsoft.AspNetCore.Authentication.AuthenticationMiddleware+d__6.MoveNext()
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore.MigrationsEndPointMiddleware+d__4.MoveNext()
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore.DatabaseErrorPageMiddleware+d__6.MoveNext()
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore.DatabaseErrorPageMiddleware+d__6.MoveNext()
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware+d__7.MoveNext()
I don't understand what this means. Am I missing something?
Here is what I have in my startup file:
services.AddAuthentication()
    .AddSaml2(options =>
    {
        var spOptions = new SPOptions
        {
            EntityId = new EntityId("https://localhost:44373/Saml2"),
            ReturnUrl = new Uri("https://localhost:44373"),
            MinIncomingSigningAlgorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
        };
        options.SPOptions = spOptions;
        options.IdentityProviders.Add(new IdentityProvider(new EntityId("https://www.example.com/SSO/SAML/App"), options.SPOptions)
        {
            AllowUnsolicitedAuthnResponse = false,
            MetadataLocation = "https://www.example.com/SSO/SAMLMetadata/App",
            LoadMetadata = true,
        });
    });
Thanks in advance...
Posted on 2018-10-16 20:06:53
As far as I know, this error clearly indicates that the audience in the SAML token differs from the value in your startup configuration. Comparing those values may help. Sometimes validation fails because the comparison is case-sensitive, so you should pay attention to the casing of your audience in both the token and the configuration.
According to the source code (Saml2Response), and as Anders Abel pointed out, the ValidAudience property is initialized from the SPOptions.EntityId you configure here:
var spOptions = new SPOptions
{
    EntityId = new EntityId("https://localhost:44373/Saml2"),
    ReturnUrl = new Uri("https://localhost:44373"),
    MinIncomingSigningAlgorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
};
So you should compare the configured EntityId with the value in the SAML response, which may look like this:
<saml:Audience>The value here should be the same as in your startup configuration</saml:Audience>
Posted on 2020-12-27 23:22:47
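The check this answer describes, as an added example that is not part of the answer or of Sustainsys.Saml2: it pulls every saml:Audience value out of a SAML response (a constructed sample is embedded) and compares it with the SPOptions.EntityId using the same ordinal, case-sensitive comparison that Microsoft.IdentityModel's audience validator applies, so a casing or path difference shows up before the handler throws IDX10214. Only the System.Xml.Linq namespace is needed; the class and method names are this example's own.

```csharp
// Added example (not from the original answer): extract <saml:Audience> values from a SAML
// response and compare them with the configured SP EntityId the way the token validator does.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

public static class SamlAudienceCheck
{
    static readonly XNamespace Saml = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Every Audience under Assertion/Conditions/AudienceRestriction, whitespace trimmed.
    public static IReadOnlyList<string> ExtractAudiences(string responseXml)
    {
        var doc = XDocument.Parse(responseXml);
        return doc.Descendants(Saml + "AudienceRestriction")
                  .Elements(Saml + "Audience")
                  .Select(a => a.Value.Trim())
                  .ToList();
    }

    // Ordinal comparison, as Microsoft.IdentityModel.Tokens.Validators.ValidateAudience uses:
    // "https://localhost:44373/Saml2" and "https://localhost:44373/saml2" are different audiences.
    public static bool AudienceMatches(IEnumerable<string> audiences, string configuredEntityId)
        => audiences.Any(a => string.Equals(a, configuredEntityId, StringComparison.Ordinal));

    public static void Main()
    {
        // Constructed sample response: the IdP issued the assertion for a lower-case path.
        const string sample = @"<samlp:Response xmlns:samlp=""urn:oasis:names:tc:SAML:2.0:protocol"" xmlns:saml=""urn:oasis:names:tc:SAML:2.0:assertion"">
  <saml:Assertion>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://localhost:44373/saml2</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>";

        // The value from SPOptions.EntityId in the question's Startup.cs.
        const string configuredEntityId = "https://localhost:44373/Saml2";

        var audiences = ExtractAudiences(sample);
        Console.WriteLine("Audiences in response: " + string.Join(", ", audiences));
        Console.WriteLine("Configured EntityId:   " + configuredEntityId);
        Console.WriteLine(AudienceMatches(audiences, configuredEntityId)
            ? "OK: audience matches EntityId"
            : "MISMATCH: IDX10214 will be raised; register exactly the SPOptions.EntityId value at the IdP (comparison is case-sensitive)");
    }
}
```

With the constructed sample the program reports a mismatch, because the response carries "/saml2" while the configuration says "/Saml2"; paste the real response (decoded from the SAMLResponse form field, or taken from the Sustainsys.Saml2 trace log) in place of the sample to check a live setup.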
IDX10214: If you are using Microsoft.Identity.Web version 1.4.1 or similar and get this exception, check this part (copied literally; you must change the log level in appsettings.json to see this output):
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[1]
Failed to validate the token.
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. Audiences: 'System.String'. Did not match: validationParameters.ValidAudience: 'System.String' or validationParameters.ValidAudiences: 'System.String'.
at Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable`1 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)
at Microsoft.Identity.Web.Resource.RegisterValidAudience.ValidateAudience(IEnumerable`1 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)
at Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable`1 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateAudience(IEnumerable`1 audiences, JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
It would be even more helpful to know what those System.String values are, whether you are using a GUID or something memorable and readable.
Essentially, you must add the Audience property to appsettings.json, and it must equal the Application ID URI in the Azure portal. I had no luck hacking the ClientId to match the Application ID URI. This is not the final solution - AFAIK, it must still equal the Application (client) ID in the Azure portal, i.e. the GUID without any prefix or suffix.
Posted on 2021-11-30 22:59:05
In my case, the issuer and audience of the JwtSecurityToken were ignored. In the derived class UserService: IUserService, I defined the issuer and audience variables in the function generateJwtToken. They must match the ValidIssuer and ValidAudience variables in startup.cs. See (https://dotnetcoretutorials.com/2020/01/15/creating-and-validating-jwt-tokens-in-asp-net-core/).
Quote:
The Issuer and Audience are funny things because realistically, you probably won’t have a lot of use for them. Issuer is “who” created this token, for example your website, and Audience is “who” the token is supposed to be read by. So a good example might be that when a user logs in, your authentication api (auth.mywebsite.com) would be the issuer, but your general purposes API is the expected audience (api.mywebsite.com). These are actually free text fields so they don’t have to be anything in particular, but later on when we validate the issuer/audience, we will need to know what they are.
public class UserService : IUserService
{
    private string generateJwtToken(long userId)
    {
        var secretKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_appSettings.Secret));
        var signinCredentials = new SigningCredentials(secretKey, SecurityAlgorithms.HmacSha256);
        var tokenOptions = new JwtSecurityToken(
            issuer: "http://localhost:5000",
            audience: "http://localhost:5000",
            claims: new List<Claim> {
                new Claim(ClaimTypes.Name, userId.ToString()),
                new Claim(ClaimTypes.Role, "Operator")
            },
            expires: DateTime.UtcNow.AddDays(7),
            signingCredentials: signinCredentials
        );
        var tokenString = new JwtSecurityTokenHandler().WriteToken(tokenOptions);
        return tokenString;
    }
}
startup.cs
public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication(opt =>
    {
        opt.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        opt.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    .AddJwtBearer(opt =>
    {
        opt.RequireHttpsMetadata = false;
        opt.SaveToken = true;
        opt.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            IssuerSigningKey = new SymmetricSecurityKey(key),
            ValidIssuer = "http://localhost:5000",
            ValidAudience = "http://localhost:5000"
        };
    });
}
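The issuer/audience pairing this answer relies on, as an added example that is not the answerer's code: a console program mints a JWT the way generateJwtToken does and then validates it with the same TokenValidationParameters the startup registers, so the IDX10214 audience failure (and the corresponding issuer failure) can be reproduced and checked offline without running the web host. The secret, the "http://api.mywebsite.com" and "http://other:5000" values, and the class and method names are constructed for this example; the System.IdentityModel.Tokens.Jwt NuGet package is assumed.

```csharp
// Added example (not from the original answer): issue a JWT and validate it with the
// answer's TokenValidationParameters to show which mismatches produce IDX10214.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class JwtAudienceDemo
{
    // Constructed secret for the demo only; a real deployment loads it from configuration.
    const string Secret = "demo-secret-at-least-32-bytes-long-for-hs256!!";
    const string Issuer = "http://localhost:5000";
    const string Audience = "http://localhost:5000";

    // Same shape as generateJwtToken in the answer, with issuer/audience as parameters.
    public static string Issue(string issuer, string audience)
    {
        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Secret));
        var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
        var token = new JwtSecurityToken(
            issuer: issuer,
            audience: audience,
            claims: new List<Claim> { new Claim(ClaimTypes.Name, "42") },
            expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: creds);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Same parameters as the AddJwtBearer configuration in the answer.
    public static TokenValidationParameters ValidationParameters() => new TokenValidationParameters
    {
        ValidateIssuerSigningKey = true,
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidateLifetime = true,
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Secret)),
        ValidIssuer = Issuer,
        ValidAudience = Audience,
    };

    // Returns null when the token validates, otherwise the exception the JwtBearer log would show.
    public static string Validate(string jwt)
    {
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(jwt, ValidationParameters(), out _);
            return null;
        }
        catch (SecurityTokenException ex)
        {
            return ex.GetType().Name + ": " + ex.Message;
        }
    }

    public static void Main()
    {
        Console.WriteLine("matching iss/aud: " + (Validate(Issue(Issuer, Audience)) ?? "valid"));
        // A token minted for another audience is rejected with
        // SecurityTokenInvalidAudienceException (IDX10214), exactly the error in the question.
        Console.WriteLine("wrong aud:        " + Validate(Issue(Issuer, "http://api.mywebsite.com")));
        // A wrong issuer fails the same way with SecurityTokenInvalidIssuerException (IDX10205).
        Console.WriteLine("wrong iss:        " + Validate(Issue("http://other:5000", Audience)));
    }
}
```

Keeping ValidateAudience and ValidateIssuer set to true is the point: disabling them makes the error go away but lets a token issued by any party, for any service, authenticate against this API. The fix is to make the minted values and the validation parameters agree, ideally by reading both from the same configuration entry.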
https://stackoverflow.com/questions/52843166