Azure AKS 集群 API AuthenticationFailed 错误

Question

我需要以编程方式获取用户 AKS 集群，但是

我在执行这个请求时遇到问题 https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.ContainerService/managedClusters?api-version=2018-03-31

Headers : 授权：不记名 {JWT}

我明白了

{
    "error": {
        "code": "AuthenticationFailed",
        "message": "Authentication failed."
    }
}

我如何检索这个 JWT 令牌

我使用这个流程https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scenarios#web-application-to-web-api来实现

1. 我用它https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-openid-connect-code获取代码
2. 在我尝试检索访问令牌之后 https://login.microsoftonline.com/{tenant-id}/oauth2/token Headers :

grant_type : authorization_code
client_id : {myapp-id}
代码：{从第 1 步中检索}
client_secret : {myapp-key}
资源：https://graph.microsoft.com

结果我得到了带有负载的 JWT 令牌

{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/ee3f07b0-0b4f-4929-acb0-643894a174fa/",
  "iat": 1533214682,
  "nbf": 1533214682,
  "exp": 1533218582,
  "acct": 0,
  "acr": "1",
  "amr": [
    "pwd"
  ],
  "app_displayname": "SinglePageApp-jQuery-DotNet",
  "appidacr": "1",
  "ipaddr": "193.243.159.58",
  "name": "Pasha Kostohrys",
  "platf": "3",
  "puid": "1003BFFDAC20BE5D",
  "scp": "Directory.AccessAsUser.All Directory.Read.All Directory.ReadWrite.All Group.Read.All Group.ReadWrite.All Member.Read.Hidden User.Read User.Read.All User.ReadBasic.All",
  "ver": "1.0",
  "wids": [
    "62e90394-69f5-4237-9190-012177145e10"
  ]
}

Answer 1

您检索到的不记名令牌的受众是https://graph.microsoft.com/，但您请求的API的受众是https://management.core.windows.net/。

我认为你应该使用 resource : https://management.core.windows.net/ 来获取不记名令牌，它会起作用。