I have a user-assigned managed identity configured at the Azure AD level. There is an Azure AD-protected REST API with AppRole: CustomRole. The managed identity has been assigned the permission CustomRole, type: Application.
I am trying to obtain an access token with ASP.NET Core 3.1 and the following code:
```csharp
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

public async Task<string> GetL10AccessTokenAsync()
{
    // Configuration key under which the REST API's ClientId is stored
    var token = await GetTokenUsingManagedIdentityAsync("<ClientId of the REST API>").ConfigureAwait(false);
    var accessToken = token.Token;
    return accessToken;
}

public async Task<AccessToken> GetTokenUsingManagedIdentityAsync(string azureServiceKey)
{
    var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
    {
        // User-assigned identity to use when running in Azure
        ManagedIdentityClientId = ConfigManager.Get(UserAssignedClientId),
        ExcludeEnvironmentCredential = true,
        ExcludeInteractiveBrowserCredential = true,
        ExcludeAzurePowerShellCredential = true,
        ExcludeSharedTokenCacheCredential = true,
        ExcludeVisualStudioCodeCredential = true,
        ExcludeVisualStudioCredential = false,   // kept enabled as the local-development fallback
        ExcludeAzureCliCredential = true,
        ExcludeManagedIdentityCredential = false
    });
    // Scope of the protected API, read from configuration
    var tokenRequestContext = new TokenRequestContext(new[] { ConfigManager.Get(azureServiceKey) });
    return await credential.GetTokenAsync(tokenRequestContext, default).ConfigureAwait(false);
}
```
When I run the code above from my local development environment with Visual Studio 2022 (Enterprise), I get the following error:
```json
{
"ErrorCode": 500,
"Message": "DefaultAzureCredential failed to retrieve a token from the included credentials. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/defaultazurecredential/troubleshoot\r\n- WorkloadIdentityCredential authentication unavailable. The workload options are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/workloadidentitycredential/troubleshoot\r\n- ManagedIdentityCredential authentication unavailable. Multiple attempts failed to obtain a token from the managed identity endpoint.\r\n- Process \"C:\\Program Files\\Microsoft Visual Studio\\2022\\Enterprise\\Common7\\IDE\\CommonExtensions\\Microsoft\\Asal\\TokenService\\Microsoft.Asal.TokenService.exe\" has failed with unexpected error: TS003: Error, TS004: Unable to get access token. 'WAM Error \r\n Error Code: 3399614476 \r\n Error Message: SubError: consent_required V2Error: invalid_grant AADSTS65001: The user or administrator has not consented to use the application with ID '04f0c124-f2bc-4f59-8241-bf6df9866bbd' named 'Visual Studio'. Send an interactive authorization request for this user and resource. Trace ID: 54bf2c95-47c4-46d6-a5e7-7fbe54812600 Correlation ID: 187a7568-4146-4ec2-a605-a808af9450a1 Timestamp: 2024-02-20 10:32:19Z \r\n Internal Error Code: 557973645 \r\n'.\r\n- Azure Developer CLI could not be found.",
"Type": "CredentialUnavailableException",
"StackTrace": " at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken)\r\n at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)\r\n at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)\r\n at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)\r\n at Azure.Identity.DefaultAzureCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)\r\n",
"InnerException": "Multiple exceptions were encountered while attempting to authenticate. (WorkloadIdentityCredential authentication unavailable. The workload options are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/workloadidentitycredential/troubleshoot) (ManagedIdentityCredential authentication unavailable. Multiple attempts failed to obtain a token from the managed identity endpoint.) (Process \"C:\\Program Files\\Microsoft Visual Studio\\2022\\Enterprise\\Common7\\IDE\\CommonExtensions\\Microsoft\\Asal\\TokenService\\Microsoft.Asal.TokenService.exe\" has failed with unexpected error: TS003: Error, TS004: Unable to get access token. 'WAM Error \r\n Error Code: 3399614476 \r\n Error Message: SubError: consent_required V2Error: invalid_grant AADSTS65001: The user or administrator has not consented to use the application with ID '04f0c124-f2bc-4f59-8241-bf6df9866bbd' named 'Visual Studio'. Send an interactive authorization request for this user and resource. Trace ID: xxxx-xxxx-xxxx-xxxx-xxxxxx Correlation ID: xxxxx-xxxxx-xxxx-xxxx-xxxxxxx Timestamp: xxxx-xx-xx yy:yy:yyy \r\n Internal Error Code: 557973645 \r\n'.) (Azure Developer CLI could not be found.)"
}
```
Can anyone help me with some guidance?
I have managed to figure out why the `DefaultAzureCredential` fallback to `VisualStudioCredential` keeps failing locally.

As the error describes:

> Error: invalid_grant AADSTS65001: The user or administrator has not consented to use the application with ID '04f0c124-f2bc-4f59-8241-bf6df9866bbd' named 'Visual Studio'

Visual Studio is actually a built-in Azure application, although it is not listed among the built-in applications, and searching the portal for the AppId (`04f0c124-f2bc-4f59-8241-bf6df9866bbd`) gives no hits. The application must be granted access to the Service Principal that `DefaultAzureCredential` delegates the local account to in Azure.

To allow your local account to obtain a token through `GetTokenAsync()` (`DefaultAzureCredential` -> `VisualStudioCredential`), go to Azure Portal -> Find the Service Principal -> Manage -> Expose an API -> Authorized client applications -> Click 'Add a client application' -> Enter '04f0c124-f2bc-4f59-8241-bf6df9866bbd'.

As far as I know, the ClientId `04f0c124-f2bc-4f59-8241-bf6df9866bbd` is global in Azure.
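The two credentials the question and answer are actually relying on (the user-assigned managed identity in Azure, the Visual Studio sign-in locally) can be chained explicitly instead of toggling `Exclude*` flags, which makes the failing source obvious. This is an added example, not code from the question or answer; the placeholder IDs, the `api://<client-id>/.default` scope form, and the AADSTS65001 check are assumptions for illustration:

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

public static class ApiTokenProvider
{
    // Placeholders (assumed): the user-assigned identity's client ID and the
    // client ID of the Azure AD-protected REST API from the question.
    private const string UserAssignedIdentityClientId = "<user-assigned-identity-client-id>";
    private const string ApiClientId = "<client-id-of-the-rest-api>";

    public static TokenCredential BuildCredential()
    {
        // In Azure: the user-assigned managed identity holding the CustomRole app role.
        // Locally: the account signed in to Visual Studio, which is why the Visual Studio
        // app ID must be listed as an authorized client application on the API.
        return new ChainedTokenCredential(
            new ManagedIdentityCredential(UserAssignedIdentityClientId),
            new VisualStudioCredential());
    }

    public static async Task<AccessToken> GetApiTokenAsync(CancellationToken ct = default)
    {
        // Tokens for an API's app roles are requested with its /.default scope.
        var scope = $"api://{ApiClientId}/.default";
        var credential = BuildCredential();
        try
        {
            return await credential.GetTokenAsync(new TokenRequestContext(new[] { scope }), ct)
                                   .ConfigureAwait(false);
        }
        catch (AuthenticationFailedException ex) when (ex.Message.Contains("AADSTS65001"))
        {
            // The consent gap from the answer: surface it as a clear, actionable error
            // instead of the generic 500 seen in the question.
            throw new InvalidOperationException(
                "The client application of the signed-in account is not authorized on the API. " +
                "Add it under Expose an API -> Authorized client applications.", ex);
        }
    }
}
```

Because `ChainedTokenCredential` tries sources in order, the managed identity is used when the app runs in Azure and `VisualStudioCredential` only when the managed identity endpoint is unavailable, as it is on a developer machine.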