提取访问令牌和amp;时的Azure AD错误登录 [英] Azure AD error when fetching access token & login
问题描述
当我尝试获取其中一个API的访问密钥时出现错误. "AADSTS65001:用户或管理员未同意使用ID为'{GUID}'的应用程序
I got the error when I was trying to get an access key for one of our APIs. "AADSTS65001: The user or administrator has not consented to use the application with ID '{GUID}'
首先,我试图在登录时提示=同意,以为我拥有登录时未提示的新同意.而且我得到了以下错误. "AADSTS65005:应用程序'{GUID}'要求访问已删除或不再可用的资源的权限.请与应用程序供应商联系." 我删除了alert = consent,开始摆弄Azure中的权限,现在我陷入了同样的错误.
First of I was trying to prompt=consent during login, thinking that I had new consents that weren't prompted during login. And I got the following error. "AADSTS65005: The application '{GUID}' asked for permissions to access a resource that has been removed or is no longer available. Contact the app vendor." I removed prompt=consent and started fiddling with the permissions in Azure and now I was stuck on the same error.
我将所有内容恢复原样,但仍然出现错误,但是这仅在我的用户上发生.其他所有人仍然可以顺利登录.
I changed everything back as it was but I am still getting the error, however this only happens on my user. Everyone else can still login without problems.
所以我的问题实际上分为两部分:
So my problem is actually in two parts:
-
尝试获取API的访问令牌时的第一个错误. 我需要以某种方式提示用户同意,但我使用的是adal.js,它使用不可见的iframe对密钥进行静默检索.我希望得到用户登录Web应用程序的同意. 这可能吗?
The first error when trying to get access token for the API. Somehow I need to prompt the user with consent but I am using adal.js which uses a silent retrieval of the keys using an invisible iframe. I would like the consent to be when the user logs into the web app. Is this possible?
我的用户无法再登录到我们的Web应用程序.其他人都可以,以前有人遇到过吗?
My user can't log in to our web app anymore. Everyone else can, anyone encountered this before?
该产品是用React编写的SPA Web应用程序,我们使用adal.js(adal-vanilla)作为用于验证天蓝色广告的库.
The product is a SPA Web App written in React and we use adal.js (adal-vanilla) as a library for authentication to azure ad.
更新 终于有了一些工作.并非一直如此,但至少是一个开始.
Update Finally got some stuff working. Not all the way but atleast it's a start.
- 问题在于,在其他租户(这是一个多租户应用)上注册的用户未获得使用API的同意.这些用户得到错误.但是我在同一租户上注册了一个用户,并且一切都按预期进行.
- 通过删除所有权限并一个接一个地添加权限并在它们之间进行测试,解决了两个问题.经过两三遍尝试后,它以某种方式起作用.
现在的问题是来自其他租户的用户未获得同意提示来访问API.
The problem now is that users from other tenants don't get consent prompt to access the API.
推荐答案
以某种方式解决了该问题,我不确定100%如何或为什么解决此问题,但是如果有人发现自己处于类似状态,我将采取以下步骤修复该问题情况:
Somehow the issue got fixed, I'm not 100% sure how or why but here are the steps I performed to fix it if someone finds themselves in a similar situation:
- 确保所有权限都是正确的(将API作为委托权限添加到客户端)
- 所有服务(Web应用程序和API)都是多租户
- 更新清单:
"availableToOtherTenants": true,
"knownClientApplications": [
"{client app application id}"
],
(即使API在设置中被标记为多租户,availableToOtherTenants对于API也是错误的)
这篇关于提取访问令牌和amp;时的Azure AD错误登录的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
