Azure AD - missing roles claim in app-only tokens


Problem description

When I try to get an app-only token from the nodejs backend server as described here, sometimes the roles claim is missing in the token, which leads to an Authorization_IdentityNotFound or Authorization_RequestDenied error.

I created a function to get an app-only token, which calls the /token endpoint until the roles claim is available in the retrieved token.

Here is the function:

import fetch from "node-fetch";
import * as jws from "jws";

// Encode the POST parameters as application/x-www-form-urlencoded
function form(params: Record<string, string | undefined>): string {
  const body = new URLSearchParams();
  for (const [key, value] of Object.entries(params)) {
    if (value !== undefined) {
      body.append(key, value);
    }
  }
  return body.toString();
}

// Resolve after ms milliseconds
function asyncWait(ms: number): Promise<void> {
  return new Promise((resolve) => setTimeout(resolve, ms));
}

async function getApplicationTokenByTenant(tenantId: string): Promise<any> {
  // post param
  const params = {
    client_id: process.env.APP_ID,
    client_secret: process.env.APP_SECRET,
    grant_type: "client_credentials",
    scope: "https://graph.microsoft.com/.default"
  };

  let expectedRes: any = null;
  let retryCount = 0;
  // try to get token for max 4 times
  while (!expectedRes && retryCount < 4) {
    console.log(`Try:${retryCount + 1}`);
    // call api
    const res = await fetch(
      `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`,
      {
        method: "POST",
        body: form(params),
        headers: {
          Accept: "application/json",
          "Content-Type": "application/x-www-form-urlencoded"
        }
      }
    );

    if (res.status !== 200) {
      // the token endpoint returned an OAuth error body; surface it to the caller
      const exception = await res.json();
      throw exception;
    }

    const response = await res.json();

    // Decode token without verifying the signature: we only inspect the claims of
    // a token we requested ourselves; Microsoft Graph is the party that validates it.
    // jws.decode returns { header, payload, signature } (or null for a malformed
    // token); { json: true } parses the payload into an object.
    const decodedToken = jws.decode(response.access_token, { json: true }) as any;
    const claims = decodedToken ? decodedToken.payload : null;
    console.log("decodedToken");
    console.log(claims);

    // check if "roles" exist in token
    if (!claims || !claims.roles) {
      // if not wait for 3 seconds before retry
      await asyncWait(3000);
      retryCount++;
    } else {
      // got token having roles claim
      expectedRes = response;
    }
  }
  if (!expectedRes) {
    // did not get expected response after max retry
    throw new Error("Unable to get app token with roles");
  }
  return expectedRes;
}

Here is the response:

Try:1

{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/8xxxxxxx-6xxx-4xxx-8xxx-exxxxxxxxxxx/",
  "iat": 1544945058,
  "nbf": 1544945058,
  "exp": 1544948958,
  "aio": "42RgYAhLEHI9n/8xtk896Mfyc2cWAwA=",
  "app_displayname": "Dev Bot",
  "appid": "axxxxxxx-1xxx-4xxx-8bc6-bxxxxxxxxxxx",
  "appidacr": "1",
  "idp": "https://sts.windows.net/8xxxxxxx-6xxx-4xxx-8xxx-exxxxxxxxxxx/",
  "oid": "7xxxxxxx-6xxxx-4xxxx-a94f-cxxxxxxxxxxx",
  "sub": "7xxxxxxx-6xxxx-4xxxx-a94f-cxxxxxxxxxxx",
  "tid": "8xxxxxxx-6xxx-4xxx-8xxx-exxxxxxxxxxx",
  "uti": "qrPy3iOYp0emoAWhGI6oAA",
  "ver": "1.0",
  "xms_tcdt": 1540903121
}

Try:2

{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/8xxxxxxx-6xxx-4xxx-8xxx-exxxxxxxxxxx/",
  "iat": 1544945062,
  "nbf": 1544945062,
  "exp": 1544948962,
  "aio": "42RgYGBJfLUkMmfnZgFrhl8lThs0AQ==",
  "app_displayname": "Dev Bot",
  "appid": "axxxxxxx-1xxx-4xxx-8bc6-bxxxxxxxxxxx",
  "appidacr": "1",
  "idp": "https://sts.windows.net/8xxxxxxx-6xxx-4xxx-8xxx-exxxxxxxxxxx/",
  "oid": "7xxxxxxx-6xxxx-4xxxx-a94f-cxxxxxxxxxxx",
  "sub": "7xxxxxxx-6xxxx-4xxxx-a94f-cxxxxxxxxxxx",
  "tid": "8xxxxxxx-6xxx-4xxx-8xxx-exxxxxxxxxxx",
  "uti": "cGcY4Mdbyk6BkZlOjVSfAA",
  "ver": "1.0",
  "xms_tcdt": 1540903121
}

Try:3

{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/8xxxxxxx-6xxx-4xxx-8xxx-exxxxxxxxxxx/",
  "iat": 1544945070,
  "nbf": 1544945070,
  "exp": 1544948970,
  "aio": "42RgYFgQlXKE/SWHGP+115sO7D/yAwA=",
  "app_displayname": "Dev Bot",
  "appid": "axxxxxxx-1xxx-4xxx-8bc6-bxxxxxxxxxxx",
  "appidacr": "1",
  "idp": "https://sts.windows.net/8xxxxxxx-6xxx-4xxx-8xxx-exxxxxxxxxxx/",
  "oid": "7xxxxxxx-6xxxx-4xxxx-a94f-cxxxxxxxxxxx",
  "roles": [
    "Mail.ReadWrite",
    "Group.ReadWrite.All",
    "Files.ReadWrite.All",
    "Directory.Read.All",
    "Mail.Read"
  ],
  "sub": "7xxxxxxx-6xxxx-4xxxx-a94f-cxxxxxxxxxxx",
  "tid": "8xxxxxxx-6xxx-4xxx-8xxx-exxxxxxxxxxx",
  "uti": "CMiI-hcLlUCpqO6z70ukAA",
  "ver": "1.0",
  "xms_tcdt": 1540903121
}

As shown in the response, I am getting the expected token (having the roles claim) on the third try. Any reason why this is not working on the first try?
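The check behind the retry loop above, as an added example that is not code from the original post: it decodes the payload segment of an app-only access token with Node built-ins only, reports which required application permissions are absent from the `roles` claim, and generalises the poll-until-present logic into a reusable function that takes any token-fetching callback. The `fetchToken` callback, the `firstTokenWithRoles` and `acquireTokenWithRoles` names and the sample tokens (unsigned, with a placeholder signature and made-up tenant and app ids) are all constructed for this example.

```typescript
// Added example, not code from the original post. Inspect an Azure AD app-only
// access token for the application permissions ("roles") a Graph call needs,
// and poll the token endpoint until they are present.

interface AppOnlyClaims {
  aud?: string;
  tid?: string;
  appid?: string;
  roles?: string[];
}

// Decode the payload of a compact JWS without verifying the signature. This is
// only for inspecting a token we requested for Microsoft Graph; Graph itself
// validates it. Never use an unverified decode to authenticate incoming callers.
function decodeJwtPayload(token: string): AppOnlyClaims {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error("not a compact-serialised JWT");
  }
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Required application permissions that the token does not carry.
function missingRoles(claims: AppOnlyClaims, required: string[]): string[] {
  const granted = new Set(claims.roles ?? []);
  return required.filter((r) => !granted.has(r));
}

// Synchronous core of the retry: walk a sequence of token responses and return
// the first one that satisfies the requirement (attempt numbers start at 1).
function firstTokenWithRoles(
  tokens: string[],
  required: string[]
): { attempt: number; token: string } | null {
  for (let i = 0; i < tokens.length; i++) {
    if (missingRoles(decodeJwtPayload(tokens[i]), required).length === 0) {
      return { attempt: i + 1, token: tokens[i] };
    }
  }
  return null;
}

// Production wrapper: fetchToken (hypothetical callback) performs the
// client_credentials request and returns the raw access_token string.
async function acquireTokenWithRoles(
  fetchToken: () => Promise<string>,
  required: string[],
  maxAttempts = 4,
  delayMs = 3000
): Promise<string> {
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const token = await fetchToken();
    const missing = missingRoles(decodeJwtPayload(token), required);
    if (missing.length === 0) {
      return token;
    }
    console.log(`Try:${attempt} missing roles: ${missing.join(", ")}`);
    if (attempt < maxAttempts) {
      await new Promise((resolve) => setTimeout(resolve, delayMs));
    }
  }
  throw new Error(`roles ${required.join(",")} not present after ${maxAttempts} attempts`);
}

// --- constructed sample tokens: unsigned, "sig" is a placeholder signature ---
function base64url(obj: unknown): string {
  return Buffer.from(JSON.stringify(obj))
    .toString("base64")
    .replace(/\+/g, "-")
    .replace(/\//g, "_")
    .replace(/=+$/, "");
}

function buildSampleToken(claims: AppOnlyClaims): string {
  return `${base64url({ typ: "JWT", alg: "RS256" })}.${base64url(claims)}.sig`;
}

const commonClaims: AppOnlyClaims = {
  aud: "https://graph.microsoft.com",
  tid: "00000000-0000-0000-0000-000000000000", // constructed tenant id
  appid: "11111111-1111-1111-1111-111111111111" // constructed app id
};
// Mirrors the first two responses on the page (no roles) and the third (roles present).
const TOKEN_WITHOUT_ROLES = buildSampleToken(commonClaims);
const TOKEN_WITH_ROLES = buildSampleToken({
  ...commonClaims,
  roles: ["Directory.Read.All", "Mail.Read"]
});

console.log(firstTokenWithRoles(
  [TOKEN_WITHOUT_ROLES, TOKEN_WITHOUT_ROLES, TOKEN_WITH_ROLES],
  ["Directory.Read.All"]
)?.attempt); // 3, matching the "third try" seen on the page
```

Checking for the specific permission the next Graph call needs, rather than for the mere presence of `roles`, lets the backend fail with a message that names the missing permission instead of the generic Authorization_RequestDenied from Graph, which is also the value worth logging when diagnosing consent propagation delays.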

Recommended answer

On my side, I tried the admin consent in the portal and the URL request for admin consent, and then got the app-only token immediately, with the roles included in the token. As far as I know, updating the permissions may need time to take effect.
