Azure AD-缺少角色的仅应用令牌中的声明 [英] Azure AD - missing roles claim in app-only tokens
问题描述
When I try to get app only token from nodejs backend server as described here, sometimes roles claim is missing in token, which leads to Authorization_IdentityNotFound or Authorization_RequestDenied error.
我创建了一个仅获取应用程序令牌的函数,该函数将调用/token端点,直到检索到的令牌中的roles声明可用为止.
I created a function to get app only token, which will call /token endpoint until roles claim available in the retrieved token.
这是函数:
async getApplicationTokenByTenant(
tenantId: string
): Promise<any> {
// post param
const params = {
client_id: process.env.APP_ID,
client_secret: process.env.APP_SECRET,
grant_type: "client_credentials",
scope: "https://graph.microsoft.com/.default"
};
let expectedRes = null;
let retryCount = 0;
// try to get token for max 4 times
while (!expectedRes && retryCount < 4) {
console.log(`Try:${retryCount + 1}`);
// call api
const res = await fetch(
`https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`,
{
method: "POST",
body: form(params),
headers: {
Accept: "application/json",
"Content-Type":
"application/x-www-form-urlencoded"
}
}
);
if (res.status !== 200) {
const exception = await res.json();
throw exception;
}
const response = await res.json();
// Decode token
const decodedToken = jws.decode(
response.access_token
) as any;
console.log("decodedToken");
console.log(decodedToken);
// check if "roles" exist in token
if (!decodedToken.roles) {
// if not wait for 3 seconds before retry
await asyncWait(3000);
retryCount++;
} else {
// got token having roles claim
expectedRes = response;
}
}
if (!expectedRes) {
// did not get expected response after max retry
throw new Error("Unable to get app token with roles");
}
return expectedRes;
}
这是响应:
尝试:1
{
"aud": "https://graph.microsoft.com",
"iss": "https://sts.windows.net/8xxxxxxx-6xxx-4xxx-8xxx-exxxxxxxxxxx/",
"iat": 1544945058,
"nbf": 1544945058,
"exp": 1544948958,
"aio": "42RgYAhLEHI9n/8xtk896Mfyc2cWAwA=",
"app_displayname": "Dev Bot",
"appid": "axxxxxxx-1xxx-4xxx-8bc6-bxxxxxxxxxxx",
"appidacr": "1",
"idp": "https://sts.windows.net/8xxxxxxx-6xxx-4xxx-8xxx-exxxxxxxxxxx/",
"oid": "7xxxxxxx-6xxxx-4xxxx-a94f-cxxxxxxxxxxx",
"sub": "7xxxxxxx-6xxxx-4xxxx-a94f-cxxxxxxxxxxx",
"tid": "8xxxxxxx-6xxx-4xxx-8xxx-exxxxxxxxxxx",
"uti": "qrPy3iOYp0emoAWhGI6oAA",
"ver": "1.0",
"xms_tcdt": 1540903121
}
尝试:2
{
"aud": "https://graph.microsoft.com",
"iss": "https://sts.windows.net/8xxxxxxx-6xxx-4xxx-8xxx-exxxxxxxxxxx/",
"iat": 1544945062,
"nbf": 1544945062,
"exp": 1544948962,
"aio": "42RgYGBJfLUkMmfnZgFrhl8lThs0AQ==",
"app_displayname": "Dev Bot",
"appid": "axxxxxxx-1xxx-4xxx-8bc6-bxxxxxxxxxxx",
"appidacr": "1",
"idp": "https://sts.windows.net/8xxxxxxx-6xxx-4xxx-8xxx-exxxxxxxxxxx/",
"oid": "7xxxxxxx-6xxxx-4xxxx-a94f-cxxxxxxxxxxx",
"sub": "7xxxxxxx-6xxxx-4xxxx-a94f-cxxxxxxxxxxx",
"tid": "8xxxxxxx-6xxx-4xxx-8xxx-exxxxxxxxxxx",
"uti": "cGcY4Mdbyk6BkZlOjVSfAA",
"ver": "1.0",
"xms_tcdt": 1540903121
}
尝试:3
{
"aud": "https://graph.microsoft.com",
"iss": "https://sts.windows.net/8xxxxxxx-6xxx-4xxx-8xxx-exxxxxxxxxxx/",
"iat": 1544945070,
"nbf": 1544945070,
"exp": 1544948970,
"aio": "42RgYFgQlXKE/SWHGP+115sO7D/yAwA=",
"app_displayname": "Dev Bot",
"appid": "axxxxxxx-1xxx-4xxx-8bc6-bxxxxxxxxxxx",
"appidacr": "1",
"idp": "https://sts.windows.net/8xxxxxxx-6xxx-4xxx-8xxx-exxxxxxxxxxx/",
"oid": "7xxxxxxx-6xxxx-4xxxx-a94f-cxxxxxxxxxxx",
"roles": [
"Mail.ReadWrite",
"Group.ReadWrite.All",
"Files.ReadWrite.All",
"Directory.Read.All",
"Mail.Read"
],
"sub": "7xxxxxxx-6xxxx-4xxxx-a94f-cxxxxxxxxxxx",
"tid": "8xxxxxxx-6xxx-4xxx-8xxx-exxxxxxxxxxx",
"uti": "CMiI-hcLlUCpqO6z70ukAA",
"ver": "1.0",
"xms_tcdt": 1540903121
}
如回应所示,我在第三次尝试时得到了预期的令牌(具有角色声明).为何在第一次尝试时不起作用?
As shown in response, I am getting expected token(having roles claim) on the third try. Any reason why this not working on the first try?
推荐答案
在我这边,我尝试了门户中的管理员同意和要求管理员同意的url请求,然后立即获得了仅应用令牌,这些角色包含在令牌.据我所知,更新权限可能需要一些时间.
On my side, I tried the admin consent in the portal and the url request for admin consent, and then got app-only token immediately, the roles included in the token. As I know, update the permission may need time to work.
这篇关于Azure AD-缺少角色的仅应用令牌中的声明的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
