卡在Azure OAuth2令牌请求中的两个错误之间 [英] Stuck between two errors in an Azure OAuth2 token request

问题描述

我正在为OWIN和Azure Active Director实施OAuth2提供程序. FWIW，目前，"OpenId Connect"选项不符合这项工作的要求.

I am implementing an OAuth2 provider for OWIN and Azure Active Director. FWIW, at this time the OpenId Connect option doesn't fit the requirements for this work.

我得到一个验证码，并返回带有auth_code，状态的回复URL，并向"scheme://login.windows.net/{myguid}/oauth2/token"申请令牌.

I get an auth code, and returned to my reply url with the auth_code, state, and make the request for a token to "scheme://login.windows.net/{myguid}/oauth2/token.

 // Build up the body for the token request
 var body = new List<KeyValuePair<string, string>>();
 body.Add(new KeyValuePair<string, string>("grant_type", "authorization_code"));
 body.Add(new KeyValuePair<string, string>("code", code));
 body.Add(new KeyValuePair<string, string>("redirect_uri", redirectUri));
 body.Add(new KeyValuePair<string, string>("client_id", Options.ClientId));
 body.Add(new KeyValuePair<string, string>("client_secret", Options.ClientSecret));

 // Request the token
 HttpResponseMessage tokenResponse =
     await httpClient.PostAsync(TokenEndpoint, new FormUrlEncodedContent(body));
 string text = await tokenResponse.Content.ReadAsStringAsync();
 tokenResponse.EnsureSuccessStatusCode();

我收到此错误:

{"error":"invalid_resource","error_description":"AADSTS50001: Resource identifier is not provided.
Trace ID: 227f2af8-0837-4f22-ac0f-a09b3f9a6d50
Correlation ID: 3d783f11-44d0-4efa-8831-3dd581d653ed
Timestamp: 2014-08-08 21:59:49Z","error_codes":[50001],"timestamp":"2014-08-08 21:59:49Z","trace_id":"227f2af8-0837-4f22-ac0f-a09b3f9a6d50","correlation_id":"3d783f11-44d0-4efa-8831-3dd581d653ed"}

好的，我添加资源选项:

OK, I add the resource option:

 // Build up the body for the token request
 var body = new List<KeyValuePair<string, string>>();
 body.Add(new KeyValuePair<string, string>("grant_type", "authorization_code"));
 body.Add(new KeyValuePair<string, string>("code", code));
 body.Add(new KeyValuePair<string, string>("redirect_uri", redirectUri));
 body.Add(new KeyValuePair<string, string>("client_id", Options.ClientId));
 body.Add(new KeyValuePair<string, string>("client_secret", Options.ClientSecret));
 body.Add(new KeyValuePair<string, string>("resource", "https://myappid"));

{"error":"invalid_request","error_description":"AADSTS90027: The client 'xxxxx' and resource 'https://myappid' identify the same application.
Trace ID: 6c77f123-d75f-43a9-8117-b3f372891ee4
Correlation ID: d9081f8b-b690-4478-bf15-55325a9736ec
Timestamp: 2014-08-08 21:48:34Z","error_codes":[90027],"timestamp":"2014-08-08 21:48:34Z","trace_id":"6c77f123-d75f-43a9-8117-b3f372891ee4","correlation_id":"d9081f8b-b690-4478-bf15-55325a9736ec"}

因此，我必须具有与我的客户ID相关联的正确应用ID. ！我显然做错了，但似乎看不到它.有什么建议?

so I must have the correct app id associated with my client id. hrrmph! I am clearly doing something wrong but just can't seem to see it. Any suggestions?

推荐答案

OAuth与4个参与者打交道:1)资源所有者又名用户2)资源应用程序:通常是一个Web API，可保护用户对资源所有者的访问3)客户端应用程序:一个Web应用程序或移动应用程序，甚至是另一个希望代表用户访问资源的Web API 4)权限:安全令牌服务，对用户和/或客户端应用程序进行身份验证并颁发委派的访问令牌客户端访问资源.

OAuth deals with 4 parties: 1) resource owner aka user 2) resource app: usually a Web API that protects access to resources owner by the user 3) client app: a web app or mobile app or even another Web API that wants to access the resource on-behalf of the user 4) the authority: the secure token service that authenticates the user and/or the client app and issues a delegated access token to the client to access the resource.

您的代码正在为客户端应用程序和资源使用相同的标识符-本质上，它正在尝试请求访问令牌来访问自身.可以争论的是，应该允许这种情况-但是，Azure AD今天不支持这种情况.

Your code is using the same identifier for the client app as well as the resource - essentially it is trying to request for an access token to access itself. It can be argued that this scenario should be allowed - but it isn't today by Azure AD.

请执行以下操作:在Azure AD中注册资源应用程序.在清单中添加一个新的appPermission(遵循

Please do the following: register a resource application in Azure AD. In its manifest add a new an appPermission (follow this post). Then, go to the client application configuration page and scroll to the bottom - in the 'Permissions to other applications' section, add the resource permission to the client applications list of "delegated permissions".

现在，在OAuth请求中使用资源应用程序的AppIDURI或ClientID，并且东西应该可以工作.

Now, use the resource application's AppIDURI or ClientID in your OAuth request and stuff should work.

希望这会有所帮助.

这篇关于卡在Azure OAuth2令牌请求中的两个错误之间的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！