如何使用用于Azure DevOps的MSAL.js获取有效的AAD v2令牌 [英] How to get valid AAD v2 token using MSAL.js for Azure DevOps

问题描述

ADAL.js和AAD v1可以使用委派的user_impersonation范围来访问Azure DevOps.

ADAL.js and AAD v1 works to access Azure DevOps using delegated user_impersonation scope.

我使用具有委派权限的相同AAD应用程序ID来使用MSAL.js生成访问令牌.令牌已成功创建，但是访问令牌无法访问Azure DevOps.

I used the same AAD Application Id with delegated permissions to generate access tokens using MSAL.js. The tokens were created successfully, but the access token does not work to access Azure DevOps.

解码的JWT令牌中唯一有意义的区别是"aud"声明不同.

The only meaningful difference in the decoded JWT token is that the "aud" claims are different.

在ADAL/v1中，aud是Azure DevOps的应用程序ID:

In ADAL/v1, the aud is the application id of Azure DevOps:

"aud": "499b84ac-1321-427f-aa17-267ca6975798"

在MSAL/v1中，aud是Azure DevOps的唯一uri:

In MSAL/v1, the aud is the unique uri for Azure DevOps:

"aud": "https://app.vssps.visualstudio.com"

有人能够使用具有user_impersonation委派权限的MSAL.js来访问Azure DevOps rest API吗?如果是这样，MSAL是否可以正常工作?

Has anyone been able to use MSAL.js with user_impersonation delegated permissions to access Azure DevOps rest API? If so, are there something missing to get MSAL to work?

他们的JWT验证是否可能还没有考虑第二个受众群体的价值?

Is it possible that their JWT validation just doesn't yet account for the second audience value?

推荐答案

Azure DevOps似乎是v1.0应用程序，因此我试图使其与Azure Portal在设置时建议的错误v2.0范围一起使用委派的权限:

It looks like Azure DevOps is a v1.0 application, so I was trying to make it work with the wrong v2.0 scope that Azure Portal suggested when setting up the delegated permissions:

scopes: ['https://app.vssps.visualstudio.com/user_impersonation']

但是，根据此

However, according to this doc, the scope should use the resource Id as a prefix when talking with v1.0 applications. Here is the working scope with Azure DevOps resource id:

scopes: ['499b84ac-1321-427f-aa17-267ca6975798/user_impersonation']

这解决了aud字段的问题，因此我再次提出了499b84ac-1321-427f-aa17-267ca6975798的JWT aud声明.

This fixes the issue with the aud field, so that I again have a JWT aud claim with 499b84ac-1321-427f-aa17-267ca6975798.

希望这可以帮助其他人阻止此问题.

Hopes that this helps someone else blocked on this issue.

这篇关于如何使用用于Azure DevOps的MSAL.js获取有效的AAD v2令牌的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！