Calling Azure WebApi from Postman with specific scope


Problem description


I use Postman to test my API hosted in Azure. First I get an Access Token like this

Since I use the grant_type `client_credentials` I have to use the default scope like this `api://my-app-id/.default` as explained here.

But one of the endpoints of my API requires a specific scope, so the call fails because my access token does not contain this scope.

How am I supposed to test from Postman with the required scope?

Solution

If you use Client Credential Flow to obtain an access token for an api protected by Azure, you must create an application and grant application permissions to the application (this is because Client Credential flow has no user interaction).

Then you need to define the application permissions by editing the list of api applications. Here is an example.

Next, grant application permissions to the application:

Refer to this document and use Client Credential flow to get access token here:

1. First you need to get the administrator's consent:

GET https://login.microsoftonline.com/{tenant}/adminconsent?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&state=12345
&redirect_uri=http://localhost/myapp/permissions

2. Then you can get the access token by sharing the secret:

POST /{tenant}/oauth2/v2.0/token HTTP/1.1           //Line breaks for clarity
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=535fb089-9ff3-47b6-9bfb-4f1264799865
&scope=api://your-app-id/.default
&client_secret=qWgdYAmab0YSkuL1qKv5bPX
&grant_type=client_credentials

Parse the token and you will see your custom roles:

Try using the token to access your API.

Update:

According to your mistakes, there is user interaction, so if you want to use a user token, you should not use Client Credential Flow but auth code flow, and grant the client application Delegated permissions.

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=api://11f5aca5-ba22-4b7b-8312-60a09aab7xxx/Files.Upload
&state=12345

POST /{tenant}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=api://11f5aca5-ba22-4b7b-8312-60a09aab7df5/Files.Upload
&code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&grant_type=authorization_code
&client_secret=JqQX2PNo9bpM0uEihUPzyrh  

Parse the token and you will see your custom scp:
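Added example, not part of the original answer: a small Python helper that parses a token and reports whether it carries the delegated scope (`scp`) an endpoint expects or only application permissions (`roles`), which is the difference between the two flows above. The tokens are constructed and unsigned, and the role name `Example.AppRole` is a placeholder; the decoder is for inspection only and does not verify the signature, issuer or audience.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token: str, required_scope: str) -> str:
    """Say whether a token can satisfy an endpoint that checks a delegated scope."""
    claims = jwt_claims(token)
    scopes = set(claims.get("scp", "").split())  # delegated: space-separated string
    roles = set(claims.get("roles", []))         # application: JSON array
    if required_scope in scopes:
        return "ok"
    if not scopes and roles:
        return f"app-only token: roles={sorted(roles)}, no scp; use auth code flow"
    return f"missing scope {required_scope}; token has scp={sorted(scopes)}"


def sample_token(claims: dict) -> str:
    """Build a constructed token with a placeholder signature so this runs offline."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "constructed"])


# Constructed payloads; aud reuses the page's placeholder application ID URI.
APP_TOKEN = sample_token({"aud": "api://your-app-id", "roles": ["Example.AppRole"]})
USER_TOKEN = sample_token({"aud": "api://your-app-id", "scp": "Files.Upload"})

if __name__ == "__main__":
    for flow, tok in (("client_credentials", APP_TOKEN),
                      ("authorization_code", USER_TOKEN)):
        print(flow, "->", diagnose(tok, "Files.Upload"))
```

To inspect a real token from Postman, pass the `access_token` value to `diagnose` together with the scope name the endpoint requires.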
