无法从https://login.microsoftonline.com获取refresh_token [英] Cannot obtain refresh_token from https://login.microsoftonline.com
问题描述
我有一个使用Azure身份验证的MVC应用程序。应用程序调用Azure函数(受活动目录保护)。
使用bearer token成功调用该函数。 问题发生在azure函数内部。 azure函数从租户获取Access令牌,因此可以调用graph api以返回分配给用户的组。 以下
代码用于获取令牌
var _resp = request('POST',https:// login.microsoftonline.com /'+ TENANT_ID +'/ oauth2 / v2.0 / token';, {
标题:{
; 'Content-Type':'application / x-www-form-urlencoded',
},
; body:" scope = Directory.Read.All%20Group.Read.All&" +
" grant_type = urn:ietf:params: oauth:grant-type:jwt-bearer&" +
" client_id =" + APP_CLIENT_ID +"&" +
" client_secret =" + APP_CLIENT_SECRET +"&" +
" assertion =" + req.headers ['x-ms-token-aad-id-token'] +"&" +
" requested_token_use = on_behalf_of&q uot;
});
获取的Access令牌仅在1小时内有效,仅在我直接从浏览器访问azure函数时有效时间。通过浏览器完成第一次登录后,MVC应用程序可以无问题地调用该函数,直到令牌
到期,然后显示以下消息:
" invalid_grant"," error_description":" AADSTS500133:断言不在其有效时间范围内。
<我已经读到问题是因为Access令牌已过期,并且必须使用刷新令牌获取新令牌,
问题是,在调用https://login.microsoftonline.com/'+TENANT_ID+'/oauth2/v2.0/token
时,我无法获得刷新令牌,只返回Access_token
有没有办法解决这个问题?
Alvaro
好像你没有将刷新令牌传递给请求体。您可以从[X-MS-TOKEN-AAD-REFRESH-TOKEN]标题获取刷新令牌,并将其作为"refresh_token"= [X-MS-TOKEN-AAD-REFRESH-TOKEN]
$传递给请求b $ b您的代码如下所示:
var _resp = request('POST',https:// login。 microsoftonline.com /'+ TENANT_ID +'/ oauth2 / v2.0 / token';, {
header:{
'Content-Type':'application / x-www-form-urlencoded',
},
body:" scope = Directory.Read.All%20Group.Read.All&" +
" grant_type = urn:ietf:params:oauth:grant-type: jwt-bearer&" +
" client_id =" + APP_CLIENT_ID +"&" +
" client_secret =" + APP_CLIENT_SECRET +"&" +
"assertion =" + req.headers ['x-ms-token-aad-id-token'] +"&" +
" requested_token_use = on_behalf_of" +"&" ; +" refresh_token" =
req.headers [`x-ms-token-aad-refr esh-token`]
});有关此内容的更多详情,请参阅以下文档:
https://docs.microsoft.com/en-us/azure/app-service/app-service-authentication-how-to#retrieve-tokens-in-app-code
Hi,
I have a MVC application using Azure Authentication. The application invokes an Azure Function (protected with active directory).
The function is invoked successfully using bearer token. The problem occurs inside the azure function. The azure function obtains an Access token from the tenant so graph api can be invoked to return the groups assigned to the user. The following code is used to obtain the token
var _resp = request('POST',https://login.microsoftonline.com/'+TENANT_ID+'/oauth2/v2.0/token';,{
headers:{
'Content-Type': 'application/x-www-form-urlencoded',
},
body: "scope=Directory.Read.All%20Group.Read.All&"+
"grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&"+
"client_id="+APP_CLIENT_ID+"&"+
"client_secret="+APP_CLIENT_SECRET+"&"+
"assertion="+req.headers['x-ms-token-aad-id-token']+"&"+
"requested_token_use=on_behalf_of"
});
The Access token obtained is only valid for 1 hour, and only works if I Access the azure function directly from browser the first time. After the first login is done via browser, the MVC application can invoke the function without issues, until the token expires, then the following message is displayed:
"invalid_grant","error_description":"AADSTS500133: Assertion is not within its valid time range.
I have read that the problem is because the Access token expired, and a new token must be obtained using the refresh token,
The problem is that I cannot get a refresh token when invoking https://login.microsoftonline.com/'+TENANT_ID+'/oauth2/v2.0/token
only Access_token is returned
Is there any way to overcome this issue?
Alvaro
Seems like you are not passing refresh token to the request body. You can Get Refresh token from [X-MS-TOKEN-AAD-REFRESH-TOKEN] header and pass it to the request as "refresh_token"= [X-MS-TOKEN-AAD-REFRESH-TOKEN]
Your code will look like as shown below:
var _resp = request('POST',https://login.microsoftonline.com/'+TENANT_ID+'/oauth2/v2.0/token';,{ headers:{ 'Content-Type': 'application/x-www-form-urlencoded', }, body: "scope=Directory.Read.All%20Group.Read.All&"+ "grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&"+ "client_id="+APP_CLIENT_ID+"&"+ "client_secret="+APP_CLIENT_SECRET+"&"+ "assertion="+req.headers['x-ms-token-aad-id-token']+"&"+ "requested_token_use=on_behalf_of"+"&"+"refresh_token"= req.headers[`x-ms-token-aad-refresh-token`] });Refer the below document for more details around this:
https://docs.microsoft.com/en-us/azure/app-service/app-service-authentication-how-to#retrieve-tokens-in-app-code
这篇关于无法从https://login.microsoftonline.com获取refresh_token的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
