我无法获取访问令牌以使用azure ad API来获取用户组：发出令牌时出错。 [英] I failed to get access token to use azure ad API to get user groups: There was an error issuing a token.

问题描述

我正在尝试获取用户组，我实施了saml但它没有返回给我用户组。



我有：

Azure广告目录：

目录ID = {目录ID}



使用saml身份验证的企业应用程序：



申请ID = {enterprize app id}



应用程序中的应用程序dot dev dot microsoft dot com /

申请ID = {app id}

客户秘密= {秘密}



$




$
https登录点microsoftonline dot com / {目录id} / oauth2 / authorize？client_id = {enterprize app id}& response_type = code& redirect_uri = {uri}& prompt = admin_consent



$
POST https login dot microsoftonline dot com / {directory id} f / oauth2 / v2 .0 /令牌

发布字段：

grant_type = authorization_code

client_id = {enterprize app id}

范围= https graph dot microsoft dot com / v1.0 / me / memberOf

c ode =上一次请求的代码

redirect_uri = {enterpise app redirect uri}



回复：
$
AADSTS50000：发出令牌时出错。



当我尝试使用{app id}和客户机密时，我得到：



https dot login dot microsoftonlinedot com / {directory id} / oauth2 / authorize？client_id = {app id}& response_type = code& redirect_uri = {uri}& prompt = admin_consent



POST https登录点microsoftonline dot com / {目录id} f / oauth2 / v2.0 / token

发布字段：

grant_type = authorization_code

client_id = {app id}

scope = https graph dot microsoft dot com / v1.0 / me / memberOf

code =来自先前请求的代码

redirect_uri = {app redirect uri}

client_secret = {secret}



得到了相同的错误：
$
发出令牌时发生错误。

解决方案

我不认为你在路过正确的处理令牌端点，你需要传递范围如下 -  对于默认范围传递 

scope = https ％3A％2F％2Fgraph.microsoft.com％2F 。默认
（ https://graph.microsoft.com/.default)

或者你知道范围你可以这样传递 -   

范围= HTTPS％3A％2F％2Fgraph.microsoft.com％2Fuser.read

I am trying to get user groups, I implement saml but it not return me the user groups.

I have:
Azure Ad directory:
Directory id = {directory id}

Enterprise application with saml authentication that works:

Application id = {enterprize app id}

Application in apps dot dev dot microsoft dot com/
Application id = {app id}
Client secret ={secret}





https login dot microsoftonline dot com/{directory id}/oauth2/authorize?client_id={enterprize app id}&response_type=code&redirect_uri={uri}&prompt=admin_consent


POST https login dot microsoftonline dot com/{directory id}f/oauth2/v2.0/token
Post fields:
grant_type=authorization_code
client_id={enterprize app id}
scope=https graph dot microsoft dot com/v1.0/me/memberOf
code=code from previous request
redirect_uri={enterpise app redirect uri}

Response:
AADSTS50000: There was an error issuing a token.

When I try with the {app id} and Client secret I get:

https dot login dot microsoftonlinedot com/{directory id}/oauth2/authorize?client_id={app id}&response_type=code&redirect_uri={uri}&prompt=admin_consent

POST https login dot microsoftonline dot com/{directory id}f/oauth2/v2.0/token
Post fields:
grant_type=authorization_code
client_id={app id}
scope=https graph dot microsoft dot com/v1.0/me/memberOf
code=code from previous request
redirect_uri={app redirect uri}
client_secret={secret}

Got the same error:
There was an error issuing a token.

解决方案

I do not think you are passing the correct scope to token endpoint and you need to pass the scope like below - For default scope pass 

scope=https%3A%2F%2Fgraph.microsoft.com%2F.default (https://graph.microsoft.com/.default)

or if you know scopes you can pass like this -  

scope=https%3A%2F%2Fgraph.microsoft.com%2Fuser.read

这篇关于我无法获取访问令牌以使用azure ad API来获取用户组：发出令牌时出错。的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！