AADSTS50011: Issue when getting OAuth grant from an SAP system


Problem description

This one is a not yet described AADSTS50011 issue:

Getting the OAuth2.0 grant token via Azure AD from an SAP system requires registering an application in AAD and providing an OAuth2.0 Client profile on the SAP system. The SAP system can then trigger the flow to get the OAuth token. 

In the SAP system, the OAuth2.0 client configuration contains the Application ID from AAD, client secret, endpoints, grant type set to Authorization Code, target endpoint, and it allows maintaining the redirection URI server used to construct the redirection URI which then follows the pattern https://<SAP system>:<port>/sap/public/bc/sec/oauth2/client/redirect?sap-client=715.

I trigger the flow from SAP system using the corresponding OAuth grant app. Depending on how the redirection URI is maintained in Azure, I get two different error situations:

If the redirection URI is maintained exactly the same way in the app registration settings, I do not end up in the logon screen of the app homepage. Instead, I just get the URL enriched with error information so that it (after URL decoding) looks like this:

Encoding the parameter sap-client does not change this behavior. It seems AAD does not accept the parameter sap-client (which I can't configure away).

Changing the Reply URL by dropping the parameter (as indicated in the error text) so that it looks like https://<SAP system>:<port>/sap/public/bc/sec/oauth2/client/redirect changes the behavior, but not for the better: I now get the error message pop-up "AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: '<app ID'." in login.microsoftonline.com.

What is my error? Is there any guidance on how to deal with URL parameters here?

Thanks in advance, 维塔斯


Recommended answer

Where are you trying to redirect the user? You should test by just adding your main homepage URL to ensure that the redirect is working. 

You need to ensure that the Reply URL in your application registration matches the Reply URL/Redirect URI in your web.config or app settings. In addition, your app ID, tenant ID, and client secret (if applicable) need to match what's in your code/config and the application needs to be registered under the proper tenant.

My blog post and accompanying video have all of these settings listed. 
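
The matching check the answer describes can be scripted. The following is an added example, not part of the original question or answer: it extracts the `redirect_uri` from an authorization request URL copied from the browser and compares it with the registered reply URLs, assuming exact string comparison (as RFC 6749 section 3.1.2.3 specifies for fully registered redirect URIs). The host, port, `TENANT_ID` and `APP_ID` values are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: hypothetical SAP host/port and placeholder IDs.
REGISTERED = [
    "https://sap.example.com:44300/sap/public/bc/sec/oauth2/client/redirect",
]
AUTH_REQUEST = (
    "https://login.microsoftonline.com/TENANT_ID/oauth2/authorize"
    "?response_type=code&client_id=APP_ID"
    "&redirect_uri=https%3A%2F%2Fsap.example.com%3A44300%2Fsap%2Fpublic%2Fbc"
    "%2Fsec%2Foauth2%2Fclient%2Fredirect%3Fsap-client%3D715"
)


def sent_redirect_uri(auth_request_url):
    """Return the percent-decoded redirect_uri of an authorization request."""
    values = parse_qs(urlsplit(auth_request_url).query).get("redirect_uri", [])
    if len(values) != 1:
        raise ValueError("expected exactly one redirect_uri parameter")
    return values[0]


def components(uri):
    """Split a URI into the parts that must agree for a string match."""
    p = urlsplit(uri)
    # netloc is kept verbatim so case and explicit-port differences stay visible
    return {"scheme": p.scheme, "authority": p.netloc, "path": p.path,
            "query": p.query, "fragment": p.fragment}


def diff(sent, registered):
    """Map each differing component to (sent value, registered value)."""
    a, b = components(sent), components(registered)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


def check(auth_request_url, registered_uris):
    """Return (sent URI, {}) on an exact match, else a per-URI difference report."""
    sent = sent_redirect_uri(auth_request_url)
    if sent in registered_uris:
        return sent, {}
    return sent, {r: diff(sent, r) for r in registered_uris}


if __name__ == "__main__":
    sent, report = check(AUTH_REQUEST, REGISTERED)
    print("sent:", sent)
    for uri, delta in report.items():
        print("registered:", uri, "differs in", delta)
```

With the sample data, the report shows that the only difference is the `sap-client=715` query string that the SAP system appends and the registration lacks.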

