Multiple resources in a single authorization request


Problem description


We currently use the following authorize url: https://login.microsoftonline.com/common/oauth2/authorize?resource=https%3A%2F%2Foutlook.office365.com


We want to also use the Graph API, so I added the following: https://login.microsoftonline.com/common/oauth2/authorize?resource=https%3A%2F%2Foutlook.office365.com%2F%26https%3A%2F%2Fgraph.microsoft.com


I've tried different delimiters between the two resources, but couldn't get it to work. Each resource works on its own. I hope that more than one resource at a time is supported?

Recommended answer


I think what you're trying to do here by passing multiple values to resource parameter directly will not work (probably not a supported scenario, but I'll wait till someone from Microsoft confirms or I find Azure AD documentation stating exactly that. In the meanwhile, here's an old blog post that says something like this, but it's a blog talking about SSO and old from 2014 :), so don't want to rely solely on this.)


Below I'm explaining how you can make this scenario work by reusing refresh tokens and without passing both resource ids in same call. (NOTE: This approach will work for Authorization Code Grant Flow but not for Implicit grant flow like a JavaScript based SPA, because no refresh token is returned in that case)

  • Once the authorization code is available from the authorize endpoint, you go to the Azure AD token endpoint requesting a token for a single resource (using a REST call to the endpoint or something like the ADAL library's AcquireToken method, depending on your application requirements)
  • You get back an access token + refresh token as the response to your call to the token endpoint. The access token is valid for the resource that was mentioned in the first call (say graph.microsoft.com)
  • Then, using the refresh token you just got, you make another call to the token endpoint (REST or ADAL AcquireTokenSilent, so that there isn't a popup asking for user credentials this second time) and get a token for the second resource by specifying the 2nd resource id in this call
  • The access token you get this time is valid for the 2nd resource.
  • In fact you can continue doing this, and hence the name "Multi-resource refresh tokens" shows up in some places. Although now all refresh tokens are supposed to be multi-resource, i.e. valid for requesting any resource that your application has consent for.
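The sequence in the answer above, as an added example that is not part of the original post or of any Microsoft library: it builds the two kinds of Azure AD v1 token requests (authorization-code redemption for the first resource, then refresh-token redemption for each further resource) and drives them against a constructed in-memory stand-in for the token endpoint so it runs offline. The form parameters (grant_type, code, redirect_uri, client_id, client_secret, resource, refresh_token) are the documented v1 ones; the client id, secret, redirect URI, authorization code and token strings are all constructed, and the stand-in's behaviour (single-use codes, multi-resource refresh tokens, one audience per access token) is the assumption the answer describes, not a copy of the real service.

```python
"""Added example (not from the original Q&A): one authorization code, several
resources, using the refresh token for every resource after the first.
Runs offline against a constructed stand-in for the Azure AD v1 token endpoint."""
import json
import secrets
from urllib.parse import parse_qs, urlencode

TOKEN_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/token"  # real v1 URL, not called here

OUTLOOK = "https://outlook.office365.com"
GRAPH = "https://graph.microsoft.com"

# Constructed app registration values (placeholders, not real credentials).
CLIENT_ID = "00000000-0000-0000-0000-000000000001"
CLIENT_SECRET = "constructed-client-secret"
REDIRECT_URI = "https://localhost/callback"


def build_code_request(code: str, resource: str) -> str:
    """Form body for the first call: redeem the authorization code for ONE resource."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "resource": resource,
    })


def build_refresh_request(refresh_token: str, resource: str) -> str:
    """Form body for later calls: trade the refresh token for an access token for ANOTHER resource."""
    return urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "resource": resource,
    })


class FakeTokenEndpoint:
    """Constructed stand-in for the v1 token endpoint. It models only what the
    answer relies on: authorization codes are single-use, the refresh token is
    multi-resource (good for any consented resource), and each access token is
    minted for exactly one audience."""

    def __init__(self, consented_resources):
        self.consented = set(consented_resources)
        self.valid_codes = {"constructed-auth-code"}
        self.refresh_tokens = set()

    def post(self, body: str) -> dict:
        form = {k: v[0] for k, v in parse_qs(body).items()}
        resource = form.get("resource", "")
        # A joined string like "res1&res2" is not a registered resource: this is
        # the failure the question ran into when stuffing two ids into one parameter.
        if resource not in self.consented:
            return {"error": "invalid_resource"}
        grant = form.get("grant_type")
        if grant == "authorization_code":
            if form.get("code") not in self.valid_codes:
                return {"error": "invalid_grant"}
            self.valid_codes.discard(form["code"])  # codes are single-use
        elif grant == "refresh_token":
            if form.get("refresh_token") not in self.refresh_tokens:
                return {"error": "invalid_grant"}
        else:
            return {"error": "unsupported_grant_type"}
        refresh_token = secrets.token_urlsafe(16)
        self.refresh_tokens.add(refresh_token)
        # The access token is modelled as a JSON blob carrying its audience.
        access_token = json.dumps({"aud": resource, "appid": CLIENT_ID})
        return {"access_token": access_token, "refresh_token": refresh_token, "resource": resource}


def acquire_tokens_for_resources(code: str, resources, endpoint) -> dict:
    """Redeem the code for resources[0], then use the latest refresh token for each
    further resource. Returns {resource: access_token}."""
    tokens = {}
    refresh_token = None
    for i, resource in enumerate(resources):
        if i == 0:
            body = build_code_request(code, resource)
        else:
            body = build_refresh_request(refresh_token, resource)
        resp = endpoint.post(body)
        if "error" in resp:
            raise RuntimeError(f"token request for {resource} failed: {resp['error']}")
        # Check the audience before handing the token to an API: a token for Outlook
        # must never be sent to Graph, and vice versa.
        if json.loads(resp["access_token"])["aud"] != resource:
            raise RuntimeError(f"audience mismatch for {resource}")
        tokens[resource] = resp["access_token"]
        refresh_token = resp["refresh_token"]
    return tokens


if __name__ == "__main__":
    endpoint = FakeTokenEndpoint([OUTLOOK, GRAPH])
    for res, tok in acquire_tokens_for_resources("constructed-auth-code", [OUTLOOK, GRAPH], endpoint).items():
        print(res, "->", tok)
```

Against the real endpoint you would POST each body to TOKEN_ENDPOINT with `Content-Type: application/x-www-form-urlencoded` and keep the refresh token server-side; the audience check stands in for validating the real JWT's `aud` claim before use.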

Links that may help you understand and implement this further:

Refreshing tokens for multiple resources
