Azure AD automatically added offline_access


Question

For the Microsoft OAuth 2.0 authorization code grant, we have encountered an issue with scopes.

When we request only the User.Read scope, our client is asked to grant us permission for "Sign you in and read your profile" and "Access your data anytime", even though we never stated that we need the offline_access scope.

This only started happening after Microsoft switched to the new permission grant interface. Has anyone else encountered the same issue, or did we do something wrong?

The response_type we pass in is only code.

I have double-checked: the application we registered is under https://apps.dev.microsoft.com.

The URL we use for authorizing is the following.

https://login.microsoftonline.com/common/oauth2/v2.0/authorize

As I said earlier, the only scope we pass in through the query string is User.Read.

Edit 3

Request URL (I have removed the client id): https://login.microsoftonline.com:443/common/oauth2/v2.0/authorize?client_id={client_id}&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A19974%2Fapi%2Fv1%2Fmicrosoft%2Foauth2%2Fsession&response_mode=form_post&scope=User.Read&state=1527572151-IIZ0D&nonce=1527572151-IIZ0D&prompt=consent&domain_hint=organizations

Response recorded with Fiddler:

POST http://localhost:19974/api/v1/microsoft/oauth2/session HTTP/1.1
Host: localhost:19974
Connection: keep-alive
Content-Length: 798
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en,en-NZ;q=0.9,zh-TW;q=0.8,zh;q=0.7,zh-CN;q=0.6
DNT: 1

code=OAQABAAIAAADX8GCi6Js6SK82TsD2Pb7rUmGhJoHUB3devvTffqTlhRhg9XZ202zgEA8B37CzgkeLNVBc4FFstw3sTjNmYhKCYLE_jcl7KeCrtYgPVFYOKUuazv_B3vHKIM8ttwIzOlV_3GL4vqxPgjvXbWUdas5Sj9Z1X9fEBB63Wa1Ig0AnisnHk6qagIimFEPApYx473RzgIve2erM3r5fnX5Q0L1-pHppSFUJoWop6MPTkUh-umPzuXQgB280rHyUds3odS6_cJP6SbI70aLNOqHV_AnaV_VUZqQ6hLfBZMVKFMYMg_r_harPOU5EE2gf2d15FIKMsmjPRTR2vryaJRyg0TblF_jr-kWyeURwpbkPzsU6r3avEqM6dfTqhhASoXB4VmeZ2zw75pZgK4v8cfcd3J_tIpFRjcEY1TqPz5E3QrYQGfFSeBEEbjwqvj2X5_4VBvve7ABdrt3OCjid8E_837mLX-Fv5t3nk_nfnV0SY6XrFQQmoPClyqSyn44FTv_WFY7Af74SfeBrWDYSSiTuwphEmVTeT6U2R4Rs4wR8G0uHW2L53U-4UbkODd-_-JZYIahAohDAF-8TaguUwb4mOK497wsFOkgpmYz-np4MX3sTweSLmn6bAOy9Y91E3o4fuERzX9m9N_HBt64cv6k8JROKJqs6cx1Gb9EoYCRLCn2ihWi_crZh2PH5LACMCLWYgH0gAA&state=1527572151-IIZ0D&session_state=1faeaab9-0f00-45cb-a776-356463a54684

Edit 4

Today I did a few more tests while upgrading the project to .NET Core 2.1. I noticed that even though the interface confirms "Access your data anytime", when I use the code to exchange for an access token, the response doesn't contain a refresh token.

The other thing I noticed is that when I pass the scope as User.Read and exchange the code for an access token, the scope comes back as: User.Read User.ReadBasic.All. This is a bit inconsistent, but not a big issue.

Answer

It's not currently possible to remove the offline_access scope from the initial consent screen when using the v2 endpoint with an AAD account. When requesting tokens, though, the offline_access scope still needs to be explicitly requested.
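The following is an added example, not code from the question or the answer above, that works through the flow the thread describes in Python with only the standard library: build the v2.0 authorize URL with offline_access requested explicitly (so that the token endpoint actually issues a refresh token, rather than relying on the consent screen showing "Access your data anytime"), verify state on the form_post callback before the code is exchanged, and inspect the token response for a refresh token and for scope drift such as the User.ReadBasic.All the asker saw. Assumptions: the v2.0 token endpoint URL (not on the page), PKCE instead of a client secret (the page does not say which client type was registered), placeholder client id and a constructed token response; the redirect URI is the one from the question.

```python
"""Azure AD v2.0 authorization-code flow helpers (added example, not from the
original post). Endpoint and redirect URI come from the question; the client id,
PKCE use and the token response below are assumptions/constructed for the demo."""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
# Assumption: the matching v2.0 token endpoint (not shown on the page).
TOKEN_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/token"

# Reserved OpenID Connect scopes. A granted offline_access shows up as a
# refresh_token in the token response rather than in its "scope" list, so these
# are excluded from the scope-drift comparison below.
RESERVED_SCOPES = {"openid", "profile", "email", "offline_access"}


def make_pkce_pair():
    """Return (code_verifier, S256 code_challenge) for the authorize request."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(client_id, redirect_uri, scopes, state, nonce,
                        code_challenge, want_refresh_token=True):
    """Build the authorize URL. offline_access is added explicitly when a refresh
    token is wanted: the consent screen lists it either way, but the token
    endpoint only returns a refresh token if it was actually requested."""
    scopes = list(scopes)
    if want_refresh_token and "offline_access" not in scopes:
        scopes.append("offline_access")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "form_post",
        "scope": " ".join(scopes),
        "state": state,  # bound to the browser session; checked on return
        "nonce": nonce,  # echoed in the id_token when openid is granted
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_callback(form_body, expected_state):
    """Parse the form_post body delivered to redirect_uri and return the code.
    A state mismatch is rejected before the code is ever sent to the token
    endpoint, which is what defeats a forged or replayed callback."""
    fields = {k: v[0] for k, v in parse_qs(form_body, keep_blank_values=True).items()}
    if "error" in fields:
        raise RuntimeError(f"authorize error {fields['error']}: {fields.get('error_description', '')}")
    if not hmac.compare_digest(fields.get("state", ""), expected_state):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    return fields["code"]


def token_request_body(client_id, code, redirect_uri, code_verifier, scopes):
    """Form body for POST TOKEN_ENDPOINT (public client: PKCE verifier, no secret)."""
    return urlencode({
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
        "scope": " ".join(scopes),
    })


def inspect_token_response(body_json, requested_scopes):
    """Report whether a refresh token came back and how the granted resource
    scopes differ from the ones requested."""
    tok = json.loads(body_json)
    granted = set(tok.get("scope", "").split()) - RESERVED_SCOPES
    requested = set(requested_scopes) - RESERVED_SCOPES
    return {
        "has_refresh_token": bool(tok.get("refresh_token")),
        "extra_scopes": sorted(granted - requested),
        "missing_scopes": sorted(requested - granted),
    }


# Constructed token response for the demo (not a real token).
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "token_type": "Bearer",
    "scope": "User.Read User.ReadBasic.All",
    "expires_in": 3600,
    "access_token": "constructed.access.token",
    "refresh_token": "constructed.refresh.token",
})


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    redirect = "http://localhost:19974/api/v1/microsoft/oauth2/session"
    print(build_authorize_url("{client_id}", redirect, ["User.Read"], state, nonce, challenge))
    code = parse_callback(f"code=constructed-code&state={state}&session_state=x", state)
    print(token_request_body("{client_id}", code, redirect, verifier, ["User.Read", "offline_access"]))
    print(inspect_token_response(SAMPLE_TOKEN_RESPONSE, ["User.Read", "offline_access"]))
```

The practical check this gives you: if `has_refresh_token` is False even though the consent page showed "Access your data anytime", confirm that offline_access was in the `scope` parameter of the authorize request itself, which is the situation in Edit 4 above, where only User.Read was requested. The `extra_scopes` list surfaces grants such as User.ReadBasic.All that the client never asked for, which is worth logging so that a token with broader rights than expected does not go unnoticed.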
