访问令牌不包括通过MSAL对API的访问 [英] Access Token do not include access for API with MSAL

问题描述

我在React App中使用 MSAL for JavaScript 针对Azure AD进行身份验证.我能够成功验证用户身份，并获得ID令牌和访问令牌.但是，检索到的访问令牌无法访问使用Azure AD保护的API.

I am using MSAL for JavaScript in a react app to authenticate against Azure AD. I am able to successfully authenticate user and get id token and access token. But the retrieved access token cannot access the API that is secured with Azure AD.

所有内容都在Azure AD端找到，因为我可以使用检索到的访问令牌通过dotnet核心Web应用程序与API通讯.

Everything is configured find on Azure AD side as I can use the retrieved access token to talk to the API using a dotnet core web app.

dotnet核心应用程序与react应用程序之间的区别是资源"属性.我不确定如何在MSAL的请求中包括它.

The difference between dotnet core app and react app is the "resource" attribute. I am not sure how to include that in the request with MSAL.

我的React代码:

userAgentApplication = new UserAgentApplication(
    "<clientid>",
    "<azureAdUrl>",
    this.authCallback,
    { redirectUri: "http://localhost:3000/", cacheLocation: "localStorage" }
  );

  authCallback(errorDesc, token, error, tokenType) {
    if (token) console.log(token);
  }


login() {
    this.userAgentApplication.loginRedirect().then(function(idToken) {

      this.userAgentApplication.acquireTokenSilent().then(
        function(accessToken) {
          console.log('Access Token: ' + accessToken);
        }
      );
    });
  }

对于一个dotnet核心应用程序，我使用的配置与在Azure AD应用程序中配置的两个URL相同，并且增加了一个.

With a dotnet core app, I am using same configurations as both URL's configured in Azure AD app with one addition.

.AddOpenIdConnect(o =>
                {
                    ....
                    o.Resource = "GUID of the API";
                });

我没有通过MSAL发送此资源参数.不确定如何发送，如果那是问题所在.

I am not sending this resource parameter with MSAL.Not sure how to send that and if that is that is the problem.

感谢您的帮助.

推荐答案

MSAL使用作用域的概念，而不是资源. 我对您的问题的印象是，这是一个v1 Web API(已在 Azure门户网站中的应用程序注册刀片中注册. ? 如果是这种情况，则您的资源范围可能是o.Resource +"/user_impersonation"

MSAL uses the notion of scopes, not resources. My impression reading your question is that this is a v1 Web API (registered with the App registration blade in the Azure portal ? if that's the case the scope for your resource is probably o.Resource+"/user_impersonation"

如果它是v2.0 API(已在 apps.dev.microsoft.com 中注册)或Azure门户但已注册新应用程序(预览)，然后在注册时提供范围

if it's a v2.0 API (registered with apps.dev.microsoft.com) or the Azure portal but with the New Application registration (Preview), then the scope is provided at registration

对于ASP.NET Core应用程序，您可能希望查看以下示例:

For an ASP.NET Core application you might want to have a look at the following sample: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2, and probably this branch aspnetcore2-2-signInAndCallGraph

这篇关于访问令牌不包括通过MSAL对API的访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！