用于Azure AD v2登录的JavaScript OAuth2流未提供access_token [英] JavaScript OAuth2 flow for Azure AD v2 login does not give an access_token
问题描述
我正在使用 bell 和 office365提供程序正常工作,但似乎
I'm using bell and hapijs and trying to get the office365 provider to work, but it seems like the https://login.microsoftonline.com/common/oauth2/v2.0/token endpoint isn't giving me the access_token
required for getting profile information.
这是我看到的OAuth 2.0流程:
This is the OAuth 2.0 flow I'm seeing:
首先,它重定向到
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
?client_id=[client-id]
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%3A5430%2Fapi%2Fv1%2Flogin%2Fazure-ad
&state=[state]
&scope=openid%20offline_access%20profile
从Microsoft登录成功登录后,它将重定向到服务器,并且响铃对 https://login.microsoftonline.com/common/oauth2/v2.0/token 带有有效载荷
After a successful sign in from the Microsoft login, it redirects to the server and bell does a POST to https://login.microsoftonline.com/common/oauth2/v2.0/token with payload
{
payload: 'grant_type=authorization_code&code=[code]&redirect_uri=http%3A%2F%2Flocalhost%3A5430%2Fapi%2Fv1%2Flogin%2Fazure-ad&client_id=[client-id]&client_secret=[client-secret]',
headers: {
'Content-Type': 'application/x-www-form-urlencoded'
}
}
这反过来给了我以下答复
This in turn gives me the following response
{
"refresh_token": "MCTrMmd...",
"id_token": "eyJ0eXAiOiJKV..."
}
从 OAuth 2.0授权代码流文档,看来我应该得到更多类似的东西
From the OAuth 2.0 Authorization Code Flow documentation, it seems like I should be getting something more like
{
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...",
"token_type": "Bearer",
"expires_in": 3599,
"scope": "https%3A%2F%2Fgraph.microsoft.com%2Fmail.read",
"refresh_token": "AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMxZGUTdM0t4B4...",
"id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdWQiOiIyZDRkMTFhMi1mODE0LTQ2YTctOD...",
}
具体地说,我需要一个access_token
,因为以下配置文件会收到请求( oauth.js#L270 )需要它
Specifically, I need an access_token
, because the following profile get request (oauth.js#L270) requires it for
Authorization: 'Bearer ' + payload.access_token
即使在>调用/token端点都不给出我是一个access_token ,似乎/token
请求在响应中获得了更多字段.
Even in Calling /token endpoint does not give me an access_token, it seems like the /token
request gets more fields in the response.
请求中是否缺少某些内容?
Is there something I'm missing in the request?
推荐答案
范围openid
,email
,profile
和offline_access
似乎未返回access_token
.
The scopes openid
, email
, profile
, and offline_access
don't seem to return an access_token
.
添加User.Read
范围确实提供了access_token
.
贝尔,您将需要以下内容:
For bell, you would need something like:
server.auth.strategy('office365', 'bell', {
provider: 'office365',
scope: [
'User.Read'
],
password: 'something',
clientId: 'clientId',
clientSecret: 'clientSecret',
});
尽管如此,端点仍然存在如何获取Azure AD OAuth登录的登录用户配置文件?
Although, there are still issues with the endpoint that bell's office365 provider has, documented here: How do I get the logged in users profile for Azure AD OAuth logins?
通过 https://stackoverflow.com/a/49424859/111884 中的调查得出了这一点.
Figured this out from the investigation in https://stackoverflow.com/a/49424859/111884.
这篇关于用于Azure AD v2登录的JavaScript OAuth2流未提供access_token的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!