用于Azure AD v2登录的JavaScript OAuth2流未提供access_token [英] JavaScript OAuth2 flow for Azure AD v2 login does not give an access_token

问题描述

我正在使用 bell 和 office365提供程序正常工作，但似乎

I'm using bell and hapijs and trying to get the office365 provider to work, but it seems like the https://login.microsoftonline.com/common/oauth2/v2.0/token endpoint isn't giving me the access_token required for getting profile information.

这是我看到的OAuth 2.0流程:

This is the OAuth 2.0 flow I'm seeing:

首先，它重定向到

https://login.microsoftonline.com/common/oauth2/v2.0/authorize
?client_id=[client-id]
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%3A5430%2Fapi%2Fv1%2Flogin%2Fazure-ad
&state=[state]
&scope=openid%20offline_access%20profile

在 oauth.js#L197

从Microsoft登录成功登录后，它将重定向到服务器，并且响铃对 https://login.microsoftonline.com/common/oauth2/v2.0/token 带有有效载荷

After a successful sign in from the Microsoft login, it redirects to the server and bell does a POST to https://login.microsoftonline.com/common/oauth2/v2.0/token with payload

{
  payload: 'grant_type=authorization_code&code=[code]&redirect_uri=http%3A%2F%2Flocalhost%3A5430%2Fapi%2Fv1%2Flogin%2Fazure-ad&client_id=[client-id]&client_secret=[client-secret]',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded'
  }
}

在 oauth.js#L242

这反过来给了我以下答复

This in turn gives me the following response

{
  "refresh_token": "MCTrMmd...",
  "id_token": "eyJ0eXAiOiJKV..."
}

从 OAuth 2.0授权代码流文档，看来我应该得到更多类似的东西

From the OAuth 2.0 Authorization Code Flow documentation, it seems like I should be getting something more like

{
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...",
    "token_type": "Bearer",
    "expires_in": 3599,
    "scope": "https%3A%2F%2Fgraph.microsoft.com%2Fmail.read",
    "refresh_token": "AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMxZGUTdM0t4B4...",
    "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdWQiOiIyZDRkMTFhMi1mODE0LTQ2YTctOD...",
}

具体地说，我需要一个access_token，因为以下配置文件会收到请求( oauth.js#L270 )需要它

Specifically, I need an access_token, because the following profile get request (oauth.js#L270) requires it for

Authorization: 'Bearer ' + payload.access_token

即使在>调用/token端点都不给出我是一个access_token ，似乎/token请求在响应中获得了更多字段.

Even in Calling /token endpoint does not give me an access_token, it seems like the /token request gets more fields in the response.

请求中是否缺少某些内容?

Is there something I'm missing in the request?

推荐答案

范围openid，email，profile和offline_access似乎未返回access_token.

The scopes openid, email, profile, and offline_access don't seem to return an access_token.

添加User.Read范围确实提供了access_token.

贝尔，您将需要以下内容:

For bell, you would need something like:

server.auth.strategy('office365', 'bell', {
    provider: 'office365',
    scope: [
        'User.Read'
    ],
    password: 'something',
    clientId: 'clientId',
    clientSecret: 'clientSecret',
});

尽管如此，端点仍然存在如何获取Azure AD OAuth登录的登录用户配置文件?

Although, there are still issues with the endpoint that bell's office365 provider has, documented here: How do I get the logged in users profile for Azure AD OAuth logins?

通过 https://stackoverflow.com/a/49424859/111884 中的调查得出了这一点.

Figured this out from the investigation in https://stackoverflow.com/a/49424859/111884.

这篇关于用于Azure AD v2登录的JavaScript OAuth2流未提供access_token的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！