向现有授权添加其他Windows Azure AD委托权限 [英] Adding an additional Windows Azure AD delegated permission to an existing grant
问题描述
我有一个正在生产的Windows Azure AD应用程序,该应用程序通过OAuth2对用户进行身份验证.当前,它仅请求一个委派权限-启用登录并读取用户的个人资料".我正在向我们的应用程序添加一个新功能,该功能将使用Office 365 API,这显然需要由该应用程序请求其他委派权限.
I've got an in-production Windows Azure AD App which authenticates users via OAuth2. Currently, it requests only one delegated permission - "Enable sign on and read users' profiles". I'm adding a new feature to our application which will make use of the Office 365 API(s), and this obviously requires additional delegated permissions to be requested by the App.
我已经更新了我们的App清单,并且同意我们的App的新用户同时授予了登录和Office 365委派的权限,并且令牌终结点响应scope参数为UserProfile.Read Mail.Read.但是,对于仅在其请求登录委派权限时同意我们的应用程序的现有用户,Windows Azure AD不会提示他们下次登录时授予其他Office 365委派权限.令牌端点响应scope参数仍然以UserProfile.Read的形式通过,即仅登录委托权限.
I've updated our App manifest, and new users who give consent to our App grant both the sign-in and the Office 365 delegated permissions, and the token endpoint response scope param is UserProfile.Read Mail.Read as expected. However, for existing users who gave consent to our App when it only requested the sign-in delegated permission, Windows Azure AD doesn't prompt them to grant the additional Office 365 delegated permission the next time they log in. For these users, the token endpoint response scope param still comes through as UserProfile.Read, i.e. the sign-in delegated permission only.
我知道我可以将?prompt=consent传递给https://login.microsoftonline.com/common/oauth2/authorize,这将迫使用户授予所有请求的委派权限,但这有点大刀阔斧的做法,因为它每次都会询问所有人我想做的所有事情是在请求的和授予的委派权限之间存在差异的情况下捕获这些用户的.在我要维护的SSO体验中,它不能很好地发挥作用.
I know I can pass ?prompt=consent to https://login.microsoftonline.com/common/oauth2/authorize which will force a user to grant all requested delegated permissions, but that's a bit of a sledgehammer approach because it would ask everyone, every time, when all I want to do is catch these users where there's a difference between requested and granted delegated permissions. It wouldn't play well in the SSO experience I'm trying to maintain.
使用Google OAuth,范围将作为授权请求中的查询参数传递,并提示用户授予对所有尚未授予的请求范围的同意.对于将是所有作用域的新用户,对于将是新添加的作用域的现有用户,此后不需要额外的同意,因为届时将授予所有作用域-这正是我要使用Windows Azure达到的目标广告.
With Google OAuth, scopes are passed as query params in the authorisation request, and the user is prompted to grant consent for any scopes requested that haven't already been granted. For new users that would be all scopes, for existing users that would be the newly added scopes, and after that no additional consent would be required because all scopes would then have been granted - that's exactly what I'm trying to achieve with Windows Azure AD.
是否可以通过某种方式强制将应用清单中配置的委派权限强制执行,即在未授予这些委派权限的情况下登录才能完成?
Is there some way enforce the delegated permissions configured in the App manifest as mandatory, i.e. sign-in will not complete without these delegated permissions having been granted?
推荐答案
Azure人员正在努力在每个请求中实现传递范围.同时,他们提供的指导是您不要在每个请求中都包含prompt=consent.相反,如果您收到未经授权的错误,则可以使用prompt=consent重新请求.
The Azure folks are working on implementing passing scopes in each request. In the meantime, the guidance they've given is that you do not include prompt=consent with every request. Instead, if you get an Unauthorized error, then you fall back on re-requesting with prompt=consent.
这篇关于向现有授权添加其他Windows Azure AD委托权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
