Cannot access OpenId UserInfo endpoint on Azure (AADSTS90010: JWT tokens cannot be used with the UserInfo endpoint)
Question
I'm trying to access the OpenId UserInfo endpoint for a user on an Office365 Azure tenant, with the following GET:
GET https://login.windows.net/common/openid/userinfo HTTP/1.1
Authorization: Bearer eyJ0eXAiOiJ(...remainder deleted for brevity...)
Host: login.windows.net
The response fails with "400 Bad Request", and a more specific error "AADSTS50063: Credential parsing failed. AADSTS90010: JWT tokens cannot be used with the UserInfo endpoint":
HTTP/1.1 400 Bad Request
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Server: Microsoft-IIS/8.5
x-ms-request-id: ef5c8a50-69b5-40f1-ac5f-9c0fc5180aa2
x-ms-gateway-service-instanceid: ESTSFE_IN_6
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
WWW-Authenticate: Bearer correlation_id="e5c613a0-0a21-40e1-9ef6-eacf77580608", error="invalid_request", error_codes="[50063, 90010]", error_description="AADSTS50063: Credential parsing failed. AADSTS90010: JWT tokens cannot be used with the UserInfo endpoint.%0d%0aTrace ID: ef5c8a50-69b5-40f1-ac5f-9c0fc5180aa2%0d%0aCorrelation ID: e5c613a0-0a21-40e1-9ef6-eacf77580608%0d%0aTimestamp: 2015-02-20 14:13:42Z", timestamp="2015-02-20 14:13:42Z", trace_id="ef5c8a50-69b5-40f1-ac5f-9c0fc5180aa2"
Set-Cookie: x-ms-gateway-slice=productionb; path=/; secure; HttpOnly
Set-Cookie: stsservicecookie=ests; path=/; secure; HttpOnly
X-Powered-By: ASP.NET
Date: Fri, 20 Feb 2015 14:13:40 GMT
Content-Length: 0
The bearer token used is a non-expired access token that works fine for other operations, such as retrieving Exchange emails.
Furthermore, when I use an identical GET to the openid userinfo endpoint at "https://www.googleapis.com/plus/v1/people/me/openIdConnect" (as part of a gmail access scenario), it works fine.
Am I doing anything wrong here? Thanks for any help!
Some additional information:
- Already tried using the id_token instead of the access_token, but this makes no difference.
- The OAuth scopes used are "profile email".
- The resource requested is "https://outlook.office365.com/".
- The client application is a native app and has enabled all delegated permissions for both "Windows Azure AD" and "Office 365 Exchange Online".
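The useful diagnostic in the 400 response above is the WWW-Authenticate challenge: the error codes and correlation ID live there, not in the empty body. The following is an added example (not code from the original post) that parses such a challenge the way a client or a log pipeline would, so that a 90010 rejection can be recognised programmatically. The header text is a constructed copy of the one quoted above.

```python
import re
from urllib.parse import unquote

# Constructed sample: the WWW-Authenticate value from the 400 response quoted
# in the question, with the stray space in correlation_id removed.
SAMPLE_CHALLENGE = (
    'Bearer correlation_id="e5c613a0-0a21-40e1-9ef6-eacf77580608", '
    'error="invalid_request", error_codes="[50063, 90010]", '
    'error_description="AADSTS50063: Credential parsing failed. '
    'AADSTS90010: JWT tokens cannot be used with the UserInfo endpoint.'
    '%0d%0aTrace ID: ef5c8a50-69b5-40f1-ac5f-9c0fc5180aa2'
    '%0d%0aCorrelation ID: e5c613a0-0a21-40e1-9ef6-eacf77580608'
    '%0d%0aTimestamp: 2015-02-20 14:13:42Z", '
    'timestamp="2015-02-20 14:13:42Z", '
    'trace_id="ef5c8a50-69b5-40f1-ac5f-9c0fc5180aa2"'
)

# auth-param = token "=" quoted-string (RFC 6750 challenge parameters)
_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(header: str) -> dict:
    """Parse a 'Bearer ...' WWW-Authenticate challenge into a dict.

    Azure AD packs the message plus Trace/Correlation IDs into error_description
    with percent-encoded CRLFs, so that field is decoded and split into lines;
    error_codes is turned from the string "[50063, 90010]" into a list of ints.
    """
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"not a Bearer challenge: {scheme!r}")
    out = dict(_PARAM.findall(params))
    if "error_codes" in out:
        out["error_codes"] = [int(c) for c in re.findall(r"\d+", out["error_codes"])]
    if "error_description" in out:
        out["error_description"] = unquote(out["error_description"]).splitlines()
    return out


def is_userinfo_jwt_rejection(challenge: dict) -> bool:
    """True when the STS rejected the call because a JWT was sent to UserInfo
    (AADSTS90010), which is the condition this thread is about."""
    return (challenge.get("error") == "invalid_request"
            and 90010 in challenge.get("error_codes", []))
```

When logging such failures, keep the correlation_id and trace_id (Microsoft support asks for them) and drop the Authorization header that triggered the response; the bearer token is a credential.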
Recommended answer
The Azure AD user info endpoint does not support the use of the regular JWT access tokens at this time. Instead, you can acquire a user info specific access token by not specifying any resource in a request to the token endpoint. You can think of the user info endpoint as a resource in its own right, which requires a special token format.
For example, in the authorization code case:
- GET request to https://login.windows.net/common/oauth2/authorize?... without a resource parameter, and acquire an authorization_code
- POST request to https://login.windows.net/common/oauth2/token using the authorization_code, also without a resource parameter. Receive an access token for the user info endpoint.
- GET request to https://login.windows.net/common/openid/userinfo passing the access token in the header as Authorization: Bearer AAAB(...rest of token...)
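The three steps above, carried through as an added example; this is not code from the answer or from Microsoft. It builds the authorize URL and token request with and without the `resource` parameter so the two cases can be compared side by side, checks the `state` value on the callback (the CSRF check an OAuth client must do and the recipe does not mention), and sends the resulting token to UserInfo as a Bearer header. `CLIENT_ID` and `REDIRECT_URI` are hypothetical registration values, and the scope string is the question's "profile email" plus `openid`, an assumption. The HTTP calls are injected; `FakeSts` is a constructed stand-in that models only what the thread shows (a token request naming a resource yields a JWT that UserInfo rejects with 50063/90010; one without a resource yields a token UserInfo accepts), so the flow runs offline. The endpoints are the login.windows.net ones the answer names, as they were in 2015.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Endpoints exactly as named in the answer.
AUTHORITY = "https://login.windows.net/common"
AUTHORIZE_URL = f"{AUTHORITY}/oauth2/authorize"
TOKEN_URL = f"{AUTHORITY}/oauth2/token"
USERINFO_URL = f"{AUTHORITY}/openid/userinfo"

# Hypothetical app registration values (assumptions, not from the post).
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "http://localhost:8080/callback"


def build_authorize_url(state, resource=None):
    """Step 1: the URL the user agent is sent to. Leave resource=None to omit the
    `resource` parameter; `state` is a fresh random value checked on return."""
    params = {"client_id": CLIENT_ID, "response_type": "code",
              "redirect_uri": REDIRECT_URI, "scope": "openid profile email",
              "state": state}
    if resource is not None:
        params["resource"] = resource
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def code_from_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect back to us. Refusing a
    wrong or missing `state` is the CSRF check: without it an attacker can
    splice their own code into the victim's session."""
    q = parse_qs(urlsplit(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch on callback; refusing to redeem the code")
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    return q["code"][0]


def build_token_request(code, resource=None):
    """Step 2: form body for the POST to the token endpoint, again without
    `resource` so the STS issues a UserInfo token rather than a resource JWT."""
    body = {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "code": code, "redirect_uri": REDIRECT_URI}
    if resource is not None:
        body["resource"] = resource
    return body


def userinfo_request(access_token):
    """Step 3: the GET to UserInfo carries the token as a Bearer header."""
    return USERINFO_URL, {"Authorization": f"Bearer {access_token}"}


def run_flow(http_post, http_get, callback_url, expected_state, resource=None):
    """Glue the steps together; http_post/http_get are injected so the same
    code can talk to a real STS or to the fake below."""
    code = code_from_callback(callback_url, expected_state)
    token_response = http_post(TOKEN_URL, build_token_request(code, resource))
    url, headers = userinfo_request(token_response["access_token"])
    return http_get(url, headers)


class FakeSts:
    """Constructed stand-in for the STS (offline only). It models just the two
    behaviours this thread documents: a resource-scoped request yields a JWT
    ("eyJ...") that UserInfo rejects with 50063/90010, and a request without
    `resource` yields a token ("AAAB...") that UserInfo accepts."""

    def post(self, url, body):
        assert url == TOKEN_URL and body["grant_type"] == "authorization_code"
        if "resource" in body:
            return {"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.fake.jwt"}
        return {"access_token": "AAABfakeUserInfoToken"}

    def get(self, url, headers):
        assert url == USERINFO_URL
        token = headers["Authorization"].removeprefix("Bearer ")
        if token.startswith("eyJ"):
            return {"status": 400, "error": "invalid_request",
                    "error_codes": [50063, 90010]}
        return {"status": 200, "sub": "constructed-subject", "name": "Constructed User"}


def demo(resource=None):
    """Run the exchange against FakeSts and return the UserInfo response.
    demo() follows the answer's recipe; demo("https://outlook.office365.com/")
    reproduces the question's Exchange-scoped request and its rejection."""
    sts = FakeSts()
    state = secrets.token_urlsafe(16)
    build_authorize_url(state, resource)  # in a real client this is opened in a browser
    callback = f"{REDIRECT_URI}?{urlencode({'code': 'constructed-code', 'state': state})}"
    return run_flow(sts.post, sts.get, callback, state, resource)
```

The only difference between the working and failing runs is the presence of `resource` in steps 1 and 2, which is the whole point of the answer: the token is bound to the audience it was requested for, and a token minted for https://outlook.office365.com/ is not a token for UserInfo.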