为什么带有ClientCredential的AcquireToken会因invalid_client(ACS50012)而失败? [英] Why does AcquireToken with ClientCredential fail with invalid_client (ACS50012)?
问题描述
为什么我的Azure AD应用程序不允许oauth client_credentials授予?
我想使用Azure Graph API,但首先我需要一个oauth令牌。为了获得令牌,我试图使用Microsoft.IdentityModel.Clients.ActiveDirectory aka ADAL版本1.0.3(来自NuGet)。
我正在使用带有ClientCredential对象的AuthenticationContext.AcquireToken。 (我无法使用提示用户登录的重载,因为我正在编写服务而不是应用程序。)
我将Azure AD Web应用程序配置为在各种教程/示例(例如 ADAL-服务器到服务器身份验证)。
我的代码如下:
AuthenticationContext ac = new AuthenticationContext( https://login.windows.net/thommmondago.onmicrosoft.com);
ClientCredential cc = new ClientCredential( 41151135-61b8-40f4-aff7-8627e9eaf853,clientSecretKey);
AuthenticationResult结果= ac.AcquireToken( https://graph.windows.net,cc);
AcquireToken 行引发异常:
sts_token_request_failed:对安全令牌服务的令牌请求失败。检查InnerException了解更多详细信息
内部异常是WebException,收到的响应看起来像是oauth错误:
{ error: invalid_client,
error_description: ACS50012:验证失败。
error_codes:[50012],
timestamp: 2014-03-17 12:26:19Z,
trace_id: a4ee6702-e07b-40f7-8248- 589e49e96a8d,
correlation_id: b304af2e-2748-4067-99d0-2d7e55b121cd}
绕过ADAL并在oauth端点上使用curl也会产生相同的错误。
如果我使用发现的此处:
AuthenticationContext ac = new AuthenticationContext( https://login.windows.net/graphDir1.onmicrosoft.com) ;
ClientCredential cc = new ClientCredential( b3b1fc59-84b8-4400-a715-ea8a7e40f4fe, FStnXT1QON84B5o38aEmFdlNhEnYtzJ91Gg / JH / Jxiw =);
AuthenticationResult结果= ac.AcquireToken( https://graph.windows.net,cc);
所以我的代码不是错误。我认为这是我的Azure AD错误,或者ClientCredential参数错误。
是Windows Azure中的错误,我的代码或配置没有任何问题。
在Microsoft修复了Azure中的问题之后,我不得不创建一个新应用程序并启动
< blockquote>
我们在昨天结束的几天时间范围内创建的应用程序出现了一些错误。我们正在继续修复这些应用程序,但完成该操作时我的评价还不高。我为此感到抱歉。
您能尝试创建一个新的应用程序并使用新的客户端ID重新命名该操作吗?
谢谢
Why won't my Azure AD application allow an oauth client_credentials grant?
I want to use the Azure Graph API, but first I need an oauth token. To get the token, I am trying to use Microsoft.IdentityModel.Clients.ActiveDirectory aka ADAL version 1.0.3 (from NuGet).
I'm using the overload of AuthenticationContext.AcquireToken that takes a ClientCredential object. (I can't use the overload that prompts the user to login because I'm writing a service, not an app.)
I configured my Azure AD web application as described in various tutorials/samples (e.g. ADAL - Server to Server Authentication).
My code looks like:
AuthenticationContext ac = new AuthenticationContext("https://login.windows.net/thommmondago.onmicrosoft.com");
ClientCredential cc = new ClientCredential("41151135-61b8-40f4-aff7-8627e9eaf853", clientSecretKey);
AuthenticationResult result = ac.AcquireToken("https://graph.windows.net", cc);
The AcquireToken line throws an exception:
sts_token_request_failed: Token request to security token service failed. Check InnerException for more details
The inner exception is a WebException, and the response received looks like an oauth error:
{ "error":"invalid_client",
"error_description":"ACS50012: Authentication failed."
"error_codes":[50012],
"timestamp":"2014-03-17 12:26:19Z",
"trace_id":"a4ee6702-e07b-40f7-8248-589e49e96a8d",
"correlation_id":"b304af2e-2748-4067-99d0-2d7e55b121cd" }
Bypassing ADAL and using curl with the oauth endpoint also gives the same error.
My code works if I use the details of the Azure application that I found here:
AuthenticationContext ac = new AuthenticationContext("https://login.windows.net/graphDir1.onmicrosoft.com");
ClientCredential cc = new ClientCredential("b3b1fc59-84b8-4400-a715-ea8a7e40f4fe", "FStnXT1QON84B5o38aEmFdlNhEnYtzJ91Gg/JH/Jxiw=");
AuthenticationResult result = ac.AcquireToken("https://graph.windows.net", cc);
So it's not an error with my code. I think it's either an error with my Azure AD, or I've got the ClientCredential parameters wrong.
This turned out to be an error in Windows Azure, there was nothing wrong with my code or config.
After Microsoft fixed the problem in Azure, I had to create a new application and it started working.
Hi,We are seeing some errors with applications created in a several day time range, ending yesterday. We are continuing to fix up these applications but I don't have a good eta when this will be done. I'm apologize for the impact here.
Can you try creating a new application and retying the operation with the new client id?
thanks
这篇关于为什么带有ClientCredential的AcquireToken会因invalid_client(ACS50012)而失败?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
