Azure AD returns Authentication_ExpiredToken on valid access token


Problem description

I'm getting "Your access token has expired. Please renew it before submitting the request." when I call the https://graph.windows.net/myorganization/oauth2PermissionGrants?api-version=1.5 endpoint.

To prevent any stupid questions - Yes, I know that using Microsoft Graph is recommended instead of Azure AD Graph. I'm aware of it and I'm using it. But for my current case I need to request exactly Azure AD Graph.

Test case:


  1. 我已成功登录 https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=。 ... 并在响应中获取代码

  2. 我成功交换了代码并在 https://login.microsoftonline.com/common/oauth2/v2.0/token上获得 access_token

  3. 我成功地向任何 Microsoft Graph 端点(即 https)发出了请求://graph.microsoft.com/education/me/classes )。

  4. 我叫 https://graph.windows。 net / myorganization / oauth2PermissionGrants?api-version = 1.5

  5. 我收到错误 Authentication_ExpiredToken 您的访问令牌已过期。

  6. 我已成功向任何 Microsoft Graph 端点进行了请求,因此 access_token 是有效的。

  1. I successfully login on https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=.... and get code in the response.
  2. I successfully exchange code and get access_token on https://login.microsoftonline.com/common/oauth2/v2.0/token.
  3. I successfully make requests to any Microsoft Graph endpoint (ie https://graph.microsoft.com/education/me/classes).
  4. I call https://graph.windows.net/myorganization/oauth2PermissionGrants?api-version=1.5.
  5. I get the error Authentication_ExpiredToken Your access token has expired. Please renew it before submitting the request.
  6. I successfully make requests to any Microsoft Graph endpoint, so the access_token is valid.

Based on this article: https://docs.microsoft.com/azure/active-directory/develop/active-directory-appmodel-v2-overview, I can use this access token to access both Microsoft Graph API as well as Azure AD Graph API.

So, I'm using v2.0 which should work for those: https://docs.microsoft.com/azure/active-directory/develop/active-directory-protocols-oauth-code.

What am I doing wrong?

Thanks!

Recommended answer

A token used to call the Microsoft Graph cannot be used to call the Azure AD Graph API.

When you look at the access token from Azure AD, there is a parameter called aud which stands for "audience". This property tells the API receiving the token the valid audience for that token.

If I own an API, "WebAPI1", and I get a token where the audience is something else, like "WebAPI2", I should reject that token, and not give the client access to my APIs. The reasons for this behavior should be obvious, but it causes major security issues if this check does not occur.

The aud value for the Microsoft Graph is https://graph.microsoft.com/ while the aud for Azure AD Graph API is https://graph.windows.net/.

When requesting an access token, you need to specify which specific resource you want a token for using the scopes parameter. This and more information can be found here.

The solution here is to get a different access token for the different API, and your issues should be resolved.

Let me know if this helps!
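The audience check the answer describes, as an added illustration that is not code from the original post: it reads the aud claim from two constructed, unsigned demo tokens and shows that a token minted for https://graph.microsoft.com/ is rejected by a resource expecting https://graph.windows.net/. The demo-token builder, the placeholder issuer and the `.default` scope form are assumptions of this example; a real API validates the signature, issuer and expiry before it trusts any claim read this way.

```python
import base64
import json
import time

# Constructed demo tokens shaped like compact JWTs (header.payload.signature)
# with a placeholder signature. Real Azure AD tokens are signed; verify the
# signature, issuer and expiry before trusting any claim decoded here.

MS_GRAPH_AUD = "https://graph.microsoft.com/"   # aud the answer gives for Microsoft Graph
AAD_GRAPH_AUD = "https://graph.windows.net/"    # aud the answer gives for Azure AD Graph


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_token(aud: str, ttl: int = 3600) -> str:
    """Build an unsigned demo token carrying the given aud (constructed data)."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": aud,
               "iss": "https://login.microsoftonline.com/<tenant-id>/v2.0",  # placeholder
               "exp": int(time.time()) + ttl}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), "demo-signature"])


def decode_claims(token: str) -> dict:
    """Return the payload claims; restores base64url padding before decoding."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_accepted(token: str, expected_aud: str) -> bool:
    """The check the answer describes: WebAPI1 must reject a token issued for WebAPI2.

    aud may be a single string or a list; only an exact match with the API's own
    identifier is accepted, anything else is rejected.
    """
    aud = decode_claims(token).get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    return expected_aud in audiences


def scope_for(resource: str) -> str:
    """v2.0 scope that asks for a token whose aud is `resource` (the .default form)."""
    return resource.rstrip("/") + "/.default"


if __name__ == "__main__":
    token = make_demo_token(MS_GRAPH_AUD)   # the kind of token the question holds
    print("Microsoft Graph accepts it:", audience_accepted(token, MS_GRAPH_AUD))  # True
    print("Azure AD Graph accepts it:", audience_accepted(token, AAD_GRAPH_AUD))  # False
    print("Scope to request for Azure AD Graph:", scope_for(AAD_GRAPH_AUD))
```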
