Calling /token endpoint does not give me an access_token


Problem description

Following the guide here: Web sign-in with OpenID Connect -> Get a token

I'm trying to make a post request to access a token,

HTTP POST: url: https://login.microsoftonline.com/[az-directory].onmicrosoft.com/oauth2/v2.0/token?p=B2C_1_SiUpIn

Post body:


client_id: [client_id for Azure Function App]

grant_type: authorization_code

scope: https://[url-to-azure-app-api-endpoint] openid offline_access

code: [code retrieved from login url]

redirect_uri: http://[redirect-uri-used-in-login]

client_secret: [secret client id in azure functions]

The response I get is:

{
   id_token:...
   token_type:...
   not_before:...
   id_token_expires_in:...
   profile_info:...
   refresh_token:....
   refresh_token_expires_in:...
}

None of the request body is an access_token despite the link saying that's what I would get.

I'm not sure how to proceed from here, is it possible I'm missing some sort of permission between my Azure AD B2C app and the Functions App it's meant to secure?

edit: upon further investigation I found the following:

The login url you use affects what the resulting code token you get can do (makes sense), I'm trying something like:

https://login.microsoftonline.com/[ad directory name].onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_B2C&client_id=[client_id]&nonce=defaultNonce&redirect_uri=http://localhost:3000&scope=https://[api uri] openid offline_access&response_type=code+id_token&prompt=login

With the resulting code if I make a post request to the token endpoint as described above I get a refresh token and an ID token.

However I also found that I don't need to send all the post parameters per the link, I get away with just passing grant_type, code and client_secret. Since the login call seems to actually control the scope of what you can access with the authorization code it returns this sort of makes sense but I'm not sure why the link above says you need to pass client_id, scope and redirect_uri.

I can use the id token from this post request as an authorization bearer token to pass into my azure functions app and I can use the refresh token to call into the refresh token endpoint to refresh the id token which I can grab from the result and continue to use in my azure functions app.

So my question becomes: Is this acceptable? Why are my findings so much different to what the link above says should be possible? Do I need an access token at all anymore?

Answer

Regarding the first part of the question:

I'm not sure how to proceed from here, is it possible I'm missing some sort of permission between my Azure AD B2C app and the Functions App it's meant to secure?

Personally I can connect to Azure AD and I can even connect to Azure B2C if I do not use a policy. But if I use a policy then I do not get the access_token.

According to the azure b2c documentation, we can use the openid connect protocol in order to connect to azure.

And in the successful token response part of the specification it says:

After receiving and validating a valid and authorized Token Request from the Client, the Authorization Server returns a successful response that includes an ID Token and an Access Token.

So I think you are not missing something, but from my point of view, since there is no access_token in the Azure B2C response, we can say that Azure B2C is not OpenID Connect compliant.

Now, I think that it should be possible to use a workaround in adding a specific scope to the "openid" scope in order to have an access_token like it's suggested by the azure documentation:

Azure documentation about AD v2.0 limitations

The OpenID Connect UserInfo endpoint is not implemented on the v2.0 endpoint. However, all user profile data that you potentially would receive at this endpoint is available from the Microsoft Graph /me endpoint.

Azure documentation about tokens

The v2.0 endpoint allows third party apps that are registered with Azure AD to issue access tokens for secured resources such as Web APIs. For more information about setting up an application to issue access tokens, please see How to register an app with the v2.0 endpoint. Upon registering the application with the v2.0 endpoint, the developer can specify levels of access, called scopes, for which access tokens may be issued. For example, the calendars.read scope defined in the Microsoft Graph API grants permission to read the user's calendar.
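The following is an added example, not code from the question, the answer, or Microsoft's documentation. It builds the authorization_code token request with the parameters the question lists (optionally adding the API's own scope, which is the workaround the answer points to), and then inspects a token response to report which tokens came back and whether any of them is actually addressed to the API, by comparing the token's aud claim with the audience the API validates. The tenant, policy, client id, secret, scope and audience values are constructed placeholders, the two sample responses are constructed to mirror the two cases on the page, and the JWT decoding deliberately skips signature verification because it only inspects what the endpoint returned.

```python
import base64
import json
from urllib.parse import urlencode

# All values below are constructed placeholders for illustration, not real credentials.
TENANT = "example-tenant.onmicrosoft.com"   # hypothetical B2C tenant
POLICY = "B2C_1_SiUpIn"                     # policy name as used in the question
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token?p={POLICY}"


def build_token_request(client_id, client_secret, code, redirect_uri, api_scope=None):
    """Form body for the authorization_code grant with the parameters the
    question lists. api_scope is the protected API's own scope; when it is
    omitted the request asks only for openid/offline_access, which is the
    case in which the response on the page carries no access_token."""
    scopes = ["openid", "offline_access"]
    if api_scope:
        scopes.insert(0, api_scope)
    return {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "scope": " ".join(scopes),
        "code": code,
        "redirect_uri": redirect_uri,
        "client_secret": client_secret,
    }


def encode_form(body):
    """application/x-www-form-urlencoded encoding of the body, as an HTTP client sends it."""
    return urlencode(body)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_jwt(claims):
    """Constructed token for the sample responses; the signature segment is a dummy."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummysig"


def jwt_claims(token):
    """Read a JWT payload WITHOUT verifying the signature. Fine for inspecting
    what the token endpoint returned; an API must still validate the signature
    against the policy's signing keys before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))


def inspect_token_response(resp, api_audience):
    """Report which tokens came back and which of them, if any, is addressed
    to the API (its 'aud' equals the audience the API validates). A token whose
    'aud' is some other value was not issued for that API."""
    result = {
        "has_access_token": "access_token" in resp,
        "has_id_token": "id_token" in resp,
        "has_refresh_token": "refresh_token" in resp,
        "token_for_api": None,
    }
    for kind in ("access_token", "id_token"):
        if kind in resp and jwt_claims(resp[kind]).get("aud") == api_audience:
            result["token_for_api"] = kind
            break
    return result


# Constructed sample responses mirroring the two cases discussed on the page.
API_AUDIENCE = "api-app-id-placeholder"       # what the Functions app expects in 'aud'
CLIENT_ID = "client-id-placeholder"

RESPONSE_WITHOUT_API_SCOPE = {                # scope = "openid offline_access" only
    "id_token": make_unsigned_jwt({"aud": CLIENT_ID, "sub": "user-1"}),
    "token_type": "Bearer",
    "refresh_token": "constructed-refresh-token",
}

RESPONSE_WITH_API_SCOPE = {                   # scope also named the API's scope
    "access_token": make_unsigned_jwt({"aud": API_AUDIENCE, "scp": "read"}),
    "id_token": make_unsigned_jwt({"aud": CLIENT_ID, "sub": "user-1"}),
    "token_type": "Bearer",
    "refresh_token": "constructed-refresh-token",
}

if __name__ == "__main__":
    body = build_token_request(CLIENT_ID, "secret-placeholder", "code-placeholder",
                               "http://localhost:3000",
                               api_scope="https://example-api/read")
    print(TOKEN_ENDPOINT)
    print(encode_form(body))
    print(inspect_token_response(RESPONSE_WITHOUT_API_SCOPE, API_AUDIENCE))
    print(inspect_token_response(RESPONSE_WITH_API_SCOPE, API_AUDIENCE))
```

Run it as a script to see the encoded request body and the two inspection results: the response without an API scope yields an id_token whose aud is the client id and no token addressed to the API, while the response with the API scope yields an access_token whose aud matches the audience the API validates. The aud comparison is the check to keep in the API itself, alongside signature and expiry validation, whichever token a client presents.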
