AADSTS50020: We are unable to issue tokens from this api version for a Microsoft account

Views: 1273

Problem description



I'm writing a simple C# mobile application which I've registered at https://apps.dev.microsoft.com/ to access live.com/outlook.com mailboxes (not outlook 365 mbx). I'm using ADAL for authenticating using the client id and redirect URI from the registration. I'm not sure if I should be generating a password from the registration site and how I should be using the generated password. What I'm experiencing is that I get the usual prompt to authenticate, I provide my credentials, I see a token being returned (RequestSecurityTokenResponse) with my data (firstname, lastname, etc.) meaning that the authentication process was successful and yet the authentication process ends with error "AADSTS50020: We are unable to issue tokens from this api version for a Microsoft account. Please contact the application vendor as they need to use version 2.0 of the protocol to support this."

I'm not sure how to interpret the error: is it saying I'm not using v2.0 of the protocol, or is it saying I'm not calling v2.0 of their authentication endpoint?

The difficulty I'm facing is that Microsoft has changed protocols and interfaces so many times, and has mixed up live.com/outlook.com and azure/office365, that in the end I don't know what I should be providing as the authority URL and the resource URI to access live.com/outlook.com mailboxes.

What I noticed is that, apart from the authentication UI, I'm not getting the UI where I should be authorizing the application to act on my behalf.

Below is the outgoing request with the SMTP address obfuscated.

https://login.live.com/ppsecure/post.srf?wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%3drQIIARWPsU7CQABAubaQghqRaIIbAy6aa3uFttwlDmog0gEGXSQu19JCY8thbcU4ObjLBzg5OpjoYAyf4MRiYtg00RhmTRzF5SVvey8zV5JQScISQqqeA2idRxIiRYoMS8cUQ8VANixj14HUxSp0DAuXKmXVsh0tzGWyaDi_ix-FndGH_zZprV09ATAG4AuACw5MuMXmVhx11X-w0Dt3plzSZx2vd8sXu1HUPyGyzOLIZ-xIYq7r2Y5ks0AOqOdLoUPbD3xq5gHrjfiihjVLN7QStPU2hmWDupAirQJtza5gRbeo5rZfeTAWwFRYEfnsQj5d-BQVnohiKsvlE4XErwBukrPk7aX3-7vD5eblwc_1y_d-4jkp980qik_7x11crwaBKesmrQ-qhhm2VKaE-2Fto7XXsNBZo9bZRAQNU2CUXo3DHvGcyCWDDmF0tkhUSSGMWX81&wfresh=0&id=&pcexp=false&username=xyz%40hotmail.com&popupui=1&contextid=70F2DEC5506FD639&bk=1491815919&uaid=480c9031b6394304bae56ce1da5a258f&pid=0

Here is the code I've used:

// ADAL (Microsoft.IdentityModel.Clients.ActiveDirectory); clientId and redirectUri come from the app registration
using System;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// the v2.0 authorize URL is passed to ADAL as the authority
string authority = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";

PlatformParameters authParms = new PlatformParameters(PromptBehavior.Always, null);

AuthenticationContext authContext = new AuthenticationContext(authority, TokenCache.DefaultShared);

// resource-style (v1.0 protocol) request; this is the call that ends with AADSTS50020 for an MSA account
AuthenticationResult result = await authContext.AcquireTokenAsync(
    "https://outlook.office.com/mail.read",
    clientId,
    new Uri(redirectUri),
    authParms);

Solution

There are three things here:

  1. Applications created with the https://apps.dev.microsoft.com web site target the AAD v2.0 endpoint, not the v1.0 endpoint (those are different versions of the protocol).

  2. The V2.0 endpoint is not supported by ADAL. It is supported by MSAL. However, the development of MSAL is in progress, so I don't think that you can quite use it yet (you should be able to, in a few weeks, and even then I don't think it will be GA).

  3. Authenticating with MSA accounts directly is supported from the V2.0 endpoint and therefore MSAL, not with ADAL. ADAL only supports ADFS and AAD.

I understand that you want to authenticate with MSA accounts (live), and therefore you need to use MSA. I would advise you wait a bit, if you can.

Note: This is a bit subtle, but you can also have AAD guest accounts which are MSA accounts in an Azure Active Directory (you create a user with an existing email address, which could be an MSA). That is supported by the V1.0 endpoint - and therefore ADAL - but you have to create users with these email addresses in the AAD tenant, which is probably not what you want. And also there are flows where MSAs won't work (for instance when a user authenticates to use a web service which itself uses a web service: the on-behalf-of flow), so I would not recommend this option.
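The same token acquisition written against the v2.0 endpoint, as an added example that is not code from the question or the answer. It assumes MSAL.NET (Microsoft.Identity.Client, 4.x, which became generally available after this answer was written), a desktop host for the interactive flow, and that clientId and redirectUri come from the app registration as in the question.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class MsaSignIn
{
    // Acquires a Mail.Read token for a personal (MSA) or work account via the v2.0 endpoint.
    public static async Task<AuthenticationResult> AcquireMailReadTokenAsync(
        string clientId, string redirectUri)
    {
        // Authority is "common" with an audience that includes personal Microsoft accounts.
        // MSAL appends /oauth2/v2.0/authorize itself; the full authorize URL the question
        // passed to ADAL must not be used as an authority here.
        IPublicClientApplication app = PublicClientApplicationBuilder
            .Create(clientId)
            .WithAuthority(AzureCloudInstance.AzurePublic,
                           AadAuthorityAudience.AzureAdAndPersonalMicrosoftAccount)
            .WithRedirectUri(redirectUri)
            .Build();

        // v2.0 is scope-based rather than resource-based: the resource URI from the
        // question becomes a scope, and the consent UI lists exactly this permission.
        string[] scopes = { "https://outlook.office.com/Mail.Read" };

        try
        {
            return await app.AcquireTokenInteractive(scopes).ExecuteAsync();
        }
        catch (MsalServiceException ex)
        {
            // AADSTS error codes from the token service surface here; log them
            // rather than the token itself.
            Console.Error.WriteLine($"STS rejected the request: {ex.ErrorCode}: {ex.Message}");
            throw;
        }
    }

    public static async Task Main(string[] args)
    {
        // Placeholder values; replace with the registration's client id and redirect URI.
        AuthenticationResult result = await AcquireMailReadTokenAsync(
            "<client-id-from-registration>", "<redirect-uri-from-registration>");
        Console.WriteLine($"Signed in as {result.Account.Username}, token expires {result.ExpiresOn:u}");
    }
}
```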
