样本活动目录-dotnet-webapi-onbehalfof无法正常工作 [英] Sample active-directory-dotnet-webapi-onbehalfof not working

问题描述

我正在尝试以单租户模式运行active-directory-dotnet-webapi-onbehalfof示例.我已经将Web应用程序服务和本机应用程序客户端注册为租户的全局管理员.当我运行示例时，作为租户中的用户，只有在弹出同意后(我是用户第一次)，我才能在客户端中获得令牌，然后将其调用到服务，但此处失败，如下所示.这是为什么?文档说，当租户管理员注册该应用程序时，是否不需要进一步的同意?我认为当远程Webapi尝试获取OBO令牌时，无法表示同意.似乎有问题... AAD小组，请说明应如何使用OBO功能.

I am trying to run the active-directory-dotnet-webapi-onbehalfof sample in single tenant mode. I've registered the web app service and the native app client as global admin for the tenant. When I run the sample, as a user in the tenant, I can get a token in the client only after consent pops up (first-time for user), and then call makes it to the service, but there it fails with below. Why is that? Documentation says that when a tenant admin registers the application no further consent is needed? I don't think it is possible to give consent when a remote webapi tries to get OBO token. Something seems buggy... AAD team, please clarify how the OBO feature should be used.

AADSTS65001:用户或管理员不同意使用ID为'b824502e-fe8a-4770-bd98-8d65a07efcc3'的应用程序.发送对此用户和资源的交互式授权请求. 跟踪ID:ad7843d0-be4e-4098-8f7c-43c8e5505cfc 相关编号:140466a4-7250-429f-8843-dbd4f63dc60e 时间戳:2016-11-25 21:46:13Z

AADSTS65001: The user or administrator has not consented to use the application with ID 'b824502e-fe8a-4770-bd98-8d65a07efcc3'. Send an interactive authorization request for this user and resource. Trace ID: ad7843d0-be4e-4098-8f7c-43c8e5505cfc Correlation ID: 140466a4-7250-429f-8843-dbd4f63dc60e Timestamp: 2016-11-25 21:46:13Z

推荐答案

使用Azure管理门户(manage.windowsazure.com)作为租户管理员注册应用程序时，是的，只要您随后在同一租户中检索令牌.

When you register an application using the Azure Management Portal (manage.windowsazure.com) as a tenant administrator, then yes you should not get consent, as long as subsequent tokens are being retrieved in that same tenant.

因为您看到本机客户端应用程序的同意，然后收到该错误消息，所以我们必须假定未满足某些条件，这会抑制您的应用程序的同意.

Because you are seeing consent for the native client app, and then getting that error message, we must assume that something is not being satisfied which would suppress consent for your app.

要解决此问题，我的建议是仅发起一个交互式授权请求，就像错误消息所暗示的那样.您可以通过为您的应用程序生成一个登录URL来实现，并带有一个特定的查询字符串，该字符串将强制立即征得租户的广泛同意(prompt = admin_consent).

To resolve this issue, my recommendation is to simply initiate an interactive authorization request just like the error message implies. You can do this by generating a log-in url for your application, with a specific query string that will force prompt tenant wide consent (prompt=admin_consent).

这是您需要完成的URL的框架:

Here is the skeleton for the URL you need to complete:

https://login.microsoftonline.com/<TenantID>/oauth2/authorize?client_id=<AppID>&response_type=code&redirect_uri=<RedirectURI>&resource=<ResourceURI>&prompt=admin_consent

您可以对所有注册的应用程序执行此操作，并且不应该遇到同意问题(假设您确实确实以租户管理员身份登录).

You can do this for all the applications you registered, and you should not run into consent issues (assuming you are indeed signing in as a tenant admin).

我希望这可以解决您的问题.

I hope this resolves your issue.

这篇关于样本活动目录-dotnet-webapi-onbehalfof无法正常工作的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！