Skype for Business在线身份验证错误-403权限被拒绝 [英] Skype For Business Online Authentication Error - 403 Permission Denied
问题描述
您好,Microsoft/Azure/Skype专家
Hello Microsoft/Azure/Skype experts,
我的任务是从macOS应用程序(本机)访问Skype for Business Online帐户中的状态数据. 不幸的是,当我访问自动发现请求时,总是遇到403错误,并且永远都没有获得到应用程序资源的链接
I'm tasked with accessing presence data from Skype For Business Online accounts from my macOS app (native). I'm unfortunately stuck and i always get a 403 error when i access the autodiscover request and never get the link to the applications resource
我一直在关注本文档 https://docs.microsoft.com/zh-cn/skype- sdk/ucwa/authenticationusingazuread
I have been following this documentation https://docs.microsoft.com/en-us/skype-sdk/ucwa/authenticationusingazuread
步骤1 我们已使用Office 365帐户凭据在Azure管理门户中注册了该应用程序.
STEP 1 We have registered the app in the Azure Management Portal using our Office 365 account credentials.
- 我们使用了自定义重定向URL( http://localhost )
- 在清单中将允许隐式流"设置为true
- 我们预先配置了Skype for business所需的权限 在线的
- We have used custome redirect URL (http://localhost)
- Allow Implicit Flow is set to true in manifest
- We pre-configure the permissions needed for Skype for business online
第2步 按照文档中的说明发出GET,以启动登录和授权检查.
STEP 2 Issuing a GET as specified in the documentation to initiate sign in and authorization check.
This returns a 200 OK.
第3步 如文档中所述,我们获得了自动发现URL. 这就是我得到的-我使用标记为红色的域.
STEP 3 We got the Auto discover URL as described in the documentation. This is what i get - i use the domain marked in RED.
第4步 根据文档,他们要求我这样做
STEP 4 As per the documentation, they ask me to do this
使用隐式授权流请求访问令牌 因此,我按照说明发出了GET
Requesting an access token using implicit grant flow So i issue a GET as described
https://login.microsoftonline.com/oauth2/authorize ? response_type = id_token& client_id = ######-4d41-485e-871f-0a22aa79e52b & redirect_uri = http://localhost & state = 8f0f4eff-360f-4c50-acf0-99cf8174a58b & resource = https://webdirin1.online.lync.com
https://login.microsoftonline.com/oauth2/authorize? response_type=id_token &client_id=######-4d41-485e-871f-0a22aa79e52b &redirect_uri=http://localhost &state=8f0f4eff-360f-4c50-acf0-99cf8174a58b &resource=https://webdirin1.online.lync.com
现在这会显示登录页面,我先登录然后抛出错误
Now this shows the sign in page, i sign in and then it throws an error
AADSTS90014%3a+The+required+field+%27nonce%27+is+missing.
我研究了此错误,但无法修复. 因此,经过大量研究并查看了此Microsoft文档LINK( https://docs.microsoft.com/zh-cn/azure/active-directory/develop/v2-permissions-and-consent#requesting-individual-user-consent ),显然还有另一种获取不记名令牌的方法.
I researched and could not fix this error. So after lots of research and looking at this Microsoft documentation LINK (https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#requesting-individual-user-consent) , apparently there is another way of getting the bearer token.
步骤4-第二尝试
然后,我通过发送Skype for Business的SCOPE参数来征求个人用户的同意. 然后,我向
I then Request individual user consent by sending the SCOPE parameter for Skype for Business. I then issue a GET request to
这将返回一个访问代码,我将在下一步中使用该访问代码来获取令牌
This returns an access code which i use in next step to get the TOKEN
第5步-获取承载令牌
将POST发布到以下URL https://login.microsoftonline.com/common/oauth2/v2.0/令牌 在POST正文中跟踪数据
Issue a POST to following URL https://login.microsoftonline.com/common/oauth2/v2.0/token With the following data in POST body
"grant_type":"authorization_code","client_id": "######-4d41-485e-871f-0a22aa79e52b",范围": " https://api.skypeforbusiness.com/User.ReadWrite ",代码": "OAQABAAIAAACEfexX ......","redirect_uri":" https://localhost "
"grant_type": "authorization_code", "client_id": "######-4d41-485e-871f-0a22aa79e52b", "scope": "https://api.skypeforbusiness.com/User.ReadWrite", "code": "OAQABAAIAAACEfexX.........", "redirect_uri": "https://localhost"
这将在以下响应JSON中返回承载令牌
This returns the bearer token in the following response JSON
{ "access_token" = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1........w4b-- gnWG_iOGtQ"; "expires_in" = 3599; "ext_expires_in" = 3599; scope = "https://api.skypeforbusiness.com/User.ReadWrite"; "token_type" = Bearer; }
STEP 6
是的!在laaast上获得了承载令牌! 现在回到主要文档 https://docs.microsoft.com/zh-cn/skype- sdk/ucwa/authenticationusingazuread
Yay! Got the bearer token at laaast! Now back to the main documentation https://docs.microsoft.com/en-us/skype-sdk/ucwa/authenticationusingazuread
执行操作的地方-'使用不记名令牌重新发送自动发现请求' 我们对
And where we do this - 'Resending an autodiscovery request with the bearer token' We execute a GET request to
https://webdirin1.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user
现在,根据文档,应该返回此JSON
Now this, as per the documentation should return this JSON
{ "_links":{ "self": {"href":"https://webdirX.online.lync.com/Autodiscover/AutodiscoverService.svc/root/user"}, "applications": {"href":"https://webpoolXY.infra.lync.com/ucwa/oauth/v1/applications"} } }
但我得到了403:PERMISSIONS拒绝的错误
<div class="content-container"><fieldset> <h2>403 - Forbidden: Access is denied.</h2> <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3> </fieldset></div>
因此,我从来没有得到应用程序的URL,并且我已经检查了清单,注册,而且我不知道为什么会出现此错误.
So thus i have never got the applications url and I have checked the manifest, registration and i have no idea, why i get this error.
任何输入将不胜感激.
Any inputs would be appreciated.
推荐答案
对于步骤4,您需要在URL中指定
nonce=somestring
.通常,这应该是仅使用一次的安全随机值.它可以包含任何值.For step 4, you need to specify
nonce=somestring
in the URL. Typically this should be a securely random value that is only used once. It can contain any value.此外,您仅请求一个ID令牌.设置
response_type=id_token+token
.Also, you are only requesting an id token. Set
response_type=id_token+token
.这篇关于Skype for Business在线身份验证错误-403权限被拒绝的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!