Azure AD OAuth token refresh gives error AADSTS50000
Problem description
After successfully authenticating, I want to refresh my authorization token, so I issue the following request:
```shell
curl -X POST \
  https://login.microsoftonline.com/<my-tenant>/oauth2/v2.0/token \
  -H 'Cache-Control: no-cache' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode grant_type=refresh_token \
  --data-urlencode refresh_token=<my-refresh-token> \
  --data-urlencode client_id=<my-client-id> \
  --data-urlencode client_secret=<my-client-secret>
```
However, instead of returning with a new token, I get the following response:
```json
{
  "error": "server_error",
  "error_description": "AADSTS50000: There was an error issuing a token.\r\nTrace ID: bb72ee21-7df2-4949-8375-e6d97b621300\r\nCorrelation ID: 719ea759-622b-4d63-be17-56fd6c255195\r\nTimestamp: 2018-06-15 09:07:13Z",
  "error_codes": [
    50000
  ],
  "timestamp": "2018-06-15 09:07:13Z",
  "trace_id": "bb72ee21-7df2-4949-8375-e6d97b621300",
  "correlation_id": "719ea759-622b-4d63-be17-56fd6c255195"
}
```
The tenant, client id and client secret are all the same as those used when obtaining the refresh token. Yet, something is apparently missing or incorrect - but what?
Recommended answer
You are missing the required scope parameter. You also need to provide a redirect_uri, although you just make a POST request. And the redirect_uri must match the redirect_uri used in the original authorization call.

When refreshing an access token you have to provide a scope for which you would like to get the token. Also make sure that you understand you can only refresh the access_token, not the id_token. And access_token always has a purpose (scope).

Everything is described in the documentation.
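To make the answer's two points concrete, here is an added example (not code from the question, the answer, or Microsoft): a small Python module that builds the refresh-token request with every parameter the answer names, encodes the body as application/x-www-form-urlencoded so that it actually matches the Content-Type header (curl's `-F` in the question would have sent a multipart/form-data body under a urlencoded header), and pulls the AADSTS code, Trace ID and Correlation ID out of an error body like the one in the question, since those IDs are what you need when raising the failure with Microsoft support. The tenant, client, secret and redirect values are constructed placeholders; the sample error body is the response quoted in the question.

```python
"""Build a well-formed Azure AD v2.0 refresh_token request and triage the
AADSTS error body it may return.  Added example; the endpoint path is the
one from the question, all parameter values are constructed placeholders."""
import json
import re
from urllib.parse import urlencode

# Parameters the answer says the refresh request needs besides grant_type.
REQUIRED = ("client_id", "client_secret", "refresh_token", "scope", "redirect_uri")


def missing_params(params):
    """Return the names of required parameters that are absent or empty."""
    return [name for name in REQUIRED if not params.get(name)]


def build_refresh_request(tenant, **params):
    """Return (url, headers, body) for the refresh_token grant.

    The body is application/x-www-form-urlencoded, so it agrees with the
    Content-Type header; urlencode also escapes '&', '/', '+' and friends,
    which secrets and URIs routinely contain.  The scope passed here has to
    be equal to or a subset of what the original authorization request
    asked for, and redirect_uri must equal the one used in that request.
    """
    missing = missing_params(params)
    if missing:
        raise ValueError("refresh request missing: " + ", ".join(missing))
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    fields = {"grant_type": "refresh_token"}
    fields.update({name: params[name] for name in REQUIRED})
    return url, headers, urlencode(fields)


# Error body exactly as quoted in the question (raw string keeps the \r\n
# JSON escapes intact so json.loads decodes them).
SAMPLE_ERROR = r'''{
  "error": "server_error",
  "error_description": "AADSTS50000: There was an error issuing a token.\r\nTrace ID: bb72ee21-7df2-4949-8375-e6d97b621300\r\nCorrelation ID: 719ea759-622b-4d63-be17-56fd6c255195\r\nTimestamp: 2018-06-15 09:07:13Z",
  "error_codes": [50000],
  "timestamp": "2018-06-15 09:07:13Z",
  "trace_id": "bb72ee21-7df2-4949-8375-e6d97b621300",
  "correlation_id": "719ea759-622b-4d63-be17-56fd6c255195"
}'''

AADSTS_RE = re.compile(r"AADSTS(\d+)")
TRACE_RE = re.compile(r"Trace ID:\s*([0-9a-fA-F-]+)")
CORR_RE = re.compile(r"Correlation ID:\s*([0-9a-fA-F-]+)")


def triage_token_error(body):
    """Extract what matters from an AADSTS error response.

    Prefers the structured fields (error_codes, trace_id, correlation_id)
    and falls back to parsing error_description, where older responses
    only carry the IDs inline.  The first line of the description is the
    human-readable reason; the IDs are what a support case needs.
    """
    doc = json.loads(body)
    desc = doc.get("error_description", "")
    codes = doc.get("error_codes") or [int(c) for c in AADSTS_RE.findall(desc)]
    trace = TRACE_RE.search(desc)
    corr = CORR_RE.search(desc)
    return {
        "error": doc.get("error"),
        "codes": list(codes),
        "trace_id": doc.get("trace_id") or (trace.group(1) if trace else None),
        "correlation_id": doc.get("correlation_id") or (corr.group(1) if corr else None),
        "message": desc.split("\r\n")[0],
    }


if __name__ == "__main__":
    url, headers, body = build_refresh_request(
        "contoso.onmicrosoft.com",            # placeholder tenant
        client_id="00000000-app-id",            # placeholder
        client_secret="s3cret&value",           # placeholder, note the '&'
        refresh_token="0.placeholder-refresh",  # placeholder
        scope="https://graph.microsoft.com/.default",
        redirect_uri="https://localhost/callback",
    )
    print(url, headers, body, sep="\n")
    print(triage_token_error(SAMPLE_ERROR))
```

Running the module prints the request it would send (the body, not an actual call, so it works offline) followed by the triaged error. When you adapt it, feed the returned `url`, `headers` and `body` to your HTTP client of choice and log the `trace_id` and `correlation_id` of any non-200 response before retrying.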