访问令牌不包含所有请求的范围 [英] Access token doesn't contain all the requested scopes
问题描述
我有一个 angular 应用程序和一个 DotNet 核心Web API应用程序.Web API公开2个权限.角已被限制为这些权限(请参见屏幕截图).
I have an angular application and an DotNet core web api application. The web api exposes 2 permissions. The angular has susbscribed to those permissions (see screenshot).
在代码中,我尝试了
export const loginRequest: { scopes: string[] } = {
//scopes: ['user.read', 'openid', 'profile'], //--> I commented out this line.
scopes: []
};
export const tokenRequest: { scopes: string[] } = {
scopes: ['api://da8b9450-d9b7-4b7f-9667-fdae9a7c8359/API.Access',
'api://da8b9450-d9b7-4b7f-9667-fdae9a7c8359/API.Write']
};
consentScopes: [
...loginRequest.scopes,
...tokenRequest.scopes,
],
访问令牌包含我没有要求的范围,但是它没有返回我所要求的范围.
The access token contain the scopes I didn't ask for, but it is not returning what I asked.
如何获得我要求的两个范围?
How do I get the 2 scopes I've requested?
感谢您的帮助
这是配置
auth: {
clientId: '78803184-e866-4966-b372-d98b4feae898',
authority: "https://login.microsoftonline.com/{tenantId}/",
validateAuthority: true,
redirectUri: "http://localhost:4200/",
postLogoutRedirectUri: "http://localhost:4200/",
navigateToLoginRequestUrl: true,
}
编辑2
这是现在要求的范围.我已经删除了所有相关的图形,例如 user.read , openid 和 profile .
{
popUp: !isIE,
consentScopes: [
"api://da8b9450-d9b7-4b7f-9667-fdae9a7c8359/API.Access",
"api://da8b9450-d9b7-4b7f-9667-fdae9a7c8359/API.Write"
],
unprotectedResources: ["https://localhost:5001"],
protectedResourceMap,
extraQueryParameters: {}
}
即使在客户端访问API的客户端列表之后,我仍然收到相同的作用域.
I'm still receive the same scopes, i.e. even after the client to the list of clients for the API.
但是,我查看了发送到AZURE AD的请求.这就是它的样子.根据此请求,尽管我已从请求的作用域列表中删除了它们,但我仍在请求 user.read , openid 和 profile .
However, I looked at the request being sent to AZURE AD. This is how it looks like. According to this request, I'm still requesting user.read, openid, and profile although I removed them from the list of requested scopes.
Request URL: https://login.microsoftonline.com/313200b5-a917-47d1-2233-149b07d5d7b5/oauth2/v2.0/authorize?
response_type=token&scope=user.read openid profile&client_id=78803184-e866-54e3-b200-d98b4feae898
&redirect_uri=http://localhost:4200/
&state=eyJpZCI6IjMwZDJkOGNkLTM2NWUtNGMwOS1iYWY1LTcyZWYyMTU0YWE5ZSIs
InRzIjoxNjExNTUwMDUxLCJtZXRob2QiOiJzaWxlbnRJbnRlcmFjdGlvbiJ9
&nonce=6f25b4e0-71f7-4cde-abf4-cb5545d2507e
&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=1.4.4
&login_hint=admin@myemail.com
&client-request-id=a68ef0b3-111b-4b1c-a3e7-cdcb075516ca
&prompt=none&response_mode=fragment
编辑3
我找到了这行代码
EDIT 3
I found this line of code
const GRAPH_ENDPOINT = 'https://graph.microsoft.com/v1.0/me';
getProfile() {
this.http.get(GRAPH_ENDPOINT)
.toPromise().then(profile => {
this.profile = profile;
});
}
推荐答案
移动评论以回答:
就像我在评论中说的那样,您得到的是ms graph api令牌,该令牌仅包含ms graph api的范围.令牌不能包含两个api的范围.如果需要获取自定义api的范围,则应该获取另一个令牌.
Like I said in the comments, what you get is the ms graph api token, which only contains the scope of ms graph api. A token cannot contain the scope of two apis. If you need to get the scope of a custom api, you should get another token.
The access token is issued according to the api audience you want to access, and it is unique! A token can only have one audience, and you cannot use multiple scopes to request access tokens.
一个句子摘要:您不能使访问令牌包含 API.Access API.Write User.Read scp声明,因为这是两个完全不同的API的范围.
One sentence summary: You cannot make an access token contain API.Access API.Write User.Read scp claims at the same time, because these are the scope of two completely different APIs.
这篇关于访问令牌不包含所有请求的范围的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
