AADSTS70007:请求令牌时,"query"不是受支持的"response_mode"值 [英] AADSTS70007: 'query' is not a supported value of 'response_mode' when requesting a token
问题描述
因此,几天前我在Azure AD中创建了一个应用程序.当请求授权码时,当我同时要求 code
和 id_token
(在 response_type
参数中)时,出现以下错误:
So I created an application in Azure AD a few days ago. When requesting authorization code, I am getting the following error back when I ask for both code
and id_token
(in response_type
parameter):
AADSTS70007:当以下情况时,"query"不是受支持的"response_mode"值请求令牌
AADSTS70007: 'query' is not a supported value of 'response_mode' when requesting a token
跟踪ID:xxxx-xxxx-xxxx-xxxx-xxxx
Trace ID: xxxx-xxxx-xxxx-xxxx-xxxx
关联ID:xxxx-xxxx-xxxx-xxxx-xxxx
Correlation ID: xxxx-xxxx-xxxx-xxxx-xxxx
时间戳:2018-06-13 16:06:03Z
Timestamp: 2018-06-13 16:06:03Z
我的请求网址如下所示:
My request URL looks something like this:
https://login.microsoftonline.com/common/oauth2/authorize?resource=https%3A%2F%2Fmanagement.core.windows.net%2F&client_id=application-client-id&response_type=code + id_token& redirect_uri = urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob& response_mode = query& nonce = 1528906255418& state = 12345
但是,如果我只要求输入 code
而不是 id_token
,则不会出现任何错误.因此,从本质上讲,以下URL可以正常工作:
However, I don't get any errors if I only ask for code
and not id_token
. So essentially, following URL works:
https://login.microsoftonline.com/common/oauth2/authorize?resource=https%3A%2F%2Fmanagement.core.windows.net%2F&client_id=application-client-id&response_type=code& redirect_uri = urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob& response_mode = query& nonce = 1528906255418& state = 12345
更有趣的是,如果我使用几个月前创建的应用程序的客户端ID,则代码可以正常工作,Azure AD会同时向我返回 code
和 id_token
.
What is even more interesting is that if I use a client id of an application created a few months ago, the code works perfectly fine and Azure AD returns me both code
and id_token
.
I did find one similar problem here: https://sharepoint.stackexchange.com/questions/242669/aadsts70007-query-is-not-a-supported-value-of-response-mode-when-requesting but there was no answer provided for that question.
我很好奇:
- 为什么Azure AD对于较旧的应用程序不会引发任何错误,而对于较新的应用程序却不会引发任何错误?最近在Azure AD级别上进行了任何更改会导致此问题吗?而且,仅对于较新的应用程序也是如此.
- 是否有防止这种错误发生的方法?我非常想使用
query
作为response_mode
而不是form_post
.
- Why Azure AD does not throw any error for older application but for newer application? Has anything changed at the Azure AD level recently that will cause this problem? And that too for only newer applications.
- Is there a way to prevent this error from happening? I would very much like to use
query
asresponse_mode
instead ofform_post
.
推荐答案
两个不同的授权流:
-
如果要在
response_type
中使用code + id_token
,则应使用但是,如果仅在response_type
中使用code
,则应该使用However, if you just use
code
in theresponse_type
, you should be using Authorization Code flow.因此,由于这两种请求的
response_type
s不同,因此它们是不同的OIDC身份验证流程.So, These two kinds of requests are different OIDC Authentication flow due to their different
response_type
s.-
对于
form_post
,form_post
会执行POST,其中包含指向重定向URI的代码.当授权响应仅打算使用一次时,您应该使用响应模式
中的form_post
.您还可以在form_post 的详细信息="nofollow noreferrer">此文档.
For
form_post
,form_post
executes a POST containing the code to your redirect URI.When the Authorization Response is intended to be used only once, you should useform_post
inreponse_mode
. You can also see the details aboutform_post
in this documentation.
对于
query
,在此模式下,当重定向回客户端时,授权响应参数会编码在添加到redirect_uri
的查询字符串中.有关response_mode
中的query
的更多详细信息,可以参考For
query
, In this mode, Authorization Response parameters are encoded in the query string added to theredirect_uri
when redirecting back to the Client. For more details aboutquery
inresponse_mode
, you can refer to this documentation.因此,对于不同的授权流,不同的
response_mode
可能会更清楚.So, you may be more clear about the different
response_mode
for different Authorization flows.对于授权代码流,您可以使用
query
或form_post
,对于Hybird流,您可以使用form_post
或fragment
.对于Web应用程序,我们建议使用response_mode = form_post
,以确保将令牌最安全地传输到您的应用程序.(Microsoft OpenId Connect中间件仅支持hybrid
+form_post
))For Authorization code flow, you can use
query
orform_post
, For Hybird flow, you can useform_post
orfragment
. For web applications, we recommend usingresponse_mode=form_post
, to ensure the most secure transfer of tokens to your application. (the Microsoft OpenId Connect middleware only supportshybrid
+form_post
)为什么Azure AD对于较旧的应用程序不会抛出任何错误,而对于更新的应用程序?最近在Azure AD级别进行了任何更改那会导致这个问题吗?而且这也仅适用于较新的应用程序.
Why Azure AD does not throw any error for older application but for newer application? Has anything changed at the Azure AD level recently that will cause this problem? And that too for only newer applications.
我不确定100%,但是AAD不应更改其授权/身份验证级别的任何内容.也许您使用了不同类型的App或身份验证流程.
I'm not 100% sure, but AAD shouldn't change anything about its authorization/authentication level. Maybe you used different types of App or authentication flow.
是否有防止此错误发生的方法?我会非常喜欢将查询用作
response_mode
而不是form_post
.由于原因是由OIDC框架引起的,我认为您不能使用
query
进行混合流请求.最好使用form_post
如果您的应用是网络应用,则在此流程中.Since the reason is caused by OIDC framework, I think you cannot use
query
for hybird flow request.You'd better useform_post
in this flow if your app is a web app.其他 Azure门户实际上正在使用此流程,但可能与我们可以使用的流程有所不同用.但是您可以通过Fiddler捕获其HTTP流量,从而查看身份验证/授权的工作方式.使用此流程,您必须启用您的应用程序以允许隐式流程.
Additional, Azure portal is using this flow actually, but it may be a little different from what we can use. But you can see how the authentication/authorization works by catching its HTTP traffic via Fiddler. With this flow, you've to enable your App to allow implicit flow.
您还可以看到此示例,以使用Azure AD和OpenID Connect Hybrid进行身份验证流入本文档.
You can also see this sample for Authenticate using Azure AD and OpenID Connect Hybrid flow in this documentaion.
这篇关于AADSTS70007:请求令牌时,"query"不是受支持的"response_mode"值的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
-