AADSTS70007:请求令牌时，"query"不是受支持的"response_mode"值 [英] AADSTS70007: 'query' is not a supported value of 'response_mode' when requesting a token

问题描述

因此，几天前我在Azure AD中创建了一个应用程序.当请求授权码时，当我同时要求 code 和 id_token (在 response_type 参数中)时，出现以下错误:

So I created an application in Azure AD a few days ago. When requesting authorization code, I am getting the following error back when I ask for both code and id_token (in response_type parameter):

AADSTS70007:当以下情况时，"query"不是受支持的"response_mode"值请求令牌

AADSTS70007: 'query' is not a supported value of 'response_mode' when requesting a token

跟踪ID:xxxx-xxxx-xxxx-xxxx-xxxx

Trace ID: xxxx-xxxx-xxxx-xxxx-xxxx

关联ID:xxxx-xxxx-xxxx-xxxx-xxxx

Correlation ID: xxxx-xxxx-xxxx-xxxx-xxxx

时间戳:2018-06-13 16:06:03Z

Timestamp: 2018-06-13 16:06:03Z

我的请求网址如下所示:

My request URL looks something like this:

https://login.microsoftonline.com/common/oauth2/authorize?resource=https%3A%2F%2Fmanagement.core.windows.net%2F&client_id=application-client-id&response_type=code + id_token& redirect_uri = urn％3Aietf％3Awg％3Aoauth％3A2.0％3Aoob& response_mode = query& nonce = 1528906255418& state = 12345

但是，如果我只要求输入 code 而不是 id_token ，则不会出现任何错误.因此，从本质上讲，以下URL可以正常工作:

However, I don't get any errors if I only ask for code and not id_token. So essentially, following URL works:

https://login.microsoftonline.com/common/oauth2/authorize?resource=https%3A%2F%2Fmanagement.core.windows.net%2F&client_id=application-client-id&response_type=code& redirect_uri = urn％3Aietf％3Awg％3Aoauth％3A2.0％3Aoob& response_mode = query& nonce = 1528906255418& state = 12345

更有趣的是，如果我使用几个月前创建的应用程序的客户端ID，则代码可以正常工作，Azure AD会同时向我返回 code 和 id_token .

What is even more interesting is that if I use a client id of an application created a few months ago, the code works perfectly fine and Azure AD returns me both code and id_token.

我确实在这里发现了一个类似的问题:

I did find one similar problem here: https://sharepoint.stackexchange.com/questions/242669/aadsts70007-query-is-not-a-supported-value-of-response-mode-when-requesting but there was no answer provided for that question.

我很好奇:

• 为什么Azure AD对于较旧的应用程序不会引发任何错误，而对于较新的应用程序却不会引发任何错误?最近在Azure AD级别上进行了任何更改会导致此问题吗?而且，仅对于较新的应用程序也是如此.
• 是否有防止这种错误发生的方法?我非常想使用 query 作为 response_mode 而不是 form_post .

• Why Azure AD does not throw any error for older application but for newer application? Has anything changed at the Azure AD level recently that will cause this problem? And that too for only newer applications.
• Is there a way to prevent this error from happening? I would very much like to use query as response_mode instead of form_post.

推荐答案

两个不同的授权流:

• 如果要在 response_type 中使用 code + id_token ，则应使用但是，如果仅在 response_type 中使用 code ，则应该使用

  However, if you just use codein the response_type, you should be using Authorization Code flow.

  因此，由于这两种请求的 response_type s不同，因此它们是不同的OIDC身份验证流程.

  So, These two kinds of requests are different OIDC Authentication flow due to their different response_types.

  • 对于 form_post ， form_post 会执行POST，其中包含指向重定向URI的代码.当授权响应仅打算使用一次时，您应该使用响应模式中的 form_post .您还可以在form_post 的详细信息="nofollow noreferrer">此文档.

  • For form_post, form_post executes a POST containing the code to your redirect URI.When the Authorization Response is intended to be used only once, you should use form_post in reponse_mode. You can also see the details about form_post in this documentation.

  对于 query ，在此模式下，当重定向回客户端时，授权响应参数会编码在添加到 redirect_uri 的查询字符串中.有关 response_mode 中的 query 的更多详细信息，可以参考

  For query, In this mode, Authorization Response parameters are encoded in the query string added to the redirect_uri when redirecting back to the Client. For more details about query in response_mode, you can refer to this documentation.

  因此，对于不同的授权流，不同的 response_mode 可能会更清楚.

  So, you may be more clear about the different response_mode for different Authorization flows.

  对于授权代码流，您可以使用 query 或 form_post ，对于Hybird流，您可以使用 form_post 或 fragment .对于Web应用程序，我们建议使用 response_mode = form_post ，以确保将令牌最安全地传输到您的应用程序.(Microsoft OpenId Connect中间件仅支持 hybrid + form_post ))

  For Authorization code flow, you can use query or form_post, For Hybird flow, you can use form_post or fragment. For web applications, we recommend using response_mode=form_post, to ensure the most secure transfer of tokens to your application. (the Microsoft OpenId Connect middleware only supports hybrid + form_post)

  为什么Azure AD对于较旧的应用程序不会抛出任何错误，而对于更新的应用程序?最近在Azure AD级别进行了任何更改那会导致这个问题吗?而且这也仅适用于较新的应用程序.

  Why Azure AD does not throw any error for older application but for newer application? Has anything changed at the Azure AD level recently that will cause this problem? And that too for only newer applications.

  我不确定100％，但是AAD不应更改其授权/身份验证级别的任何内容.也许您使用了不同类型的App或身份验证流程.

  I'm not 100% sure, but AAD shouldn't change anything about its authorization/authentication level. Maybe you used different types of App or authentication flow.

  是否有防止此错误发生的方法?我会非常喜欢将查询用作 response_mode 而不是 form_post .

  由于原因是由OIDC框架引起的，我认为您不能使用 query 进行混合流请求.最好使用 form_post 如果您的应用是网络应用，则在此流程中.

  Since the reason is caused by OIDC framework, I think you cannot use query for hybird flow request.You'd better use form_post in this flow if your app is a web app.

  其他 Azure门户实际上正在使用此流程，但可能与我们可以使用的流程有所不同用.但是您可以通过Fiddler捕获其HTTP流量，从而查看身份验证/授权的工作方式.使用此流程，您必须启用您的应用程序以允许隐式流程.

  Additional, Azure portal is using this flow actually, but it may be a little different from what we can use. But you can see how the authentication/authorization works by catching its HTTP traffic via Fiddler. With this flow, you've to enable your App to allow implicit flow.

  您还可以看到此示例，以使用Azure AD和OpenID Connect Hybrid进行身份验证流入本文档.

  You can also see this sample for Authenticate using Azure AD and OpenID Connect Hybrid flow in this documentaion.

  这篇关于AADSTS70007:请求令牌时，"query"不是受支持的"response_mode"值的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！