我做了“公开API"在Azure中但无法将该范围的令牌获取到客户端程序 [英] I did the "Expose an API" in Azure but cannot get the token for that scope to a client program
问题描述
我正在尝试构建WebAPI,并希望使用范围来限制其他客户端应用程序的权限.我在Expose API刀片服务器上创建了一个范围"BuildingAccess",并将其他客户端应用程序添加到具有该范围的授权列表中.但是,当我使用客户端程序尝试获取具有该作用域的令牌时,得到的是" AADSTS70011:提供的请求必须包括一个'scope'输入参数.为输入参数'scope'提供的值无效.
"错误
I'm trying to build a WebAPI and want to use a scope to limit permissions for other clients applications. I created a scope "BuildingAccess" on the Expose an API blade, and added the other client application to the authorized list with that scope. However when I use a client program to try and get the token with that scope I get the "AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid.
" error
IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create("removed")
.WithTenantId("removed")
.WithClientSecret(ClientSecret)
.Build();
List<string> scopes = new List<string>();
scopes.Add(".default");
scopes.Add("https://localhost:44371/BuildingAccess");
AuthenticationResult result = null;
try
{
result = await app.AcquireTokenForClient(scopes).ExecuteAsync();
Console.ForegroundColor = ConsoleColor.Green;
Console.WriteLine("Token acquired \n");
Console.ResetColor();
}
catch (MsalServiceException ex)
when (ex.Message.Contains("AADSTS70011"))
{
// Invalid scope. The scope has to be of the form "https://resourceurl/.default"
// Mitigation: change the scope to be as expected
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine("Scope provided is not supported");
Console.ResetColor();
}
唯一有效的格式是将范围设置为 https://localhost:44371/.default.我在其中添加BuildingAccess范围的所有其他组合都失败了,并出现以下错误,分别是我尝试过的不同格式.
The only format that seems to work is when the scope is set to https://localhost:44371/.default. All the other combinations below where I add the BuildingAccess scope fail with the error below for the different formats I've tried.
- 范围
api://333333-2222-1111-0000-aaaaaaaaaaaaa/BuildingAccess https://localhost:44371/.default
无效. - 范围
api://333333-2222-1111-0000-aaaaaaaaaaaaaaa/.default api://333333-2222-1111-0000-aaaaaaaaaaaaa/BuildingAccess
无效. - 范围
.default BuildingAccess
无效. - 范围
BuildingAccess
无效. - 范围
api://333333-2222-1111-0000-aaaaaaaaaaaaa/BuildingAccess
- 范围
https://localhost:44371/BuildingAccess
无效.
- The scope
api://333333-2222-1111-0000-aaaaaaaaaaaaa/BuildingAccess https://localhost:44371/.default
is not valid. - The scope
api://333333-2222-1111-0000-aaaaaaaaaaaaa/.default api://333333-2222-1111-0000-aaaaaaaaaaaaa/BuildingAccess
is not valid. - The scope
.default BuildingAccess
is not valid. - The scope
BuildingAccess
is not valid. - The scope
api://333333-2222-1111-0000-aaaaaaaaaaaaa/BuildingAccess
- The scope
https://localhost:44371/BuildingAccess
is not valid.
如果使用 https://localhost:44371/.default
的服务器,则我的服务器端发生错误,因为它失败了
If the one that works the https://localhost:44371/.default
, then my server side has an error because it failed with
抛出异常:'Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException'在Microsoft.IdentityModel.Tokens.dll中
Exception thrown: 'Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException' in Microsoft.IdentityModel.Tokens.dll
我在客户端上收到未经授权的回复.
and I get an Unauthorized response on the client.
推荐答案
问题是我需要具有管理同意书才能使应用程序对应用程序的权限起作用.这是对我所在的Azure租户的受限操作,因此我无法这样做.
The issue is I need to have Admin Consent for app to app permissions to work. This is a restricted action on the Azure tenant I'm on so I couldn't do that.
这篇关于我做了“公开API"在Azure中但无法将该范围的令牌获取到客户端程序的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!