Login with personal Microsoft accounts fails to OAuth2 v2
Question
I did register a new application on portal.azure.com with my Office365 company account to access the Graph API.
While authentication is working for users from our own domain (the one registered with O365), I keep getting an error for users from personal Microsoft accounts (outlook.com or live.com).
I did set up the application to support 'All Microsoft account users'.
Here is the manifest:
{
  "id": "valid-uid",
  "acceptMappedClaims": null,
  "accessTokenAcceptedVersion": 2,
  "addIns": [],
  "allowPublicClient": null,
  "appId": "valid-uid",
  "appRoles": [],
  "oauth2AllowUrlPathMatching": false,
  "createdDateTime": "2019-08-29T13:34:54Z",
  "groupMembershipClaims": "All",
  "identifierUris": [
    "api://app-id"
  ],
  "informationalUrls": {
    "termsOfService": null,
    "support": null,
    "privacy": null,
    "marketing": null
  },
  "keyCredentials": [],
  "knownClientApplications": [],
  "logoUrl": null,
  "logoutUrl": null,
  "name": "My Application (DEV2)",
  "oauth2AllowIdTokenImplicitFlow": false,
  "oauth2AllowImplicitFlow": true,
  "oauth2Permissions": [],
  "oauth2RequirePostResponse": false,
  "optionalClaims": null,
  "orgRestrictions": [],
  "parentalControlSettings": {
    "countriesBlockedForMinors": [],
    "legalAgeGroupRule": "Allow"
  },
  "passwordCredentials": [
    {
      "customKeyIdentifier": null,
      "endDate": "2299-12-30T23:00:00Z",
      "keyId": "valid-uid",
      "startDate": "2019-08-29T13:40:10.571Z",
      "value": null,
      "createdOn": "2019-08-29T13:40:11.7033226Z",
      "hint": "U18",
      "displayName": "Local Client"
    }
  ],
  "preAuthorizedApplications": [],
  "publisherDomain": "NETORGFT(integer-nr).onmicrosoft.com",
  "replyUrlsWithType": [
    {
      "url": "http://localhost:8080/auth/microsoft/callback",
      "type": "Web"
    }
  ],
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [
        {
          "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
          "type": "Scope"
        }
      ]
    }
  ],
  "samlMetadataUrl": null,
  "signInUrl": null,
  "signInAudience": "AzureADandPersonalMicrosoftAccount",
  "tags": [],
  "tokenEncryptionKeyId": null
}
Here is the error I get when I try to log in with an outlook.com (personal) account.
--------------- Error ----------------
Sign in: Sorry, but we're having trouble signing you in.
AADSTS50020: User account 'someemail@outlook.com' from identity provider 'live.com' does not exist in tenant 'ourdomain.com' and cannot access the application 'uid-of-our-app' (My Application (DEV2)) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Why does that error occur, despite having configured the app with "signInAudience": "AzureADandPersonalMicrosoftAccount"?
Answer
Actually I figured this out by myself.
The manifest property seems to get ignored if you pass your tenant ID along in the URL:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
....
In the docs I found that for both business and personal accounts you have to pass 'common' as {tenant}:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
The {tenant} value in the path of the request can be used to control who can sign into the application. The allowed values are:
- common for both Microsoft accounts and work or school accounts,
- organizations for work or school accounts only,
- consumers for Microsoft accounts only, and
- tenant identifiers such as the tenant ID or domain name.
More information here: https://docs.microsoft.com/zh-CN/graph/auth-v2-user
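The mismatch described in the answer (manifest says AzureADandPersonalMicrosoftAccount, but the authority URL names a single tenant) can be caught before a user ever sees AADSTS50020. The following is an added example, not code from the original post or from Microsoft: it extracts the {tenant} segment from the authority, compares what that segment admits with what the manifest's signInAudience promises, and builds a v2.0 authorize URL for the authorization-code flow. The sample manifest, the placeholder appId, the account-kind labels ("work_or_school", "personal") and the mapping of signInAudience values are constructed for illustration; the PKCE parameters are an assumption about the flow the practitioner would use rather than something the post mentions.

```python
"""Added example: keep the authority {tenant} segment consistent with the
app registration's signInAudience, then build the v2.0 authorize URL."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse

AUTHORIZE_PATH = "/oauth2/v2.0/authorize"

# Constructed manifest excerpt containing only the fields this check needs.
SAMPLE_MANIFEST = {
    "appId": "11111111-2222-3333-4444-555555555555",  # placeholder, not a real app id
    "signInAudience": "AzureADandPersonalMicrosoftAccount",
    "replyUrlsWithType": [
        {"url": "http://localhost:8080/auth/microsoft/callback", "type": "Web"}
    ],
}

# Account kinds admitted by the fixed {tenant} values quoted in the answer.
SEGMENT_AUDIENCE = {
    "common": frozenset({"work_or_school", "personal"}),
    "organizations": frozenset({"work_or_school"}),
    "consumers": frozenset({"personal"}),
}

# Account kinds each manifest signInAudience value is meant to admit.
SIGN_IN_AUDIENCE = {
    "AzureADMyOrg": frozenset({"work_or_school"}),
    "AzureADMultipleOrgs": frozenset({"work_or_school"}),
    "AzureADandPersonalMicrosoftAccount": frozenset({"work_or_school", "personal"}),
    "PersonalMicrosoftAccount": frozenset({"personal"}),
}


def tenant_segment(authority: str) -> str:
    """Extract {tenant} from https://login.microsoftonline.com/{tenant}[/...]."""
    parsed = urlparse(authority)
    if parsed.scheme != "https" or parsed.hostname != "login.microsoftonline.com":
        raise ValueError(f"unexpected authority: {authority}")
    parts = [p for p in parsed.path.split("/") if p]
    if not parts:
        raise ValueError("authority has no {tenant} segment")
    return parts[0]


def segment_audience(segment: str) -> frozenset:
    """Who can sign in for a given {tenant} value. Anything other than the three
    fixed words is a tenant identifier (GUID or verified domain): only members
    of that tenant, or guests already added to it, are accepted. That is exactly
    what AADSTS50020 reports for an outlook.com user."""
    return SEGMENT_AUDIENCE.get(segment, frozenset({"work_or_school"}))


def blocked_account_kinds(manifest: dict, authority: str) -> list:
    """Account kinds the manifest promises to accept but the authority turns away.
    An empty list means the two settings agree."""
    wanted = SIGN_IN_AUDIENCE[manifest["signInAudience"]]
    return sorted(wanted - segment_audience(tenant_segment(authority)))


def pkce_pair(verifier: str = None) -> tuple:
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636)."""
    verifier = verifier or secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(manifest: dict, authority: str, redirect_uri: str,
                        scopes, state: str, code_challenge: str) -> str:
    """Authorization-code + PKCE request against the v2.0 endpoint. Refuses a
    redirect_uri that is not registered and an authority whose {tenant}
    segment would reject accounts the manifest is configured to serve."""
    registered = {r["url"] for r in manifest["replyUrlsWithType"]}
    if redirect_uri not in registered:
        raise ValueError(f"redirect_uri not registered: {redirect_uri}")
    blocked = blocked_account_kinds(manifest, authority)
    if blocked:
        raise ValueError(f"authority {authority!r} blocks {blocked}; use 'common'")
    params = {
        "client_id": manifest["appId"],
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    base = "https://login.microsoftonline.com/" + tenant_segment(authority)
    return base + AUTHORIZE_PATH + "?" + urlencode(params)


if __name__ == "__main__":
    # The configuration from the question: tenant domain in the path.
    print(blocked_account_kinds(SAMPLE_MANIFEST, "https://login.microsoftonline.com/ourdomain.com"))
    _, challenge = pkce_pair()
    print(build_authorize_url(SAMPLE_MANIFEST, "https://login.microsoftonline.com/common",
                              "http://localhost:8080/auth/microsoft/callback",
                              ["openid", "profile", "User.Read"],
                              secrets.token_urlsafe(16), challenge))
```

Two caveats go with switching to common. First, the issuer of the resulting tokens is no longer fixed: every tenant (and the consumer tenant) issues with its own iss value, so the application must validate the tid claim against the tenants it actually wants to serve instead of relying on a single expected issuer. Second, the manifest above has oauth2AllowImplicitFlow set to true; the example deliberately uses response_type=code with a PKCE challenge, which keeps tokens out of the redirect URL, and the implicit setting can be turned off once nothing depends on it.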