Login with personal Microsoft accounts fails with OAuth2 v2


Question

I did register a new application on portal.azure.com with my Office365 company account to access the Graph API.

While authentication is working for users from our own domain (the one registered with O365), I keep getting an error for users from personal Microsoft accounts (outlook.com or live.com).

I did set up the application to support 'All Microsoft account users'.

Here is the manifest:

{
    "id": "valid-uid",
    "acceptMappedClaims": null,
    "accessTokenAcceptedVersion": 2,
    "addIns": [],
    "allowPublicClient": null,
    "appId": "valid-uid",
    "appRoles": [],
    "oauth2AllowUrlPathMatching": false,
    "createdDateTime": "2019-08-29T13:34:54Z",
    "groupMembershipClaims": "All",
    "identifierUris": [
        "api://app-id"
    ],
    "informationalUrls": {
        "termsOfService": null,
        "support": null,
        "privacy": null,
        "marketing": null
    },
    "keyCredentials": [],
    "knownClientApplications": [],
    "logoUrl": null,
    "logoutUrl": null,
    "name": "My Application (DEV2)",
    "oauth2AllowIdTokenImplicitFlow": false,
    "oauth2AllowImplicitFlow": true,
    "oauth2Permissions": [],
    "oauth2RequirePostResponse": false,
    "optionalClaims": null,
    "orgRestrictions": [],
    "parentalControlSettings": {
        "countriesBlockedForMinors": [],
        "legalAgeGroupRule": "Allow"
    },
    "passwordCredentials": [
        {
            "customKeyIdentifier": null,
            "endDate": "2299-12-30T23:00:00Z",
            "keyId": "valid-uid",
            "startDate": "2019-08-29T13:40:10.571Z",
            "value": null,
            "createdOn": "2019-08-29T13:40:11.7033226Z",
            "hint": "U18",
            "displayName": "Local Client"
        }
    ],
    "preAuthorizedApplications": [],
    "publisherDomain": "NETORGFT(integer-nr).onmicrosoft.com",
    "replyUrlsWithType": [
        {
            "url": "http://localhost:8080/auth/microsoft/callback",
            "type": "Web"
        }
    ],
    "requiredResourceAccess": [
        {
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
                    "type": "Scope"
                }
            ]
        }
    ],
    "samlMetadataUrl": null,
    "signInUrl": null,
    "signInAudience": "AzureADandPersonalMicrosoftAccount",
    "tags": [],
    "tokenEncryptionKeyId": null
}

Here is the error I get when I try to log in with outlook.com (personal account).

--------------- Error ----------------

Sign in
Sorry, but we're having trouble signing you in.

AADSTS50020: User account 'someemail@outlook.com' from identity provider 'live.com' does not exist in tenant 'ourdomain.com' and cannot access the application 'uid-of-our-app' (My Application (DEV2)) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

Why does that error occur, despite having configured the app to be "signInAudience": "AzureADandPersonalMicrosoftAccount"?

Answer

Actually, I figured this out by myself.

The manifest property seems to get ignored if you pass your tenant ID along in the URL: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize....

In the docs I found that, for both business and personal accounts, you have to pass 'common' as {tenant}: https://login.microsoftonline.com/common/oauth2/v2.0/authorize

The {tenant} value in the path of the request can be used to control who can sign into the application. The allowed values are:

  • common for both Microsoft accounts and work or school accounts,
  • organizations for work or school accounts only,
  • consumers for Microsoft accounts only, and
  • tenant identifiers such as the tenant ID or domain name.

More information here: https://docs.microsoft.com/zh-CN/graph/auth-v2-user
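The mismatch the answer describes, as an added example (not code from the question or answer): a small check that compares the manifest's signInAudience with the {tenant} segment of the v2.0 authorize URL and reports which account types the URL would reject. The audience tables are assumed from the values quoted above; the manifest dict, client ID, redirect URI and User.Read scope are constructed sample values.

```python
from urllib.parse import urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"

# Account types each {tenant} path value admits (from the docs quoted in the answer).
# Any other value (tenant ID or domain name) is a single-tenant authority.
TENANT_AUDIENCE = {
    "common": {"work_or_school", "personal"},
    "organizations": {"work_or_school"},
    "consumers": {"personal"},
}

# Account types each manifest signInAudience value is meant to admit (assumed mapping).
SIGN_IN_AUDIENCE = {
    "AzureADMyOrg": {"work_or_school"},
    "AzureADMultipleOrgs": {"work_or_school"},
    "AzureADandPersonalMicrosoftAccount": {"work_or_school", "personal"},
    "PersonalMicrosoftAccount": {"personal"},
}

# {tenant} value to use for each multi-audience manifest; single-tenant apps keep their ID.
PREFERRED_TENANT = {
    "AzureADMultipleOrgs": "organizations",
    "AzureADandPersonalMicrosoftAccount": "common",
    "PersonalMicrosoftAccount": "consumers",
}

# Constructed sample manifest, mirroring the signInAudience from the question.
MANIFEST = {"appId": "00000000-0000-0000-0000-000000000000",  # placeholder
            "signInAudience": "AzureADandPersonalMicrosoftAccount"}


def audience_for_tenant(tenant):
    """Account types that can sign in through this {tenant} path segment."""
    return TENANT_AUDIENCE.get(tenant, {"work_or_school"})


def tenant_for_manifest(manifest, tenant_id):
    """Pick the {tenant} segment that matches the manifest's signInAudience."""
    return PREFERRED_TENANT.get(manifest["signInAudience"], tenant_id)


def build_authorize_url(tenant, client_id, redirect_uri, scopes, state):
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "response_mode": "query",
              "scope": " ".join(scopes), "state": state}
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def rejected_by_url(manifest, authorize_url):
    """Account types the manifest allows but the URL's {tenant} segment turns away."""
    tenant = urlparse(authorize_url).path.split("/")[1]
    wanted = SIGN_IN_AUDIENCE[manifest["signInAudience"]]
    return sorted(wanted - audience_for_tenant(tenant))
```

Running rejected_by_url against a URL built with the tenant ID returns ['personal'], which is exactly the population that hits AADSTS50020; with 'common' it returns an empty list.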
