Azure AD. Does the Authorization Flow need to start with a browser call to get the authorization token for desktop apps?


Question

For background, see: this question

So, the first step in the Authorization Flow is to get the authorization token using a URL in the web browser like this. For a desktop app it needs to have the following signature (I un-encoded it to make it more readable):

https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/authorize
?client_id={client id}
&response_type=code
&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient
&response_mode=query
&scope=openid offline_access https://graph.microsoft.com/.default

This ends up at the specified redirectURL (assuming I set the same redirectUrl in the Application registration in Azure) and authenticated. All good. The response looks something like this:

https://login.microsoftonline.com/common/oauth2/nativeclient?code=OAQABAAIAAAA...ggAA

That code is then used to generate an access_token and a refresh_token using a POST HTTP request from my VBA (MS-Access):

https://login.microsoftonline.com/{tenant Id}/oauth2/v2.0/token

grant_type=authorization_code
client_id={client id}
scope=https://graph.microsoft.com/.default
redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient
code=OAQABAAIAAAA...ggAA  <== ie the code that was copied from the URL in the Authorization step above

That call returns both an access_token (expires in 1 hour) and a refresh_token (default expiry in 90 days). The refresh_token is used to get another access_token after it expires.

So far, so good.

The first step (get the Authorization Code) is run in a browser and the resulting code is copy-pasted into my App to be used in the second step (to get the access_token). Each time the access_token expires, the refresh_token is used to acquire another access_token AND another refresh_token, giving another 90 days. That all works fine.

My question is this: After 90 days of inactivity both the access_token and the most recent refresh_token will have expired. Is it the case that I will then need to return to the first step, get a new Authorization Code via a browser window, copy and paste the code from the web browser url and use it for the second step?

Is it the case that I will always need to use a web browser to get an Authorization Code, or is there some programmatic way to do that which I have completely missed?

Thanks, Murray
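The two-step flow described in the question, modelled offline in Python as an added example (this is not the asker's VBA code nor a Microsoft library): it builds the authorize URL with proper encoding, pulls the one-time code out of the redirect URL, assembles the form body for both the authorization_code and refresh_token grants, and decides whether a cached token, a refresh, or a fresh browser sign-in is needed. Tenant id, client id, token values and the 90-day refresh lifetime used for the decision are constructed placeholders taken from the question, not values returned by the server.

```python
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com"
NATIVE_REDIRECT = "https://login.microsoftonline.com/common/oauth2/nativeclient"
SCOPE = "openid offline_access https://graph.microsoft.com/.default"


def authorize_url(tenant_id, client_id):
    """Step 1: the URL the user opens in a browser. With response_type=code
    and response_mode=query the code arrives as ?code=... on the redirect."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": NATIVE_REDIRECT, "response_mode": "query",
              "scope": SCOPE}
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?" + urlencode(params)


def code_from_redirect(redirect_url):
    """Extract the authorization code the user copies from the browser
    address bar; fail loudly if the server returned an error instead."""
    q = parse_qs(urlparse(redirect_url).query)
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    return q["code"][0]


def token_request(tenant_id, client_id, code=None, refresh_token=None):
    """Step 2 (redeem the code) or the later refresh step: returns the
    (url, x-www-form-urlencoded body) for the POST to the token endpoint."""
    body = {"client_id": client_id, "scope": SCOPE}
    if code is not None:
        body.update(grant_type="authorization_code", code=code,
                    redirect_uri=NATIVE_REDIRECT)
    else:
        body.update(grant_type="refresh_token", refresh_token=refresh_token)
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token", urlencode(body)


def next_action(issued_at, expires_in, refresh_issued_at, now,
                refresh_lifetime=90 * 24 * 3600):
    """Which step the app must run next (all times in seconds since epoch).
    refresh_lifetime is the 90-day default quoted in the question, used only
    to model the decision; the server is what actually rejects a stale token."""
    if now < issued_at + expires_in:
        return "use_access_token"          # access_token still valid (1 h)
    if now < refresh_issued_at + refresh_lifetime:
        return "refresh"                   # POST grant_type=refresh_token
    return "reauthorize_in_browser"        # back to step 1 after 90 idle days
```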

Answer

Is it the case that I will then need to return to the first step, get a new Authorization Code via a browser window, copy and paste the code from the web browser url and use it for the second step?

Yes, you are right.

is there some programmatic way to do that which I have completely missed?

Yes, resource owner password credential (ROPC) grant flow allows an application to sign in the user by directly handling their password. The ROPC flow requires a high degree of trust and user exposure and you should only use this flow when other, more secure, flows can't be used.
