Authentication Failed while using Azure AD Bearer Token, to return list of containers [Azure Blob] [Azure AD OAuth 2.0] [REST API]


Problem description


I have successfully tried performing authentication using the Shared key and then making REST calls to Azure Blob. Now I am trying to authenticate using Azure AD OAuth 2.0, to receive a Bearer token and pass that for authentication to make REST calls. I am successfully getting the Bearer token but unable to perform authentication.

Here's the code:

const request = require("request");
require("dotenv").config();

const account = process.env.ACCOUNT_NAME || "";
const key = process.env.ACCOUNT_KEY || ""; // only needed for Shared Key auth, unused here
const tenantId = process.env.AZURE_TENANT_ID || "";
const clientId = process.env.AZURE_CLIENT_ID || "";
const clientSecret = process.env.AZURE_CLIENT_SECRET || "";

// Client-credentials request against the v2.0 token endpoint
const options = {
  url: `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`,
  formData: {
    grant_type: "client_credentials",
    client_id: clientId,
    scope: "https://graph.microsoft.com/.default",
    // scope:"http://storage.azure.com/.default",
    client_secret: clientSecret,
  },
  headers: {
    "Content-Type": `application/x-www-form-urlencoded`,
  },
};

var strTime = new Date().toUTCString();

// Use the returned access token as a Bearer token on the List Containers call
function callback(error, response, body) {
  if (error) {
    console.log("Token request failed: ", error);
    return;
  }
  const options = {
    url: `https://${account}.blob.core.windows.net/?comp=list`,

    headers: {
      Authorization: `Bearer ${JSON.parse(body).access_token}`,
      "x-ms-date": strTime,
      "x-ms-version": "2019-02-02",
    },
  };

  request(options, function (error, response, body) {
    if (error) {
      console.log("List request failed: ", error);
      return;
    }
    console.log("Response is: ", response.statusCode, response.statusMessage);
  });
}

request(options, callback);

It shows Auth failed when I try to run it.

403 Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.

Here are some links for Reference: Service-Service calls using client credentials, OAuth 2.0 client credentials flow

EDIT: The scope was tried for both the links, options url updated from https://login.microsoftonline.com/${tenantId}/oauth2/token to https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token

Screenshot of Access Control.

But still, the same error persists.

Solution

Try to change the scope with https://${account}.blob.core.windows.net/.default or https://storage.azure.com/.default.

Notes:

  1. scope is supported in "v2.0". If you use v1.0, scope needs to be replaced with resource, code looks like resource: "https://${account}.blob.core.windows.net/".

  2. When using formData, you must set "multipart/form-data".

  3. Navigate to Azure storage -> Access control(IAM) -> Add role assignment to add a service principal to your storage account

Code:

require("dotenv").config();
const axios = require('axios');
const qs = require('qs');

// Fill these in from your tenant and app registration (or load them from .env)
const account = "";
const tenantId = "";
const clientId = "";
const clientSecret = "";

// Client-credentials grant with a Storage scope (the v2.0 endpoint takes `scope`, v1.0 takes `resource`)
const postData = {
  client_id: clientId,
  scope: `https://${account}.blob.core.windows.net/.default`,
  client_secret: clientSecret,
  grant_type: 'client_credentials'
};

// The token endpoint expects a URL-encoded form body, hence qs.stringify below
axios.defaults.headers.post['Content-Type'] =
  'application/x-www-form-urlencoded';

let token = '';

axios.post(`https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`, qs.stringify(postData))
  .then(response => {
    console.log(response.data);
    token = response.data.access_token; // send as `Authorization: Bearer <token>` to Blob storage
  })
  .catch(error => {
    console.log(error.response ? error.response.data : error);
  });
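The following is an added end-to-end example, not code from the question or the answer above. It puts the answer's points together: request a token with a Storage scope using a URL-encoded body, check the token's `aud` claim locally before sending it (a token minted for `https://graph.microsoft.com/.default` carries a Graph audience, which Storage answers with the 403 seen in the question), then call List Containers with `Authorization: Bearer`. It assumes Node 18+ (global `fetch`), environment variables named as in the question (`AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `ACCOUNT_NAME`), and a role such as Storage Blob Data Reader assigned to the service principal on the account. The `sampleToken` helper builds an unsigned, constructed token for local demonstration only.

```javascript
// Added example: client-credentials token with a Storage scope, audience check, List Containers.
// Assumptions: Node 18+ (global fetch); env vars AZURE_TENANT_ID, AZURE_CLIENT_ID,
// AZURE_CLIENT_SECRET, ACCOUNT_NAME; service principal has a Blob data role on the account.

const STORAGE_SCOPE = "https://storage.azure.com/.default";

// Build the v2.0 token request. URLSearchParams yields application/x-www-form-urlencoded,
// which is what the token endpoint expects (no multipart, no extra dependency).
function buildTokenRequest(tenantId, clientId, clientSecret, scope = STORAGE_SCOPE) {
  const body = new URLSearchParams({
    grant_type: "client_credentials",
    client_id: clientId,
    client_secret: clientSecret,
    scope,
  });
  return {
    url: `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// Decode a JWT payload without verifying the signature. This is only a local sanity check
// on a token we just received; Storage performs the real validation.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, "base64").toString("utf8"));
}

// Storage rejects a token issued for another resource (e.g. Graph) with 403. Accept either
// the generic Storage audience or the account-specific one, with or without trailing slash.
function tokenAudienceIsStorage(token, account) {
  const aud = String(decodeJwtPayload(token).aud || "").replace(/\/$/, "");
  return aud === "https://storage.azure.com" ||
         aud === `https://${account}.blob.core.windows.net`;
}

// List Containers request with Bearer auth and the same x-ms-* headers as the question.
function buildListContainersRequest(account, token) {
  return {
    url: `https://${account}.blob.core.windows.net/?comp=list`,
    headers: {
      Authorization: `Bearer ${token}`,
      "x-ms-date": new Date().toUTCString(),
      "x-ms-version": "2019-02-02",
    },
  };
}

// Pull container names out of the List Containers XML without an XML library.
function parseContainerNames(xml) {
  return [...xml.matchAll(/<Container>\s*<Name>([^<]+)<\/Name>/g)].map((m) => m[1]);
}

// Constructed, unsigned sample token (demonstration only, never accepted by Azure).
function sampleToken(aud) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc({ aud, iss: "constructed" })}.sig`;
}

async function main() {
  const { AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, ACCOUNT_NAME } = process.env;
  if (!(AZURE_TENANT_ID && AZURE_CLIENT_ID && AZURE_CLIENT_SECRET && ACCOUNT_NAME)) {
    console.log("Set AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and ACCOUNT_NAME to run.");
    return;
  }
  const t = buildTokenRequest(AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET);
  const tokenRes = await fetch(t.url, { method: t.method, headers: t.headers, body: t.body });
  const tokenJson = await tokenRes.json();
  if (!tokenRes.ok) throw new Error(`token request failed: ${JSON.stringify(tokenJson)}`);
  const token = tokenJson.access_token;
  // Fail fast with a clear message instead of a bare 403 from Storage.
  if (!tokenAudienceIsStorage(token, ACCOUNT_NAME)) {
    throw new Error(`token audience is ${decodeJwtPayload(token).aud}; Storage will answer 403`);
  }
  const l = buildListContainersRequest(ACCOUNT_NAME, token);
  const listRes = await fetch(l.url, { headers: l.headers });
  const xml = await listRes.text();
  console.log(listRes.status, listRes.statusText, parseContainerNames(xml));
}

main().catch((e) => { console.error(e); process.exit(1); });
```

The audience check is the piece that turns the question's opaque 403 into an actionable message: if `aud` reads `https://graph.microsoft.com`, the scope in the token request is wrong, not the Authorization header. A correct audience with a 403 still remaining points at the missing role assignment from note 3.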

