Azure AD returns Authentication_ExpiredToken on valid access token


Question

I'm getting "Your access token has expired. Please renew it before submitting the request." when I call the https://graph.windows.net/myorganization/oauth2PermissionGrants?api-version=1.5 endpoint.

To prevent any stupid questions - Yes, I know that using Microsoft Graph is recommended instead of Azure AD Graph. I'm aware of it and I'm using it. But for my current case I need to request exactly Azure AD Graph.

Test case:

  1. I successfully log in on https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=.... and get a code in the response.
  2. I successfully exchange the code and get an access_token on https://login.microsoftonline.com/common/oauth2/v2.0/token.
  3. I successfully make requests to any Microsoft Graph endpoint (i.e. https://graph.microsoft.com/education/me/classes).
  4. I call https://graph.windows.net/myorganization/oauth2PermissionGrants?api-version=1.5.
  5. I get the error Authentication_ExpiredToken "Your access token has expired. Please renew it before submitting the request."
  6. I successfully make requests to any Microsoft Graph endpoint, so the access_token is valid.

Based on this article: https://docs.microsoft.com/azure/active-directory/develop/active-directory-appmodel-v2-overview, I can use this access token to access both the Microsoft Graph API as well as the Azure AD Graph API.

So, I'm using v2.0, which should work for those: https://docs.microsoft.com/azure/active-directory/develop/active-directory-protocols-oauth-code.

What am I doing wrong?

Thanks!

Answer

A token used to call the Microsoft Graph cannot be used to call the Azure AD Graph API.

When you look at the access token from Azure AD, there is a parameter called aud which stands for "audience". This property tells the API receiving the token the valid audience for that token.

If I own an API, "WebAPI1", and I get a token where the audience is something else, like "WebAPI2", I should reject that token, and not give the client access to my APIs. The reasons for this behavior should be obvious, but it causes major security issues if this check does not occur.

The aud value for the Microsoft Graph is https://graph.microsoft.com/ while the aud for the Azure AD Graph API is https://graph.windows.net/.

When requesting an access token, you need to specify which specific resource you want a token for using the scopes parameter. This and more information can be found here.

The solution here is to get a different access token for the different API, and your issues should be resolved.

Let me know if this helps!
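An added example, not part of the original question or answer, showing both halves of the thread: the scope you put in the v2.0 token request (step 2 of the question) decides which aud the token carries, and the audience check the answer describes is what makes Azure AD Graph refuse a Microsoft Graph token in step 4 even though the token is nowhere near expiry. The token is constructed and signed with HS256 and a demo key so the example runs offline; Azure AD itself issues RS256 tokens verified against its published keys. The function names (mint_demo_token, validate_for_api, peek_claims, scope_for_resource, token_request_form), the demo key and the sample claims are all assumptions of this example.

```python
import base64
import hashlib
import hmac
import json

# Audience identifiers as given in the answer above.
MS_GRAPH_AUD = "https://graph.microsoft.com/"
AAD_GRAPH_AUD = "https://graph.windows.net/"
V2_TOKEN_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/token"

# Constructed demo key (assumption). Azure AD signs with RS256 and publishes its keys;
# HS256 with a shared key is used here only so the example verifies offline.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def scope_for_resource(resource: str, permission: str) -> str:
    """v2.0 scope value: resource identifier followed by the permission name.
    The resource named here is what ends up in the token's aud claim."""
    return resource.rstrip("/") + "/" + permission


def token_request_form(code: str, client_id: str, redirect_uri: str, scopes: list) -> dict:
    """Form body for redeeming the authorization code at V2_TOKEN_ENDPOINT (step 2),
    with the scope parameter spelled out per resource."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
    }


def mint_demo_token(aud: str, scp: str, now: int, lifetime: int = 3600) -> str:
    """Stand-in (constructed) for the token Azure AD would issue for the requested resource."""
    header = {"typ": "JWT", "alg": "HS256"}
    claims = {
        "aud": aud,
        "iss": "https://login.microsoftonline.com/common/v2.0",
        "iat": now,
        "nbf": now,
        "exp": now + lifetime,
        "scp": scp,
    }
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def peek_claims(token: str) -> dict:
    """Decode the payload without verifying anything: fine for seeing which aud you got, nothing more."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def validate_for_api(token: str, my_audience: str, now: int) -> tuple:
    """The check a resource API should run on every bearer token, in this order:
    signature first (so aud/exp cannot be forged), then audience, then lifetime."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":  # pin the algorithm instead of trusting the token's alg
        return False, "unexpected alg"
    expected = hmac.new(DEMO_KEY, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("aud") != my_audience:
        return False, "wrong audience: %s" % claims.get("aud")
    if now >= int(claims.get("exp", 0)):
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000
    # Step 2 with a Microsoft Graph scope: the token that comes back has aud = Microsoft Graph...
    print(token_request_form("AUTH_CODE_FROM_STEP_1", "CLIENT_ID", "https://localhost/cb",
                             [scope_for_resource(MS_GRAPH_AUD, "User.Read")]))
    graph_token = mint_demo_token(MS_GRAPH_AUD, "User.Read", t0)
    print(peek_claims(graph_token)["aud"])
    # ...so Azure AD Graph must reject it even though it is not expired (steps 4 and 5).
    print(validate_for_api(graph_token, AAD_GRAPH_AUD, t0 + 60))
    # A second token requested with an Azure AD Graph scope is what step 4 needs.
    aad_token = mint_demo_token(AAD_GRAPH_AUD, "Directory.Read.All", t0)
    print(validate_for_api(aad_token, AAD_GRAPH_AUD, t0 + 60))
```

The ordering in validate_for_api matters: if audience were checked before the signature, an attacker could splice the aud segment of one token onto the signature of another and the check would pass the forged claim. The real Azure AD Graph surfaces the audience mismatch as Authentication_ExpiredToken; this example reports it as what it is, so the fix in the question (request a separate token with an Azure AD Graph scope) is the same one you would reach from a clearer message.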
