"Missing grant-type parameter" in Auth0 Delegation endpoint call


Question

I'm trying to call (POST) the Auth0 delegation endpoint from Postman with the following request, as suggested by Auth0:

Content-Type: 'application/json'

{
  "client_id":   "{CLIENT_ID}",
  "grant_type":  "urn:ietf:params:oauth:grant-type:jwt-bearer",
  "id_token":    "{YOUR_ID_TOKEN}",
  "target":      "lwTL1rYVfC0KsBUFPeKWY3HvGjbIgdDM",
  "api_type":    "salesforce_api",
  "scope":       "openid"
}

I'm getting this error, even though the grant_type parameter is included in the above request:

{
    "error": "invalid_request",
    "error_description": "Missing grant_type parameter"
}

What am I doing wrong here?

Recommended answer

From Auth0's new OIDC Conformant Authentication docs:

Delegation

Given that ID tokens should no longer be used as API tokens and that refresh tokens should be used only at the token endpoint, this endpoint is now considered deprecated.

At the moment there is no OIDC-compliant mechanism to obtain third-party API tokens. In order to facilitate a gradual migration to the new authentication pipeline, delegation can still be used to obtain third-party API tokens. This will be deprecated in future releases.

Also, from Auth0's Using AWS with Tokens docs:

Legacy Grant Types

As of 8 June 2017, new Auth0 customers cannot add any of the legacy grant types to their clients, which are required for use with the Delegation endpoint. Legacy grant types are only available for previous customers while they migrate to new flows, to avoid breaking changes. To find the secure alternative for your case refer to Secure Alternatives to the Legacy Grant Types.

Reading further, from the Secure Alternatives to the Legacy Grant Types link:

Legacy Grant Type

http://auth0.com/oauth/legacy/grant-type/ro/jwt-bearer


Alternative

This feature is disabled by default. If you would like this feature enabled, please contact support to discuss your use case and prevent the possibility of introducing security vulnerabilities.

More information about legacy grant types can also be found here.

So, the problem you are having is that Delegation has been deprecated. That means the /delegation endpoint, and more importantly the jwt-bearer grant type, have been deprecated. If you are a new customer, you are out of luck. If you are an existing customer, you need to contact support to get it enabled.

As to why Postman returns the cryptic "Missing grant_type parameter" error as opposed to the much better "Grant type 'http://auth0.com/oauth/legacy/grant-type/delegation/id_token not allowed for the client." error you get with other browser extension based REST Clients, your guess is as good as mine.
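For tenants that predate the cut-off described in the answer, a quick way to see which clients still depend on these grants is to scan an export of the client configuration. The following is an added example, not part of the original answer and not Auth0's code; it assumes each exported client object carries a `grant_types` array, and the client ids, names and sample data are constructed.

```python
import json

# Prefix shared by both legacy grant type identifiers quoted in the answer above.
LEGACY_PREFIX = "http://auth0.com/oauth/legacy/grant-type/"
DELEGATION_PREFIX = LEGACY_PREFIX + "delegation/"

# Constructed sample export. Assumption: each client object lists its enabled
# grants in a "grant_types" array; ids and names here are placeholders.
SAMPLE_CLIENTS = json.loads("""
[
  {"client_id": "EXAMPLE_CLIENT_A", "name": "legacy-spa",
   "grant_types": ["authorization_code", "refresh_token",
                   "http://auth0.com/oauth/legacy/grant-type/delegation/id_token"]},
  {"client_id": "EXAMPLE_CLIENT_B", "name": "new-api-client",
   "grant_types": ["client_credentials"]},
  {"client_id": "EXAMPLE_CLIENT_C", "name": "mobile",
   "grant_types": ["http://auth0.com/oauth/legacy/grant-type/ro/jwt-bearer"]},
  {"client_id": "EXAMPLE_CLIENT_D", "name": "no-grants-field"}
]
""")


def audit_clients(clients):
    """Return one finding per client that still has a legacy grant type enabled."""
    findings = []
    for client in clients:
        grants = client.get("grant_types")
        if not isinstance(grants, list):  # field missing or malformed: nothing to flag
            continue
        legacy = sorted(g for g in grants
                        if isinstance(g, str) and g.startswith(LEGACY_PREFIX))
        if legacy:
            findings.append({
                "client_id": client.get("client_id", "<unknown>"),
                "name": client.get("name", ""),
                "legacy_grants": legacy,
                # True when a delegation grant is enabled for this client
                "delegation_enabled": any(g.startswith(DELEGATION_PREFIX) for g in legacy),
            })
    # Delegation-capable clients first: they are the ones to migrate first.
    return sorted(findings, key=lambda f: (not f["delegation_enabled"], f["client_id"]))


if __name__ == "__main__":
    for f in audit_clients(SAMPLE_CLIENTS):
        tag = "delegation" if f["delegation_enabled"] else "legacy"
        print(f"[{tag}] {f['client_id']} ({f['name']}): {', '.join(f['legacy_grants'])}")
```
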
