带有 Azure AD 的 OAuth2 - 未获得用户同意 [英] OAuth2 with Azure AD - Not getting user consent

问题描述

我正在尝试让 OAuth2 工作流为 Azure AD 正确执行.我正在遵循此来源的指示:https://msdn.microsoft.com/en-us/library/azure/dn645542.aspx

I am trying to get the OAuth2 workflow to perform correctly for Azure AD. I am following the directions from this source: https://msdn.microsoft.com/en-us/library/azure/dn645542.aspx

我可以通过使用此请求成功获得授权码响应:https://login.microsoftonline.com/[app-endpoint-id]/oauth2/authorize?response_type=code&client_id=[client-id]&redirect_uri=[redirect-uri]

I can successfully get an authorization code response by using this request: https://login.microsoftonline.com/[app-endpoint-id]/oauth2/authorize?response_type=code&client_id=[client-id]&redirect_uri=[redirect-uri]

然后我使用授权码来请求一个带有 http 帖子的访问令牌，就像这样(我正在使用 Postman 测试这个):

I then use the authorization code to request an access token with a http post like so (I am testing this using Postman):

POST /[app-endpoint-id]/oauth2/token HTTP/1.1 Host: login.microsoftonline.com Cache-Control: no-cache Postman-Token: ed098281-9aa4-6e5f-915d-0253d9a876d3 Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&client_id=[client-id]&code=[authorization_code]&redirect_uri=[redirect_uri]&client_secret=[client-secret]&resource=[app-url]

我从 POST 请求中收到以下错误消息:

I get the following error message from the POST request:

{"error":"invalid_grant","error_description":"AADSTS65001:用户或管理员未同意使用带有 ID 的应用程序'应用程序ID'.为此用户发送交互式授权请求并资源. 跟踪 ID:trace-di 相关 ID:相关 ID 时间戳:2016-01-1317:18:39Z","error_codes":[65001],"时间戳":"2016-01-1317:18:39Z","trace_id":"trace-id","correlation_id":"correlation-id"}

{"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID 'app-id'. Send an interactive authorization request for this user and resource. Trace ID: trace-di Correlation ID: correlation-id Timestamp: 2016-01-13 17:18:39Z","error_codes":[65001],"timestamp":"2016-01-13 17:18:39Z","trace_id":"trace-id","correlation_id":"correlation-id"}

如果我清除缓存并首次请求授权码，我将被重定向到登录.但是，登录后我没有任何方法来授权我的应用程序，就像它在本文档中所说的那样:

If I clear my cache and make the first request for the authorization code I will be redirected to log in. However, I don't get any way to authorize my app after logging in like it says I should in this documentation:

//azure.microsoft.com/en-us/documentation/articles/active-directory-integrating-applications/

我在这里做错了什么?我正在尝试获取访问令牌.

What am I doing wrong here? I am trying to get an access token.

推荐答案

您遇到的问题是您用来访问您的应用程序的租户尚未将您的应用程序添加到受支持的应用程序列表中.它告诉您以管理员身份使用交互式流程.

The problem you are running in to is that the tenant you are using to access your app has not added your application to the list of applications that are supported. It's telling you to use the interactive flow as an administrator.

同意是一个两步过程:

1) 首先，租户的管理员必须批准该应用程序.这可以通过 1) 在希望使用该应用程序的租户的 Azure 门户中完成，或者 2) 通过启动该应用程序并在您登录时使用该应用程序的管理员凭据来完成.

1) First, the administrator of the tenant must approve the app. This can be done either 1) in the Azure portal of the tenant wishing to use the app or 2) by launching the app and using admin credentials against the app when you sign in.

Azure 门户审批示例:

Example of the Azure portal approval:

_{(来源:azurecomcdn.net)}

2) 其次，在管理员同意可以使用该应用后，任何其他用户(非管理员)在首次使用该应用时将被提升为同意其个人信息.

2) Second, any additional user (non-admin) will be promoted to consent for their individual information when using the app for the first time after the admin has consented that the app can be used.

这篇关于带有 Azure AD 的 OAuth2 - 未获得用户同意的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！