Multiple resources in a single authorization request


Question


We currently use the following authorize url: https://login.microsoftonline.com/common/oauth2/authorize?resource=https%3A%2F%2Foutlook.office365.com


We want to also use the Graph API, so I added the following: https://login.microsoftonline.com/common/oauth2/authorize?resource=https%3A%2F%2Foutlook.office365.com%2F%26https%3A%2F%2Fgraph.microsoft.com


I've tried different delimiters between the two resources, but couldn't get it to work. Each resource works separately. I hope that more than one resource at a time is supported?

Recommended answer


I think what you're trying to do here by passing multiple values to the resource parameter directly will not work (probably not a supported scenario, but I'll wait till someone from Microsoft confirms or I find Azure AD documentation stating exactly that. In the meanwhile, here's an old blog post that says something like this, but it's a blog post talking about SSO and it's old, from 2014 :), so I don't want to rely solely on this.)


Below I'm explaining how you can make this scenario work by reusing refresh tokens, without passing both resource ids in the same call. (NOTE: This approach will work for the Authorization Code Grant flow but not for the Implicit Grant flow used by something like a JavaScript-based SPA, because no refresh token is returned in that case.)

  • Once the authorization code is available from the authorize endpoint, you go to the Azure AD token endpoint requesting a token for a single resource (using a REST call to the endpoint, or something like the ADAL library's AcquireToken method, depending on your application requirements)
  • You get back an access token + refresh token as the response to your call to the token endpoint. The access token is valid for the resource that was mentioned in the first call (say graph.microsoft.com)
  • Then, using the refresh token you just got, you make another call to the token endpoint (REST, or ADAL AcquireTokenSilent so that there isn't a popup asking for user credentials this second time) and get a token for the second resource by specifying the 2nd resource id in that call
  • The access token you get this time is valid for the 2nd resource.
  • In fact you can continue doing this, and hence the name Multi-resource refresh tokens shows up in some places. Although now all refresh tokens are supposed to be multi-resource, i.e. valid for requesting any resource that your application has consent for.
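As an added example, not part of the original answer, the Python below performs the chain of calls just described against the Azure AD v1 token endpoint: one authorization-code exchange for the first resource, then a refresh-token call per additional resource. The client id, secret, code and redirect URI are placeholders, and the `post` function is injectable so the flow can be exercised offline.

```python
import json
import urllib.parse
import urllib.request

# Azure AD v1 token endpoint for the "common" tenant alias used in the question's authorize URL.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/token"

def default_post(url, form):
    """POST a form-encoded body to the token endpoint and decode the JSON reply (real network)."""
    data = urllib.parse.urlencode(form).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return json.loads(resp.read())

def auth_code_form(client_id, code, redirect_uri, resource, client_secret=None):
    """First token call: spend the authorization code for ONE resource; yields access + refresh token."""
    form = {"grant_type": "authorization_code", "client_id": client_id, "code": code,
            "redirect_uri": redirect_uri, "resource": resource}
    if client_secret:  # confidential (web app) clients only; public clients omit it
        form["client_secret"] = client_secret
    return form

def refresh_form(client_id, refresh_token, resource, client_secret=None):
    """Later calls: reuse the refresh token to get a token for ANOTHER resource, with no user prompt."""
    form = {"grant_type": "refresh_token", "client_id": client_id,
            "refresh_token": refresh_token, "resource": resource}
    if client_secret:
        form["client_secret"] = client_secret
    return form

def acquire_tokens(client_id, code, redirect_uri, resources, client_secret=None, post=default_post):
    """Return {resource: access_token} for every resource, using one code and chained refresh calls."""
    tokens, refresh_token = {}, None
    for index, resource in enumerate(resources):
        if index == 0:
            form = auth_code_form(client_id, code, redirect_uri, resource, client_secret)
        else:  # the code is single-use; every further audience comes from the latest refresh token
            form = refresh_form(client_id, refresh_token, resource, client_secret)
        reply = post(TOKEN_ENDPOINT, form)
        # v1 replies echo the audience in "resource": refuse a token minted for something else
        if reply.get("resource", resource) != resource:
            raise ValueError(f"token issued for {reply.get('resource')!r}, wanted {resource!r}")
        tokens[resource] = reply["access_token"]
        # keep the newest refresh token; it is a long-lived credential, so store it server-side only
        refresh_token = reply.get("refresh_token", refresh_token)
    return tokens
```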

Links that can help you understand and implement this further

Refreshing tokens for multiple resources

This SO post. Also check the comments.

This SO post.
