为什么带有 ClientCredential 的 AcquireToken 会因 invalid_client (ACS50012) 而失败? [英] Why does AcquireToken with ClientCredential fail with invalid_client (ACS50012)?

问题描述

为什么我的 Azure AD 应用程序不允许 oauth client_credentials 授权?

我想使用 Azure Graph API，但首先我需要一个 oauth 令牌.为了获得令牌，我正在尝试使用 Microsoft.IdentityModel.Clients.ActiveDirectory aka ADAL 1.0.3 版(来自 NuGet).

我正在使用带有 ClientCredential 对象的 AuthenticationContext.AcquireToken 的重载.(我不能使用提示用户登录的重载，因为我正在编写服务，而不是应用程序.)

我按照各种教程/示例(例如 ADAL - 服务器到服务器身份验证).

我的代码如下:

AuthenticationContext ac = new AuthenticationContext("https://login.windows.net/thommmondago.onmicrosoft.com");ClientCredential cc = new ClientCredential("41151135-61b8-40f4-aff7-8627e9eaf853", clientSecretKey);AuthenticationResult 结果 = ac.AcquireToken("https://graph.windows.net", cc);

AcquireToken 行抛出异常:

sts_token_request_failed:对安全令牌服务的令牌请求失败.检查 InnerException 了解更多详情

内部异常是 WebException，收到的响应看起来像一个 oauth 错误:

{ "error":"invalid_client","error_description":"ACS50012:身份验证失败."错误代码":[50012]，"时间戳":"2014-03-17 12:26:19Z","trace_id":"a4ee6702-e07b-40f7-8248-589e49e96a8d",correlation_id":b304af2e-2748-4067-99d0-2d7e55b121cd"}

绕过 ADAL 并将 curl 与 oauth 端点一起使用也会产生相同的错误.

如果我使用我找到的 Azure 应用程序的详细信息 这里:

AuthenticationContext ac = new AuthenticationContext("https://login.windows.net/graphDir1.onmicrosoft.com");ClientCredential cc = new ClientCredential("b3b1fc59-84b8-4400-a715-ea8a7e40f4fe", "FStnXT1QON84B5o38aEmFdlNhEnYtzJ91Gg/JH/Jxiw=");AuthenticationResult 结果 = ac.AcquireToken("https://graph.windows.net", cc);

所以这不是我的代码错误.我认为这要么是我的 Azure AD 出错，要么是我的 ClientCredential 参数有误.

解决方案

原来是 Windows Azure 出错，我的代码或配置没有问题.

在微软解决了 Azure 中的问题后，我不得不创建一个新应用程序并开始工作.

微软论坛回答:

<块引用>

我们发现在昨天结束的几天时间范围内创建的应用程序出现了一些错误.我们正在继续修复这些应用程序，但我没有一个好的 eta 何时完成.对此造成的影响，我深表歉意.

您可以尝试创建一个新的应用程序并使用新的客户端 ID 重新执行操作吗?

谢谢

Why won't my Azure AD application allow an oauth client_credentials grant?

I want to use the Azure Graph API, but first I need an oauth token. To get the token, I am trying to use Microsoft.IdentityModel.Clients.ActiveDirectory aka ADAL version 1.0.3 (from NuGet).

I'm using the overload of AuthenticationContext.AcquireToken that takes a ClientCredential object. (I can't use the overload that prompts the user to login because I'm writing a service, not an app.)

I configured my Azure AD web application as described in various tutorials/samples (e.g. ADAL - Server to Server Authentication).

My code looks like:

AuthenticationContext ac = new AuthenticationContext("https://login.windows.net/thommmondago.onmicrosoft.com");
ClientCredential cc = new ClientCredential("41151135-61b8-40f4-aff7-8627e9eaf853", clientSecretKey);
AuthenticationResult result = ac.AcquireToken("https://graph.windows.net", cc);

The AcquireToken line throws an exception:

sts_token_request_failed: Token request to security token service failed.  Check InnerException for more details

The inner exception is a WebException, and the response received looks like an oauth error:

{ "error":"invalid_client",
 "error_description":"ACS50012: Authentication failed."
 "error_codes":[50012],
 "timestamp":"2014-03-17 12:26:19Z",
 "trace_id":"a4ee6702-e07b-40f7-8248-589e49e96a8d",
 "correlation_id":"b304af2e-2748-4067-99d0-2d7e55b121cd" }

Bypassing ADAL and using curl with the oauth endpoint also gives the same error.

My code works if I use the details of the Azure application that I found here:

AuthenticationContext ac = new AuthenticationContext("https://login.windows.net/graphDir1.onmicrosoft.com");
ClientCredential cc = new ClientCredential("b3b1fc59-84b8-4400-a715-ea8a7e40f4fe", "FStnXT1QON84B5o38aEmFdlNhEnYtzJ91Gg/JH/Jxiw=");
AuthenticationResult result = ac.AcquireToken("https://graph.windows.net", cc);

So it's not an error with my code. I think it's either an error with my Azure AD, or I've got the ClientCredential parameters wrong.

解决方案

This turned out to be an error in Windows Azure, there was nothing wrong with my code or config.

After Microsoft fixed the problem in Azure, I had to create a new application and it started working.

Forum answer from Microsoft:

Hi,

We are seeing some errors with applications created in a several day time range, ending yesterday. We are continuing to fix up these applications but I don't have a good eta when this will be done. I'm apologize for the impact here.

Can you try creating a new application and retying the operation with the new client id?

thanks

这篇关于为什么带有 ClientCredential 的 AcquireToken 会因 invalid_client (ACS50012) 而失败?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！