与O365 OAuth的整合失败，错误AADSTS65005 [英] OAuth integration with O365 fails with error AADSTS65005

问题描述

我们有一个网站（构建在PHP框架），我们为教师/学生提供在线教育工具。我们已经做了一个OAuth集成google.com，用户可以在注册，并使用他们的谷歌帐号登录我们的网站（可以是个人Gmail帐户，或谷歌的成员Apps网域）。

We have a web site (built on a php framework) where we provide online educational tools for teachers/students. We have done an OAuth integration with google.com where users can 'sign up' and 'sign in' to our site using their google accounts (could be a personal gmail account, or a member of a google apps domain).

我们正在努力做的O365类似的整合在那里我们的网站可以要求用户的电子邮件和第一/姓氏O365，所以我们可以在我们的网站上为他们创建一个帐户，一旦创建了账号，登录他们进来。我们已经在Azure中创建了一个应用程序清单 - > Active Directory和已生成的客户端ID和秘密，并插入到PHP出来code。 href=\"http://msdn.microsoft.com/en-us/library/azure/dn645542.aspx\">这里介绍的OAuth的认证流程的工作，直到在那里我尝试请求访问令牌点使用POST请求<一个href=\"https://login.windows.net/common/oauth2/token\">https://login.windows.net/common/oauth2/token.它重定向回我的 REDIRECT_URI 但不是给我AUTH code，它给我的网址，这些PARAMS：

We are trying to do a similar integration with O365 where our website can ask O365 for user's email and first/last names so we can create an account for them on our site, and once the account is created, log them in. We have created an Application listing in Azure -> Active Directory, and have generated the client ID and secret, and plugged them into out PHP code. The OAuth workflow described here works up until the point where I try and request the access token using a POST request to https://login.windows.net/common/oauth2/token. It redirects back to my redirect_uri but instead of giving me the auth code, it gives me these params in the URL:

[error] => access_denied
[error_description] => AADSTS65005: The client application has requested access to resource 'https://outlook.office365.com/'. This request has failed because the client has not specified this resource in its requiredResourceAccess list.
Trace ID: xxxxxx
Correlation ID: xxxxxx
Timestamp: 2014-09-29 06:28:25Z
[state] => xxxxxx

所有我需要的是O365给我的用户的电子邮件和F / L的名字。当然，有一个快速修复这个，我很想念？

All I need is for O365 to give me the user's email and f/l names. Surely there's a quick fix for this that I am missing?

推荐答案

默认情况下，注册应用程序配置为请求阅读用户的配置文件，它一旦被用户同意，允许应用获取用户令牌（如果ID令牌使用OpenID连接），并读取用户的配置文件的签署调用时（包括他们的邮件地址或地址） Azure的AD图形API 。通过Azure的AD担保的应用必须配置目前（在权限到其他应用程序一节为一体的应用注册体验的一部分，）他们需要预先许可范围。
在这里，它看起来像您指定Outlook.com作为您想要一个code和访问令牌的资源，但您的应用程序未配置为允许访问O365 Outlook.com/Exchange在线。

By default, a registered app is configured to request "Read the user's profile", which once consented to by the user, allows the app to get a user token (id token if using OpenID Connect) and read the signed in user's profile (including their mail address or addresses) when calling the Azure AD Graph API. Apps secured by Azure AD must currently configure the permission scopes they require up front (as part of the app registration experience, under the "Permissions to other applications" section). Here it looks like you've specified Outlook.com as the resource that you'd like a code and access token for, but your app is not configured to allow access to O365 Outlook.com/Exchange Online.

请尝试在您的要求的Azure AD设置资源 - https://graph.windows.net/ 。这的应的为你工作。然后，您可以交换code访问令牌调用的Azure AD图形API。

Please try setting the resource in your request to Azure AD - https://graph.windows.net/. That should work for you. You can then swap the code for an access token to call the Azure AD Graph API.

希望这有助于

这篇关于与O365 OAuth的整合失败，错误AADSTS65005的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！