
Windows Azure: AD app for external access throws error on token issue

I am trying to build an Azure AD access app. I have to enable this app for external tenants. I have enabled external access on this app and it is configured to use the Graph API also. I have tested the app in the tenant in which it was created and everything (auth + Graph API access) works. Now here is the flow for the external tenant:

  • I take the external tenant user to the grant consent URL of my app, the user (who is an admin of the external tenant) grants the access and I get the correct response.
  • Now I want to get the authorization token for this user, so I take the user through the normal OAuth process via

     https://login.windows.net/common/oauth2/authorize

followed by

    https://login.windows.net/common/oauth2/token/

At this point Azure throws the following error:

    {
      "error": "invalid_grant",
      "error_description": "AADSTS50000: There was an error issuing a token. AADSTS65005: No permission to access \u0027https://graph.windows.net\u0027 resource is configured for \u0027d2037ff7-24e4-4cac-8e5e-16e370b36238\u0027 application, or it is expired or revoked.\r\nTrace ID: 472aa92f-35a2-4ed9-ab07-12488cc9e6f5\r\nCorrelation ID: b163dde5-eac5-4c82-99ad-0e1100487cb9\r\nTimestamp: 2013-09-23 05:28:41Z",
      "error_codes": [50000, 65005],
      "timestamp": "2013-09-23 05:28:41Z",
      "trace_id": "472aa92f-35a2-4ed9-ab07-12488cc9e6f5",
      "correlation_id": "b163dde5-eac5-4c82-99ad-0e1100487cb9"
    }

Why this error, even when the app has been granted access? I tried to look up the STS errors but found no explanation. Any ideas?

[update]

The SAML process continues to work for the external tenant, however, i.e. I can use the app for SAML (SSO) login for this external tenant. The problem only seems to come up when getting access to the Graph API.

Try adding &prompt=consent or &prompt=admin_consent to the full authorize URL to re-request the user consent. My experience has been that the consent will be randomly revoked (maybe a bug) and will not ever be automatically re-requested (definitely a bug).
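As an added illustration of the answer above (example code written for this page, not code from the question, the answer, or Microsoft): a small Python helper that builds the Azure AD v1 authorize URL with the optional prompt parameter the answer recommends, parses a token-endpoint error body, and recognises the AADSTS65005 condition from the question so that an app can deliberately re-request consent instead of failing with an opaque invalid_grant. The client_id in the sample comes from the error message in the question; the redirect URI, state value, and all function names are assumptions made for this example.

```python
"""Added example: detect a revoked/missing-consent token error from Azure AD
and build the authorize URL that re-requests consent.

Not part of the original post. The endpoint and resource URLs are the ones the
question uses; redirect_uri, state and the helper names are constructed here.
"""
import json
import re
from urllib.parse import urlencode

AUTHORIZE_ENDPOINT = "https://login.windows.net/common/oauth2/authorize"
GRAPH_RESOURCE = "https://graph.windows.net"

# AADSTS codes appear in error_description as "AADSTS65005: ..."; the structured
# error_codes array is preferred when present, this regex is the fallback.
AADSTS_RE = re.compile(r"AADSTS(\d+)")
CONSENT_REVOKED_CODE = 65005


def build_authorize_url(client_id, redirect_uri, state, prompt=None):
    """Return the authorize URL; prompt is None, "consent" or "admin_consent".

    prompt=admin_consent asks a tenant admin to consent on behalf of the whole
    external tenant, prompt=consent re-asks the signed-in user.
    """
    if prompt not in (None, "consent", "admin_consent"):
        raise ValueError("unsupported prompt value: %r" % (prompt,))
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "resource": GRAPH_RESOURCE,
        "state": state,  # anti-CSRF value; validate it on the callback
    }
    if prompt:
        params["prompt"] = prompt
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_token_error(body):
    """Parse a token-endpoint JSON body.

    Returns (error, [aadsts codes]); a successful token response gives (None, []).
    """
    data = json.loads(body)
    if "error" not in data:
        return None, []
    codes = data.get("error_codes")
    if not codes:
        codes = [int(c) for c in AADSTS_RE.findall(data.get("error_description", ""))]
    return data["error"], list(codes)


def needs_reconsent(body):
    """True when the token response reports AADSTS65005, i.e. no permission is
    configured for the resource or the consent expired or was revoked."""
    error, codes = parse_token_error(body)
    return error == "invalid_grant" and CONSENT_REVOKED_CODE in codes


def recovery_url(body, client_id, redirect_uri, state, admin=True):
    """Return an authorize URL that re-requests consent if the token error calls
    for it, otherwise None (the caller should surface the error instead)."""
    if not needs_reconsent(body):
        return None
    prompt = "admin_consent" if admin else "consent"
    return build_authorize_url(client_id, redirect_uri, state, prompt=prompt)


# Constructed sample: the error body from the question, compacted onto one line.
SAMPLE_ERROR = (
    '{"error":"invalid_grant","error_description":"AADSTS50000: There was an error '
    'issuing a token. AADSTS65005: No permission to access '
    '\\u0027https://graph.windows.net\\u0027 resource is configured for '
    '\\u0027d2037ff7-24e4-4cac-8e5e-16e370b36238\\u0027 application, or it is expired '
    'or revoked.\\r\\nTrace ID: 472aa92f-35a2-4ed9-ab07-12488cc9e6f5\\r\\nCorrelation ID: '
    'b163dde5-eac5-4c82-99ad-0e1100487cb9\\r\\nTimestamp: 2013-09-23 05:28:41Z",'
    '"error_codes":[50000,65005],"timestamp":"2013-09-23 05:28:41Z",'
    '"trace_id":"472aa92f-35a2-4ed9-ab07-12488cc9e6f5",'
    '"correlation_id":"b163dde5-eac5-4c82-99ad-0e1100487cb9"}'
)

# Constructed sample: a successful token response (values are placeholders).
SAMPLE_OK = '{"access_token":"PLACEHOLDER","token_type":"Bearer","expires_in":"3599"}'

if __name__ == "__main__":
    url = recovery_url(
        SAMPLE_ERROR,
        client_id="d2037ff7-24e4-4cac-8e5e-16e370b36238",
        redirect_uri="https://app.example.invalid/callback",  # assumption
        state="example-state",  # assumption
    )
    print(parse_token_error(SAMPLE_ERROR))
    print(url)
```

The point of keeping error_codes and the AADSTS regex separate is that the structured array is what to branch on when it is present; the description text is only a fallback and should never be shown to end users unredacted, since it carries trace and correlation IDs useful to support but not to the person signing in.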
