
Why is my "access grant malformed" in Azure AD?

I'm trying to get single sign-on working in Azure Active Directory, using this bit of documentation as a guide. However, when I get up to the "access token request" stage, I get the following error:

Error validating credentials. AADSTS70000: The provided access grant is invalid or malformed.

Searching the Internet, it seems that this is usually caused by the redirect_uri parameter being missing in the second step or different between the two steps, but that doesn't seem to be the case here.

Here's what's happening in each step:

Authorize step (raw HTTP request from browser):

GET /[snip tenant id]/oauth2/authorize?redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fpost-login%3Fdest%3D%252F&response_type=code&client_id=[snip client id] HTTP/1.1
Host: login.windows.net
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-AU,en;q=0.8,en-US;q=0.6
Cookie: [snip a handful of cookies]

Redirect step (raw HTTP request from browser):

GET /post-login?code=[snip base64]&session_state=[snip uuid] HTTP/1.1
Host: localhost:5000
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-AU,en;q=0.8,en-US;q=0.6
Cookie: csrftoken=vBjLMAFTw7NSFEJHb2t9GTA0Eoced4rw; azure-redirect-uri="http://localhost:5000/post-login?dest=%2F"

Token request step (raw HTTP request from server code):

POST /[snip tenant id]/oauth2/token HTTP/1.1
Host: login.windows.net
Content-Length: 805
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.5.0 CPython/2.7.6 Darwin/14.0.0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded

redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fpost-login%3Fdest%3D%252F&client_secret=Dsysz7F%2FXh2Wu1YKE%2BVEOkvMHhvc38DnwFTa5qekyXM%3D&code=[snip base64]&client_id=[snip client id]&grant_type=authorization_code

Response to token request (Python dict parsed from the JSON returned):

{
    u'timestamp': u'2014-12-09 05:37:58Z', 
    u'trace_id': u'ae00a782-30f1-4e1c-a183-f19330ecca37',
    u'submit_url': None, 
    u'correlation_id': u'21a7b861-5171-4083-9da5-67e7d956ab5e',
    u'error_description': u'AADSTS70002: Error validating credentials. AADSTS70000: The provided access grant is invalid or malformed.\r\nTrace ID: ae00a782-30f1-4e1c-a183-f19330ecca37\r\nCorrelation ID: 21a7b861-5171-4083-9da5-67e7d956ab5e\r\nTimestamp: 2014-12-09 05:37:58Z',
    u'context': None, 
    u'error': u'invalid_grant',
    u'error_codes': [70002, 70000]
}

Your token request is failing because of the query parameter at the end of your redirect URI. OAuth redirect URIs should not have any query parameters or fragments. You can use the state parameter instead.

I don't think that the authorize call should have succeeded either, but clearly it did. I am checking to see if that is a bug.

See this link for some more information on how to use the OAuth state parameter:

http://www.thread-safe.com/2014/05/the-correct-use-of-state-parameter-in.html
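Added example (not code from the question or the answer above): the same three steps in Python, with the post-login destination moved out of redirect_uri and into state, bound to a per-login nonce so the callback can also be checked for CSRF. It assumes the v1 endpoint shape from the question (login.windows.net/<tenant>/oauth2/...), a web framework session that can hold the nonce between steps 1 and 2, and placeholder tenant, client and code values; it builds the requests but sends nothing.

```python
"""Carry the post-login destination in OAuth 'state' instead of in redirect_uri.

Added example, not from the original question or answer. Assumes the v1 endpoints
used in the question and a server-side session that stores the per-login nonce;
tenant, client and code values below are placeholders.
"""
import base64
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.windows.net"           # assumption: endpoint from the question
REDIRECT_URI = "http://localhost:5000/post-login"  # no query string, no fragment


def redirect_uri_is_clean(uri: str) -> bool:
    """True if the redirect URI carries neither a query string nor a fragment."""
    parts = urlsplit(uri)
    return parts.query == "" and parts.fragment == ""


def new_nonce() -> str:
    """Unguessable per-login value; store it in the user's session at step 1."""
    return secrets.token_urlsafe(16)


def build_state(nonce: str, dest: str) -> str:
    """Pack the CSRF nonce and the post-login destination into one opaque value."""
    payload = json.dumps({"n": nonce, "d": dest}, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload).rstrip(b"=").decode()


def parse_state(state: str) -> tuple:
    """Inverse of build_state; tolerates the stripped base64 padding."""
    padded = state + "=" * (-len(state) % 4)
    data = json.loads(base64.urlsafe_b64decode(padded))
    return data["n"], data["d"]


def authorize_url(tenant: str, client_id: str, nonce: str, dest: str) -> str:
    """Step 1: the URL the browser is sent to. redirect_uri stays query-free."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "state": build_state(nonce, dest),
    }
    return f"{AUTHORITY}/{tenant}/oauth2/authorize?{urlencode(params)}"


def handle_callback(callback_url: str, session_nonce: str) -> tuple:
    """Step 2: validate the redirect back. Returns (code, dest) or raises ValueError."""
    q = parse_qs(urlsplit(callback_url).query)
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    if "state" not in q or "code" not in q:
        raise ValueError("callback missing code or state")
    nonce, dest = parse_state(q["state"][0])
    # Constant-time compare against the nonce stored in the session at step 1.
    if not hmac.compare_digest(nonce.encode(), session_nonce.encode()):
        raise ValueError("state nonce mismatch (possible CSRF)")
    # Only allow same-site relative destinations, so state cannot become an open redirect.
    if not dest.startswith("/") or dest.startswith("//"):
        raise ValueError("refusing to redirect off-site")
    return q["code"][0], dest


def token_request_form(tenant: str, client_id: str, client_secret: str, code: str) -> tuple:
    """Step 3: (url, form) for the POST; redirect_uri must equal step 1 byte for byte."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/token", form


if __name__ == "__main__":
    # Constructed walk-through with placeholder identifiers; no network traffic.
    nonce = new_nonce()
    print(authorize_url("TENANT_ID", "CLIENT_ID", nonce, "/"))
    # Simulated redirect from the identity provider (code and session_state are made up).
    cb = f"{REDIRECT_URI}?code=PLACEHOLDER_CODE&state={build_state(nonce, '/')}&session_state=x"
    code, dest = handle_callback(cb, nonce)
    print(token_request_form("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET", code))
```

The nonce is compared with hmac.compare_digest rather than ==, and the destination is restricted to a relative path before it is used, since anything placed in state comes back from the browser and must be treated as untrusted input.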
