简体繁体 English

IdentityServer3 Microsoft Graph范围和流程

[英]IdentityServer3 Microsoft Graph scopes and flow

原文 2016-12-14 16:40:07 7 1 c#/ azure/ azure-active-directory/ identityserver3/ microsoft-graph

My solution has been working fine authenticating against Azure AD via IdentityServer3. 我的解决方案一直在通过IdentityServer3对Azure AD进行良好的身份验证。 Now we're trying to integrate some Microsoft Graph features. 现在，我们正在尝试集成一些Microsoft Graph功能。 Sadly, it's failing miserably. 可悲的是，它失败了。

Running through one of the demo ( https://graph.microsoft.io/en-us/docs/get-started/aspnetmvc ) projects, the documentation details the registration of a new application at the Microsoft App Registration Portal ( https://apps.dev.microsoft.com ) and explicitly tell the application to allow implicit flow. 通过一个示例项目（ https://graph.microsoft.io/en-us/docs/get-started/aspnetmvc ）运行，该文档详细介绍了在Microsoft App Registration Portal（ https：/）上新应用程序的注册。 /apps.dev.microsoft.com ），并明确告知应用程序允许隐式流。

Make sure the Allow Implicit Flow check box is selected, and enter http://localhost:55065/ as the Redirect URI. 确保选中“ 允许隐式流”复选框，然后输入http：// localhost：55065 /作为重定向URI。 The Allow Implicit Flow option enables the OpenID Connect hybrid flow. 允许隐式流选项启用OpenID Connect混合流。 During authentication, this enables the app to receive both sign-in info (the id_token) and artifacts (in this case, an authorization code) that the app uses to obtain an access token. 在身份验证期间，这使应用程序可以接收应用程序用来获取访问令牌的登录信息（id_token）和工件（在这种情况下为授权码）。

Of course, we already have an application registered on our production portal of Azure that does our Authentication, and from our Client in IdentityServer3, we have the flows set as Flow = Flows.Implicit which would seem to indicate that we're now only allowing implicit flow, but expecting implicit flow. 当然，我们已经在Azure的生产门户上注册了进行身份验证的应用程序，并且从IdentityServer3中的客户端将流设置为Flow = Flows.Implicit ，这似乎表明我们现在仅允许隐式流，但期望隐式流。

When I add in the additional scopes - offline_access User.Read Mail.Send - I'm no longer able to successfully authenticate, instead, I'm receiving an error stating Invalid Scope . 当我添加其他范围时offline_access User.Read Mail.Send我不再能够成功进行身份验证，相反，我收到一条错误消息，指出Invalid Scope 。

My concern is that the "Microsoft App Registration Portal" is just different enough from real life, that something is not being set properly. 我担心的是，“ Microsoft应用程序注册门户”与现实生活完全不同，未正确设置某些内容。 There's no specific "Allow Implicit Flow" setting on production Azure App Registration, so is it really accepting Implicit Flow ? 生产Azure应用注册上没有特定的“允许隐式流程”设置，因此它真的接受Implicit Flow吗？

Has anyone had any luck integrating these two systems and receiving the desired results of full utilization of Microsoft Graph from a single authentication against Azure AD utilizing IdentityServer3? 是否有人能将这两个系统集成在一起并从使用IdentityServer3针对Azure AD的单个身份验证中获得Microsoft Graph的完全利用所期望的结果？

1 个解决方案

Enabling the implicit grant flow in the Azure AD Registration portal requires adding "oauth2AllowImplicitFlow":true in your app manifest. 要在Azure AD注册门户中启用隐式授予流，需要在应用清单中添加"oauth2AllowImplicitFlow":true 。 The "Enabling OAuth 2.0 implicit grant for Single Page Applications" section of this document has detailed step-by-step directions on how to do that: 本文档的“为单页应用程序启用OAuth 2.0隐式授予”部分详细说明了如何执行此操作的分步说明：

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-integrating-applications https://docs.microsoft.com/zh-cn/azure/active-directory/active-directory-integrating-applications

Additionally implicit grant flows will not give you a refresh token, the offline_access scope is specifically asking for a refresh token. 另外，隐式授予流不会提供刷新令牌， offline_access范围专门要求刷新令牌。 I would suggest removing that scope. 我建议删除该范围。

Here's a good doc for more reading on the details of implicit grant on AAD: 这是一个很好的文档，可以进一步阅读有关AAD隐式授予的详细信息：

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-dev-understanding-oauth2-implicit-grant https://docs.microsoft.com/zh-cn/azure/active-directory/active-directory-dev-understanding-oauth2-implicit-grant