
JWT CSOM/REST Azure Active Directory

We have been trying to make requests to SharePoint using CSOM/REST with an Authorization Bearer header carrying a token. It is related to this question:

C# CSOM SharePoint Bearer request from Azure Active Directory

There is only one link/example that works; all others, including the Android ADAL approach, don't work.

https://samlman.wordpress.com/2015/02/27/using-adal-access-tokens-with-o365-rest-apis-and-csom/

They don't seem to return as long a token. When we look at the token in a JWT parser, we can see that the scp value is different: the one that fails has user_impersonation, but the working one has AllSites.Manage AllSites.Read AllSites.Write MyFiles.Read MyFiles.Write. The aud URL is also different. Are one or both of these the problem, and how do I get it working?

This is the one that fails:

{
  "aud": "https://srmukdev.onmicrosoft.com/3Squared-Api-Test",
  "iss": "...",
  "iat": ...,
  "nbf": ...,
  "exp": ..,
  "acr": "...",
  "aio": "...",
  "amr": [
    "pwd",
    "mfa"
  ],
  "appid": "...",
  "appidacr": "0",
  "e_exp": ...,
  "family_name": "...",
  "given_name": "...",
  "ipaddr": "...",
  "name": "...",
  "oid": "...",
  "onprem_sid": "...",
  "platf": "3",
  "scp": "user_impersonation",
  "sub": "...",
  "tid": "...",
  "unique_name": "...",
  "upn": "...",
  "ver": "1.0"
}

This is the one that works:

{
  "aud": "https://srmukdev.sharepoint.com/",
  "iss": "...",
  "iat": ...,
  "nbf": ...,
  "exp": ...,
  "acr": "...",
  "aio": "...",
  "amr": [
    "pwd",
    "mfa"
  ],
  "app_displayname": "...",
  "appid": "...",
  "appidacr": "0",
  "e_exp": ...,
  "family_name": "...",
  "given_name": "...",
  "ipaddr": "...",
  "name": "...",
  "oid": "...",
  "onprem_sid": "...",
  "platf": "3",
  "puid": "...",
  "scp": "AllSites.Manage AllSites.Read AllSites.Write MyFiles.Read MyFiles.Write",
  "sub": "...",
  "tid": "...",
  "unique_name": "...",
  "upn": "...",
  "ver": "1.0"
}

The access token is issued for a specific resource, which you can check via its aud claim. The first token is used for authentication to your custom resource.

To get the token for a specific resource, we can use the resource parameter to specify which resource we want to request the token for. For example, if I want to get the token for the Microsoft Graph resource, we can construct the request like below:

POST /{tenant}/oauth2/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&client_id=2d4d11a2-f814-46a7-890a-274a72a7309e
&code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGBCmLdgfSTLEMPGYuNHSUYBrqqf_ZT_p5uEAEJJ_nZ3UmphWygRNy2C3jJ239gV_DBnZ2syeg95Ki-374WHUP-i3yIhv5i-7KU2CEoPXwURQp6IVYMw-DjAOzn7C3JCu5wpngXmbZKtJdWmiBzHpcO2aICJPu1KvJrDLDP20chJBXzVYJtkfjviLNNW7l7Y3ydcHDsBRKZc3GuMQanmcghXPyoDg41g8XbwPudVh7uCmUponBQpIhbuffFP_tbV8SNzsPoFz9CLpBCZagJVXeqWoYMPe2dSsPiLO9Alf_YIe5zpi-zY4C3aLw5g9at35eZTfNd0gBRpR5ojkMIcZZ6IgAA
&redirect_uri=https%3A%2F%2Flocalhost%2Fmyapp%2F
&resource=https%3A%2F%2Fservice.contoso.com%2F
&client_secret=p@ssw0rd

If you want to acquire the access token for https://srmukdev.sharepoint.com/, you need to set the resource parameter to https://srmukdev.sharepoint.com/ in the request, according to the flow you are using.

For more detail about the flows Azure AD supports for acquiring an access token, you can refer to the link below:

Azure Active Directory Authentication Protocols
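The diagnosis in this answer (compare the token's aud to the resource you are calling, then check scp) can be automated. The following is an added example, not code from the question or the answer: it builds the v1 endpoint form body with the resource parameter set to the SharePoint tenant URL, and it decodes a token's payload to report why SharePoint would reject it. The two sample tokens are constructed inline from the claims quoted above (unsigned, alg "none") so the script runs offline; the function names, the required-scope list and the placeholder client_id/code/secret are assumptions for illustration. The payload decoder deliberately skips signature verification because it is an inspection tool for your own tokens, never something to base an authorization decision on.

```python
import base64
import json
from urllib.parse import urlencode

# Resource identifier SharePoint Online expects in aud (note the trailing slash,
# as in the working token on the page).
SHAREPOINT_RESOURCE = "https://srmukdev.sharepoint.com/"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used in compact JWS serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(payload: dict) -> str:
    """Constructed, unsigned token (alg none) so the example runs offline.
    A real Azure AD token is RS256-signed; this is only inspection fodder."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}."


# Constructed from the two claim sets quoted in the question.
FAILING_TOKEN = make_unsigned_jwt({
    "aud": "https://srmukdev.onmicrosoft.com/3Squared-Api-Test",
    "scp": "user_impersonation",
    "ver": "1.0",
})
WORKING_TOKEN = make_unsigned_jwt({
    "aud": "https://srmukdev.sharepoint.com/",
    "scp": "AllSites.Manage AllSites.Read AllSites.Write MyFiles.Read MyFiles.Write",
    "ver": "1.0",
})


def decode_payload(token: str) -> dict:
    """Decode the payload segment WITHOUT verifying the signature.
    Inspection only: never trust these claims for an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token: str, resource: str, required_scopes=()):
    """Return the reasons `resource` would reject this token; [] means it fits."""
    claims = decode_payload(token)
    problems = []
    aud = claims.get("aud")
    # Exact string comparison: the resource identifier is opaque to the client,
    # so do not normalise away the trailing slash or case.
    if aud != resource:
        problems.append(f"aud is {aud!r}, expected {resource!r}")
    granted = set(claims.get("scp", "").split())
    missing = set(required_scopes) - granted
    if missing:
        problems.append("scp missing " + " ".join(sorted(missing)))
    return problems


def token_endpoint(tenant: str) -> str:
    """v1 endpoint URL from the answer; tenant is a GUID or verified domain."""
    return f"https://login.microsoftonline.com/{tenant}/oauth2/token"


def build_token_request(tenant, client_id, code, redirect_uri, resource, client_secret):
    """Form body for the authorization_code grant on the v1 endpoint, with the
    resource parameter pointing at the API the token must be issued for."""
    body = urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "resource": resource,
        "client_secret": client_secret,
    })
    return token_endpoint(tenant), body


if __name__ == "__main__":
    for name, tok in (("failing", FAILING_TOKEN), ("working", WORKING_TOKEN)):
        print(name, diagnose(tok, SHAREPOINT_RESOURCE, ["AllSites.Read"]) or "OK")
    url, body = build_token_request("srmukdev.onmicrosoft.com", "client-id-placeholder",
                                    "code-placeholder", "https://localhost/myapp/",
                                    SHAREPOINT_RESOURCE, "secret-placeholder")
    print(url)
    print(body)
```

Run it and the first token reports both a wrong aud and a missing scope while the second reports nothing, which matches the behaviour described in the question; the printed form body shows the resource value percent-encoded exactly as the answer's sample request does.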
