[英]JWT CSOM/REST Azure Active Directory
We have been trying to make requests to sharepoint using CSOM/REST Authentication Bearer header requests with a token. 我们一直在尝试使用带有令牌的CSOM / REST身份验证承载头请求来请求共享点。 It is related to this question below: 与下面的这个问题有关:
C# CSOM Sharepoint Bearer request from azure active directory 来自Azure活动目录的C#CSOM Sharepoint Bearer请求
There is only one link/example that works all others including the android ADAL approach don't work. 只有一个链接/示例对所有其他链接都有效,包括android ADAL方法不起作用。
https://samlman.wordpress.com/2015/02/27/using-adal-access-tokens-with-o365-rest-apis-and-csom/ https://samlman.wordpress.com/2015/02/27/using-adal-access-tokens-with-o365-rest-apis-and-csom/
They don't seem to return as long a token, when we look at the token in JWT parser, we can see that the scp value is different, the one that fails has user_impersonate , but the working one has AllSites.Manage AllSites.Read AllSites.Write MyFiles.Read MyFiles.Write . 他们似乎并没有返回那么长的令牌,当我们在JWT解析器中查看令牌时,我们可以看到scp值是不同的,失败的具有user_impersonate ,但是工作的具有AllSites.Manage AllSites.Read AllSites.Write MyFiles.Read MyFiles.Write 。 The aud url is also different, are one or both of these the problem and how do I get it working? 音频网址也不同,这是问题之一还是两者都是,我如何使它工作?
This is the ones that fails: 这是失败的:
{
"aud": "https://srmukdev.onmicrosoft.com/3Squared-Api-Test",
"iss": "...",
"iat": ...,
"nbf": ...,
"exp": ..,
"acr": "...",
"aio": "...",
"amr": [
"pwd",
"mfa"
],
"appid": "...",
"appidacr": "0",
"e_exp": ...,
"family_name": "...",
"given_name": "...",
"ipaddr": "...",
"name": "...",
"oid": "...",
"onprem_sid": "...",
"platf": "3",
"scp": "user_impersonation",
"sub": "...",
"tid": "...",
"unique_name": "...",
"upn": "...",
"ver": "1.0"
}
This is the ones that works: 这是可行的:
{
"aud": "https://srmukdev.sharepoint.com/",
"iss": "...",
"iat": ...,
"nbf": ...,
"exp": ...,
"acr": "...",
"aio": "...",
"amr": [
"pwd",
"mfa"
],
"app_displayname": "...",
"appid": "...",
"appidacr": "0",
"e_exp": ...,
"family_name": "...",
"given_name": "...",
"ipaddr": "...",
"name": "...",
"oid": "...",
"onprem_sid": "...",
"platf": "3",
"puid": "...",
"scp": "AllSites.Manage AllSites.Read AllSites.Write MyFiles.Read MyFiles.Write",
"sub": "...",
"tid": "...",
"unique_name": "...",
"upn": "...",
"ver": "1.0"
}
The access token is for the specific resource by checking its aud
claim. 通过检查其aud
声明,访问令牌用于特定资源。 The first token is used for authentication for your custom resource. 第一个令牌用于身份验证您的自定义资源。
To get the token for the specific resource, we can use the parameter resource
to specify which resource we want to request for the token. 要获取特定资源的令牌,我们可以使用参数resource
来指定我们要请求令牌的资源。 For example, if I want to get the token for the Microsoft Graph resource, we can construct the request like below: 例如,如果我想获取Microsoft Graph资源的令牌,我们可以像下面这样构造请求:
POST /{tenant}/oauth2/token HTTP/1.1
Host: https://login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
&client_id=2d4d11a2-f814-46a7-890a-274a72a7309e
&code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGBCmLdgfSTLEMPGYuNHSUYBrqqf_ZT_p5uEAEJJ_nZ3UmphWygRNy2C3jJ239gV_DBnZ2syeg95Ki-374WHUP-i3yIhv5i-7KU2CEoPXwURQp6IVYMw-DjAOzn7C3JCu5wpngXmbZKtJdWmiBzHpcO2aICJPu1KvJrDLDP20chJBXzVYJtkfjviLNNW7l7Y3ydcHDsBRKZc3GuMQanmcghXPyoDg41g8XbwPudVh7uCmUponBQpIhbuffFP_tbV8SNzsPoFz9CLpBCZagJVXeqWoYMPe2dSsPiLO9Alf_YIe5zpi-zY4C3aLw5g9at35eZTfNd0gBRpR5ojkMIcZZ6IgAA
&redirect_uri=https%3A%2F%2Flocalhost%2Fmyapp%2F
&resource=https%3A%2F%2Fservice.contoso.com%2F
&client_secret=p@ssw0rd
If you want to acquire the access token for https://srmukdev.sharepoint.com/
, you need to assign the value of resource
parameter with https://srmukdev.sharepoint.com/
in the request according to the flow you were using. 如果要获取https://srmukdev.sharepoint.com/
的访问令牌,则需要根据所使用的流程在请求中使用https://srmukdev.sharepoint.com/
分配resource
参数的值。
More detail about the flows Azure AD support to acquire access token, you can refer the link below: 有关Azure AD支持获取访问令牌的流程的更多详细信息,您可以参考以下链接:
Azure Active Directory Authentication Protocols Azure Active Directory身份验证协议
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.