Azure AD access token: Scope (scp) claim not found

I have created a multi-tenant application in Azure AD. When I try to get an access token and check it in jwt.io, I find that scp (Scope) is missing.

```csharp
// Authority URLs tried so far (the commented-out ones did not produce an scp claim either)
//string authority = "https://login.microsoftonline.com/{0}/common/oauth2/v2.0/token?&response_type=code&scope=openid%20profile%20User.ReadWrite%20User.ReadBasic.All%20Sites.ReadWrite.All%20Contacts.ReadWrite%20People.Read%20Notes.ReadWrite.All%20Tasks.ReadWrite%20Mail.ReadWrite%20Files.ReadWrite.All%20Calendars.ReadWrite";
//string authority = "https://login.microsoftonline.com/{0}/common/oauth2/v2.0/token?&scope=https://graph.windows.net/directory.read%20https://graph.windows.net/directory.write";
//string authority = "https://login.microsoftonline.com/{0}/common/oauth2/v2.0/token";
//string authority = "https://login.microsoftonline.com/{0}";
//string authority = "https://login.microsoftonline.com/{0}/common/oauth2/v2.0/token?&response_type=code&scope=openid%20profile%20User.Read%20User.ReadWrite%20User.ReadBasic.All";
//string authority = "https://login.microsoftonline.com/{0}/oauth2/token?scope=User.ReadBasic.All";
//string authority = "https://login.microsoftonline.com/{0}/oauth2/token?scope=User.ReadBasic.All";
string authority = "https://login.microsoftonline.com/common/oauth2/v2.0/token?response_type=token&scope=User.ReadBasic.All";
```

I have tried many combinations for the authority URL.

```csharp
using System;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL: AuthenticationContext, ClientCredential

string graphResourceId = "https://graph.microsoft.com";
string clientId = "XXXX";
string secret = "XXXX";
string tenantId = "XXXX"; // placeholder tenant id, as with clientId and secret above
authority = String.Format(authority, tenantId);
AuthenticationContext authContext = new AuthenticationContext(authority);
// Client credentials flow: the token is issued to the application itself, with no signed-in user
var accessToken = authContext.AcquireTokenAsync(graphResourceId, new ClientCredential(clientId, secret)).Result;
```


How do I get the scope of the microsoft.graph resource?

If they are delegated permissions, they are presented to the resource at run-time as "scp" claims in the client's access token.

But you are using Application permissions, which specify role-based access using the client application's credentials/identity, and are presented to the resource at run-time as "roles" claims in the client's access token.

"Delegated" permissions, which specify scope-based access using delegated authorization from the signed-in resource owner, are presented to the resource at run-time as "scp" claims in the client's access token.

Application permissions, which specify role-based access using the client application's credentials/identity, are presented to the resource at run-time as "roles" claims in the client's access token.


How do I get the scope of the microsoft.graph resource?

We could get the answer from this link.

Permission requests are configured on the "Applications" / "Settings" tab in the Azure portal, under "Required Permissions", by selecting the desired "Delegated Permissions" and "Application Permissions" (the latter requires membership in the Global Admin role). Because a public client can't securely maintain credentials, it can only request delegated permissions, while a confidential client has the ability to request both delegated and application permissions. The client's application object stores the declared permissions in its requiredResourceAccess property.
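The practical consequence of the answer is that a resource API must look in different claims depending on how the token was obtained: "scp" (a space-separated string) for delegated tokens and "roles" (a JSON array) for app-only tokens issued through client credentials. The following Python is an added example, not part of the question or answer above, that decodes the payload of a JWT the way jwt.io does (without verifying the signature, which is fine for inspection but never for authorization), classifies the token by which of the two claims it carries, and checks a permission the way a resource should. The two tokens it inspects are constructed sample tokens with made-up claim values, not real Azure AD tokens.

```python
import base64
import json


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used by JWS compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding jwt.io strips before decoding a segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed sample token (alg 'none', empty signature) purely for inspection."""
    header = {"alg": "none", "typ": "JWT"}
    return "{}.{}.".format(b64url_encode(json.dumps(header).encode()),
                          b64url_encode(json.dumps(claims).encode()))


def decode_claims(token: str) -> dict:
    """Return the payload claims without checking the signature (inspection only, like jwt.io)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact token (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def classify_token(claims: dict) -> str:
    """Delegated tokens carry 'scp'; app-only (client credentials) tokens carry 'roles'."""
    has_scp = bool(claims.get("scp"))
    has_roles = bool(claims.get("roles"))
    if has_scp and has_roles:
        return "mixed"
    if has_scp:
        return "delegated"
    if has_roles:
        return "application"
    return "no-permissions"


def has_permission(claims: dict, delegated_scope: str, app_role: str) -> bool:
    """Resource-side check: a delegated scope satisfies delegated tokens, an app role satisfies
    app-only tokens. A token with neither claim grants nothing."""
    kind = classify_token(claims)
    if kind in ("delegated", "mixed") and delegated_scope in claims.get("scp", "").split():
        return True
    if kind in ("application", "mixed") and app_role in claims.get("roles", []):
        return True
    return False


# Constructed sample claims (hypothetical ids, not real tenants or apps).
APP_ONLY_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "appid": "00000000-0000-0000-0000-000000000000",
    "roles": ["User.Read.All"],          # application permission granted by an admin
}
DELEGATED_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "upn": "user@contoso.example",
    "scp": "User.ReadBasic.All openid profile",   # delegated permissions consented by the user
}
APP_ONLY_TOKEN = make_unsigned_jwt(APP_ONLY_CLAIMS)
DELEGATED_TOKEN = make_unsigned_jwt(DELEGATED_CLAIMS)


if __name__ == "__main__":
    for label, token in (("client credentials", APP_ONLY_TOKEN), ("delegated", DELEGATED_TOKEN)):
        claims = decode_claims(token)
        print(label, "->", classify_token(claims),
              "scp=", claims.get("scp"), "roles=", claims.get("roles"))
```

Running the script shows the client-credentials token classified as "application" with no "scp" claim at all, which is exactly what the question observed in jwt.io; the delegated token is the one that carries "scp". The `has_permission` check mirrors what a resource like Graph does: it will not honor a delegated scope name that only appears in "roles", or vice versa.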

