简体繁体 English

如何为Microsoft OAuth2提供程序的Native应用程序指定localhost loopback redirect_uri？

[英]How can I specify localhost loopback redirect_uri for Native application for Microsoft OAuth2 provider?

原文 2019-06-14 12:18:34 2 2 c#/ oauth-2.0

I have the code which authorizes at https://login.live.com/oauth20_authorize.srf endpoint. 我有在https://login.live.com/oauth20_authorize.srf端点授权的代码。

Parameters of the call: "client_id=" + ClientID + "&scope=" + someScopes + "&response_type=code&redirect_uri=" + WebUtility.UrlEncode(" http://localhost:some-port/signin-microsoft ") 调用的参数：“client_id =”+ ClientID +“＆scope =”+ someScopes +“＆response_type = code＆redirect_uri =”+ WebUtility.UrlEncode（“ http：// localhost：some-port / signin-microsoft ”）

http://localhost:port/signin-microsoft is registered as one of Redirect URLs in my app at https://apps.dev.microsoft.com (I had to use Add Platform -> Web to put this redirect_url there). http：// localhost：port / signin-microsoft在我的应用程序中注册为重定向URL之一https://apps.dev.microsoft.com （我必须使用Add Platform - > Web将redirect_url放在那里）。

I run HttpListener (local web server in the app) to intercept the authorization code. 我运行HttpListener（应用程序中的本地Web服务器）来拦截授权代码。 Then I get the code and pass it to this endpoint: 然后我获取代码并将其传递给此端点：

https://login.live.com/oauth20_token.srf https://login.live.com/oauth20_token.srf

Parameters of the call: "client_id=" + ClientID + "&code=" + code + "&grant_type=authorization_code&redirect_uri=" + WebUtility.UrlEncode(" http://localhost:some-port/signin-microsoft ") 调用的参数：“client_id =”+ ClientID +“＆code =”+ code +“＆grant_type = authorization_code＆redirect_uri =”+ WebUtility.UrlEncode（“ http：// localhost：some-port / signin-microsoft ”）

This fails because ClientSecret is missing. 这会失败，因为缺少ClientSecret。 If I add ClientSecret, it works and I get the access and refresh token. 如果我添加ClientSecret，它可以工作，我获得访问和刷新令牌。

However, native apps should not store and send OAuth2 client secrets. 但是，本机应用程序不应存储和发送OAuth2客户端机密。 ClientSecret is required for web apps only. 仅限Web应用程序需要ClientSecret。

Now's the problem. 现在是问题所在。 apps.dev.microsoft.com portal does not let me specify localhost redirect_uri for Native apps. apps.dev.microsoft.com门户网站不允许我为Native应用程序指定localhost redirect_uri。 I can do this for web apps only (in Web / Redirect URLs section). 我只能为Web应用程序执行此操作（在Web / Redirect URL部分中）。 With Native apps, trying to specify any URI always results in "Your URI must be in the format of {scheme}://{domain}/{path}, have no query string parameters, and be limited to 255 characters." 对于Native应用程序，尝试指定任何URI始终会导致“您的URI必须采用{scheme}：// {domain} / {path}的格式，没有查询字符串参数，并且限制为255个字符。” message. 信息。

I seems that only a few predefined values are allowed there (such as https://login.live.com/oauth20_desktop.srf ). 我似乎只允许一些预定义值（例如https://login.live.com/oauth20_desktop.srf ）。 Even if I add or change any single char in this value, it's no longer valid and the portal does not let me save the changes. 即使我在此值中添加或更改任何单个字符，它也不再有效，并且门户网站不允许我保存更改。 I can these predefined values only if I don't have localhost-based redirect_uri. 只有当我没有基于localhost的redirect_uri时，才能使用这些预定义值。 This means I have to use the complex methods of obtaining the authorization code (monitoring browser processes and so on) instead of a simple HttpListener (which is used by Google OAuth2 provider, for instance). 这意味着我必须使用获取授权代码的复杂方法（监视浏览器进程等）而不是简单的HttpListener（例如，Google OAuth2提供程序使用它）。

Is there a way to use localhost as redirect_uri and still not send ClientSecret, when working with Microsoft OAuth2 provider? 在使用Microsoft OAuth2提供程序时，有没有办法使用localhost作为redirect_uri并仍然不发送ClientSecret？

And why can't I specify other URLs in Native Application / Custom Redirect URIs of apps.dev.microsoft.com portal? 为什么我不能在apps.dev.microsoft.com门户的本机应用程序/自定义重定向URI中指定其他URL？ What's the purpose of this form if I anyway can't add any values except of those predefined ones which are already there? 如果我无论如何都不能添加除已经存在的那些预定义值之外的任何值，那么这个表单的目的是什么？

Again, I have no issues adding my custom URL to Web / Redirect URLs on the same page (and everything's working fine then, it's just that I need to deal with ClientSecret which I don't want to). 同样，我在同一页面上将我的自定义URL添加到Web /重定向URL没有问题（一切正常，那就是我需要处理ClientSecret，我不想这样做）。

2 个解决方案

you're supposed to register a loopback Url invoked by the browser, such as http://127.0.0.1:8000 你应该注册一个由浏览器调用的回调Url，比如http://127.0.0.1:8000

Also your code should use the PKCE variation of the Authorization Code Flow - to avoid client secrets 此外，您的代码应使用授权代码流的PKCE变体 - 以避免客户机密

I've not used it with Azure but pretty certain this will work for you 我没有在Azure中使用它，但很确定这对你有用

Some gory details on my blog about this: https://authguidance.com/2018/01/17/desktop-app-how-to-run-the-code-sample/ 我博客上关于此的一些血腥细节： https ： //authguidance.com/2018/01/17/desktop-app-how-to-run-the-code-sample/

Native apps and OAuth are tricky - so happy to help - feel free to ping me any follow up questions 原生应用和OAuth很棘手 - 很乐意提供帮助 - 随时向我发送任何后续问题

OK, the URL which can be added as Custom Redirect URI in Native Application section of apps.dev.microsoft.com portal must look like something.not.http.or.https://something 好的，可以在apps.dev.microsoft.com门户的本机应用程序部分中添加为自定义重定向URI的URL必须看起来像something.not.http.or.https://something

Eg: 例如：

pw.oauth2://oauth2redirect

This kind of a URI is allowed there (where pw.oauth2 is a URL scheme associated with your app, such as, for UWP applications, Package Manifest / Declarations / Protocol / Name). 这里允许使用这种URI（其中pw.oauth2是与您的应用程序关联的URL方案，例如，对于UWP应用程序，包清单/声明/协议/名称）。 It's not exactly localhost loopback but this lets your app be triggered by the browser to intercept the authorization code. 它不完全是localhost环回，但这可以让浏览器触发您的应用程序拦截授权代码。 And ClientSecret is not needed. 并且不需要ClientSecret。

If found the working example (for Google provider) at https://github.com/googlesamples/oauth-apps-for-windows/tree/master/OAuthUniversalApp and was able to adapt it for Microsoft provider with no issues. 如果找到了工作示例（适用于Google提供商），请访问https://github.com/googlesamples/oauth-apps-for-windows/tree/master/OAuthUniversalApp，并且能够在没有任何问题的情况下为Microsoft提供商进行调整。