Azure AD B2C授权代码流-访问graph.windows.net
[英]Azure AD B2C authorization code flow - accessing graph.windows.net
问题描述
I use Azure AD B2C authorization code flow (below I inserted line breaks in URLs and form contents for better visibility). 
我使用Azure AD B2C 授权代码流 (下面在URL和表单内容中插入换行符以提高可见性)。
First I'm opening following URL in browser: 首先,我在浏览器中打开以下URL:
https://mycompany.b2clogin.com/mycompany.onmicrosoft.com/oauth2/v2.0/authorize?
client_id=8acddeb9-e950-4d64-802c-dcc9fab4f89b&
response_type=code&
redirect_uri=https%3A%2F%2Fmy-company-site.com%2F&
response_mode=query&
scope=8acddeb9-e950-4d64-802c-dcc9fab4f89b%20offline_access%20openid&
state=arbitrary_data_you_can_receive_in_the_response&
p=B2C_susi_test
After entering credentials I'm getting redirected to 输入凭据后,我将重定向到
https://my-company-site.com/?
state=arbitrary_data_you_can_receive_in_the_response&
code=__authorization_code__
After that I'm trying to request the access_token (here it's for https://graph.windows.net/ ): 之后,我尝试请求access_token (这里是https://graph.windows.net/ ):
POST https://mycompany.b2clogin.com/mycompany.onmicrosoft.com/oauth2/v2.0/token?p=B2C_susi_test
User-Agent: Fiddler
Host: mycompany.b2clogin.com
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&
client_id=8acddeb9-e950-4d64-802c-dcc9fab4f89b
scope=openid+offline_access&
code=__authorization_code__&
redirect_uri=https%3A%2F%2Fmy-company-site.com%2F&
client_secret=__client_secret__&
resource=https%3A%2F%2Fgraph.windows.net%2F
As a result I'm getting following JSON: 结果,我得到以下JSON:
{
"id_token": "__a_token__",
"token_type": "Bearer",
"not_before": 1564662310,
"id_token_expires_in": 3600,
"profile_info": "__some_info__",
"refresh_token": "__refresh_token___",
"refresh_token_expires_in": 1209600
}
First of all, access_token is missing here, but there is id_token , which differs from docs . 首先,这里缺少access_token ,但是有id_token ,它与docs不同。
Then I tried to use id_token for accessing https://graph.windows.net : 然后我尝试使用id_token访问https://graph.windows.net :
GET https://graph.windows.net/mycompany/users/me?api-version=1.6 HTTP/1.1
User-Agent: Fiddler
Host: graph.windows.net
Authorization: Bearer __a_token__
The response (401): 响应(401):
{
"odata.error": {
"code": "Authentication_ExpiredToken",
"message": {
"lang": "en",
"value": "Your access token has expired. Please renew it before submitting the request."
}
}
}
Any ideas why the token is access_token is missing or how to use id_token ? 关于令牌为何是access_token任何想法都丢失了,或者如何使用id_token ?
2 个解决方案
解决方案1
1 2019-08-01 22:35:02
You cannot access any Microsoft First Party services using a an AAD B2C application registration and B2C User Journey. 您不能使用AAD B2C应用程序注册和B2C用户旅程访问任何Microsoft第一方服务。
If you need access to a Microsoft service, use AAD App registrations and AAD flows. 如果您需要访问Microsoft服务,请使用AAD应用程序注册和AAD流程。
In a B2C scenario, where the web server needs access to Graph API, have the web server use client credentials flow against an AAD App Registration within the B2C directory. 在B2C场景中,Web服务器需要访问Graph API,让Web服务器针对B2C目录中的AAD应用注册使用客户端凭据流。
解决方案2
1 已采纳 2019-08-01 22:35:48
You can't acquire an access token for the Azure AD Graph API -- since this API isn't an Azure AD B2C-registered application -- using an Azure AD B2C flow. 您无法使用Azure AD B2C流获取Azure AD Graph API的访问令牌-因为此API并非Azure AD B2C注册的应用程序。
You must acquire it using an Azure AD flow . 您必须使用Azure AD流获取它 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.