[英]Azure Data Lake Storage Gen2 access token generation - "AADSTS65001: The user or administrator has not consented to use the application with ID
I'm trying to generate access and refresh tokens to be able to sign in to the Azure Data Lake Storage Gen2 using external application with allows OAuth. 我正在尝试生成访问和刷新令牌,以便能够使用带有允许OAuth的外部应用程序登录到Azure Data Lake Storage Gen2。
What was done: 做了什么:
Created Storage account using https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-quickstart-create-account 使用https://docs.microsoft.com/zh-cn/azure/storage/blobs/data-lake-storage-quickstart-create-account创建的存储帐户
Created Azure AD application using https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal 使用https://docs.microsoft.com/zh-cn/azure/active-directory/develop/howto-create-service-principal-portal创建了Azure AD应用程序
Granted admin consent to application from the 2nd step - https://i.imgur.com/myMtkeu.png 从第二步开始授予管理员同意申请的权限-https: //i.imgur.com/myMtkeu.png
Also granted admin consent to enterprise apps with name as the app from step 2 https://i.imgur.com/BPX48NE.png 还授予管理员对企业应用程序的同意,其名称为步骤2中的应用程序https://i.imgur.com/BPX48NE.png
Steps 3 and 4 were done as described here - https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent#grant-admin-consent-when-registering-an-app-in-the-azure-portal 步骤3和步骤4如此处所述-https: //docs.microsoft.com/zh-cn/azure/active-directory/manage-apps/configure-user-consent#grant-admin-consent-when-registering-一个应用内-内式天青门户
Then I generated authorization code 然后我生成了授权码
https://login.microsoftonline.com/<TENANT ID>/oauth2/v2.0/authorize?client_id=<CLIENT ID>&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%2Fmyapp%2F&response_mode=query&scope=offline_access%20user.read%20mail.read&state=12345
After that I tried to get the token 之后,我尝试获取令牌
curl -X POST https://login.microsoftonline.com/<TENANT ID>/oauth2/token \
-F redirect_uri=https://localhost/myapp/ \
-F grant_type=authorization_code \
-F resource=https://management.core.windows.net/ \
-F client_id=<CLIENT ID> \
-F client_secret=<CLIENT SECRET> \
-F code=OAQABAAIAAAAP0wLlqdLVToOpA4kwzSnxLhHJrARX8557... (Authorization code)
As a result received the error below 结果收到以下错误
"error":"invalid_grant","error_description":"AADSTS65001:
The user or administrator has not consented to use the application with ID
'<CLIENT ID>' named '<APP NAME>'. Send an interactive authorization request
for this user and resource.\r\nTrace ID: <TRACE ID>\r\nCorrelation ID:
<CORRELATION ID>\r\nTimestamp: 2019-09-03 13:31:50Z","error_codes":[65001],
"timestamp":"2019-09-03 13:31:50Z","trace_id":"<TRACE ID>",
"correlation_id":"<CORRELATION ID>","suberror":"consent_required"```
You got the authorization code by using V2.0 endpoint, but you used v1.0 when you got the token. 您通过使用V2.0端点获得了授权代码,但是在获得令牌时使用了v1.0。 And the value of resource is not correct.
资源价值不正确。
Try with below 请尝试以下
Get authorization code 获取授权码
https://login.microsoftonline.com/<TENANT ID>/oauth2/authorize?client_id=<CLIENT ID>&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%2Fmyapp%2F&response_mode=query&resource=https://datalake.azure.net/&state=12345
get the token 获得令牌
curl -X POST https://login.microsoftonline.com/<TENANT ID>/oauth2/token \
-F redirect_uri=https://localhost/myapp/ \
-F grant_type=authorization_code \
-F resource=https://datalake.azure.net \
-F client_id=<CLIENT ID> \
-F client_secret=<CLIENT SECRET> \
-F code=OAQABAAIAAAAP0wLlqdLVToOpA4kwzSnxLhHJrARX8557... (Authorization code)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.