
Login from Microsoft account not working for Multitenant Azure AD application

I'm building a multitenant SaaS web-based application. The application is registered in my tenant, and each customer with their Office 365 subscription will get a service principal object in Azure AD.

I'm having a problem with login from an external account (Microsoft account) in a customer tenant.

I created an example and tried to see what I can get from the access token.

The sample consists of one client application (.js) that uses the MSAL library to handle authentication and two APIs that have protected endpoints. I also created three separate Azure AD applications: AlanClient, AlanAPI1, AlanAPI2. Both AlanAPI1 and AlanAPI2 have an API exposed (the "Expose an API" section of the application in the Azure Portal) and have one consumer specified, AlanClient. AlanClient has permission to both APIs. All applications are registered with "accessTokenAcceptedVersion": 2 and "signInAudience": "AzureADMultipleOrgs".

As far as I understood, this should be enough to log in with:

  1. Office 365 account from the host tenant
  2. Microsoft account that is registered as an external user in the host tenant
  3. Office 365 account from the guest tenant
  4. Microsoft account that is registered as an external user in the guest tenant

Clarification:
  - host tenant --> the Azure AD instance in which the application is registered (tenant A in the error message below).
  - guest tenant --> an Azure AD instance that is only using the application.

I have a problem with case no. 4.

I get this error message: AADSTS50020: User account 'lovro.p365@...' from identity provider 'live.com' does not exist in tenant 'A' and cannot access the application AlanClient in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure AD user account.

Scenarios 2 and 4 should be the same.

I have tested both and everything is OK.

You could use the OAuth 2.0 auth code grant flow to test it.

Construct a request to login.microsoftonline.com with your app configuration.

This URL will look like:

https://login.microsoftonline.com/[tenant A]/oauth2/v2.0/authorize?client_id=[client id of the Azure AD app registered in host tenant]&response_type=code&redirect_uri=[redirect uri of the Azure AD app]&nonce=1234&resource=https://graph.microsoft.com

After signing in with the credentials of the Microsoft account in tenant A, you will get a "code" in the address bar. Use this code to request an access token:

POST /[tenant]/oauth2/v2.0/token HTTP/1.1

client_id=[client id of the Azure AD app registered in host tenant]
&scope=https://graph.microsoft.com/user.read
&code=[code got from the previous step]
&redirect_uri=[redirect uri of the Azure AD app]
&grant_type=authorization_code

Then we could get the access token for the Microsoft account as a guest user in tenant A.
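The auth code flow above, as an added example that is not part of the original answer: it builds the v2.0 authorize URL (the v2.0 endpoint takes `scope` rather than the v1 `resource` parameter, as the token request above already does), checks the redirect, forms the token request, and decodes the returned token's `tid`/`idp` claims to see which tenant issued it and whether the user is a guest there. Standard library only; the tenant, client id, redirect URI and the sample token are constructed placeholders, and the claim decoding is for inspection, not validation.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"  # tenant id or domain goes in the path

def authorize_url(tenant, client_id, redirect_uri, scope, state):
    """Step 1: v2.0 authorize request. v2.0 takes `scope` (v1 used `resource`);
    `state` is echoed back so the redirect can be tied to this request."""
    params = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
              "response_mode": "query", "scope": scope, "state": state}
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"

def code_from_redirect(redirect_url, expected_state):
    """Step 2: extract `code`; reject a redirect whose `state` does not match or that
    carries an error (an AADSTS50020 shows up here as error/error_description)."""
    q = parse_qs(urlparse(redirect_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to this request")
    if "error" in q:
        raise RuntimeError(f"{q['error'][0]}: {q.get('error_description', [''])[0]}")
    return q["code"][0]

def token_request(tenant, client_id, code, redirect_uri, scope):
    """Step 3: token endpoint URL and form body (confidential clients also send client_secret)."""
    body = {"client_id": client_id, "scope": scope, "code": code,
            "redirect_uri": redirect_uri, "grant_type": "authorization_code"}
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", urlencode(body)

def token_claims(jwt):
    """Decode the payload for inspection only: no signature check, so never use this to
    authorize a request (validate signature, iss, aud and exp with MSAL or a JWKS lookup)."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def describe_token(jwt):
    """Issuing tenant and guest status. Heuristic: a guest carries an `idp` claim that
    differs from the issuer; for a personal Microsoft account it is 'live.com'."""
    c = token_claims(jwt)
    idp = c.get("idp")
    return {"tid": c.get("tid"), "ver": c.get("ver"), "idp": idp,
            "is_guest": idp is not None and idp != c.get("iss")}

def sample_token(claims):
    """Constructed, unsigned token (dummy signature part) for offline testing."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"
```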
