Azure Active Directory double consent, non-deterministic flow
I have an app registration in Azure with the following configured permissions:
From within my application, I start an OAuth flow with the following URL (params redacted with XXXXXXX):
https://login.microsoftonline.com/common/oauth2/authorize
?client_id=XXXXXXX
&grant_type=client_credentials
&redirect_uri=XXXXXXX
&resource=https%3A%2F%2Foutlook.office365.com
&response_type=code&scope=openid+email+profile+full_access_as_app
&state=XXXXXXX
My user gets the same consent screen twice (notice the different URLs):
and then:
Then they are redirected to the redirect_url.
In the callback, most of the time I get:
access_denied | AADSTS650051: Claim is invalid: User.Read does not exist in client application's RequiredResourceAccess.
And the application is not added to the list of authorized applications for the user in the Azure Portal.
However, sometimes the flow works.
What seems to be the relevant part of the application manifest is:
"oauth2Permissions": [
{
"adminConsentDescription": "Allow the application to access XXXXXX on behalf of the signed-in user.",
"adminConsentDisplayName": "Access XXXXXX",
"id": "XXXXXX",
"isEnabled": true,
"lang": null,
"origin": "Application",
"type": "User",
"userConsentDescription": "Allow the application to access XXXXXX on your behalf.",
"userConsentDisplayName": "Access XXXXXX",
"value": "user_impersonation"
}
],
Questions:
Reading your answer again, it may be that you didn't have issues with the things I mentioned. But I'll leave it here in case it helps you anyway. Please do comment if you have further questions.
Your config and URL look odd. Do you want to access the API as a user or as an app? Currently you have both.
Your authorize URL sets grant type to client credentials, which does not make sense (frankly I'd expect AAD to error on this, but I guess the response type of code makes it use the authorization code flow). Client credentials is a pure back-end flow and does not involve users, so it shouldn't be used in a redirect.
If you want to use the application permission correctly, you'll need to simplify your approach. Here are the docs for the client credentials flow with the v2 endpoint: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow . If your app is multi-tenant, you'll need to do consent for your app like you are doing now before you can actually use the flow. But if it is only used in your org, you (or an admin) can consent to your permissions in the portal and you can then use the flow right away.
You acquire the token with an HTTP call, including your app's credentials + what you want the token for. With v2, the scope here should be the app ID / app ID URI for Exchange + .default. I couldn't find a good reference for this regarding Exchange with a quick Google search, but I'll try to check again in a bit once I have my computer open.
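The two points in the answer above (the authorize URL mixes a user sign-in request with an application permission and carries a token-endpoint parameter, and app-only access should instead go through the v2 client-credentials token request with a `<resource>/.default` scope) can be checked mechanically. The following is an added example, not code from the question or from the answerer: it lints an authorize URL for those mix-ups, builds the client-credentials request body, and pulls the AADSTS code out of a failed callback. The tenant name, client id, secret, callback host and the set of app-only scope names are constructed placeholders; the lint's scope sets are an assumption and in practice would come from the API's published permissions.

```python
"""Separate app-only from delegated OAuth requests against Azure AD (added example)."""
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed copy of the authorize URL from the question (XXXXXXX placeholders kept).
SAMPLE_AUTHORIZE_URL = (
    "https://login.microsoftonline.com/common/oauth2/authorize"
    "?client_id=XXXXXXX&grant_type=client_credentials&redirect_uri=XXXXXXX"
    "&resource=https%3A%2F%2Foutlook.office365.com"
    "&response_type=code&scope=openid+email+profile+full_access_as_app"
    "&state=XXXXXXX"
)

# Assumption: these scope names are application (app-only) permissions. A real check
# would read them from the API's exposed permissions rather than a literal set.
APP_ONLY_SCOPES = {"full_access_as_app"}
# OpenID Connect scopes that only make sense when a user signs in interactively.
USER_SIGNIN_SCOPES = {"openid", "email", "profile", "offline_access"}


def lint_authorize_url(url: str) -> List[str]:
    """Return findings describing why an authorize URL mixes the two flows."""
    query = parse_qs(urlsplit(url).query)  # '+' inside the scope value decodes to a space
    findings: List[str] = []
    if "grant_type" in query:
        findings.append(
            "grant_type is a token-endpoint parameter; it does not belong in the "
            "authorize URL (remove it)"
        )
    scopes = set(query.get("scope", [""])[0].split())
    app_only = scopes & APP_ONLY_SCOPES
    user_signin = scopes & USER_SIGNIN_SCOPES
    if app_only and user_signin:
        findings.append(
            f"application permissions {sorted(app_only)} are mixed with user sign-in "
            f"scopes {sorted(user_signin)}; choose app-only or delegated access"
        )
    if app_only and query.get("response_type") == ["code"]:
        findings.append(
            "application permissions are not obtained through the interactive "
            "authorization-code flow; use the client-credentials grant instead"
        )
    return findings


def build_client_credentials_request(
    tenant: str, client_id: str, client_secret: str, resource: str
) -> Tuple[str, Dict[str, str]]:
    """Build the v2 client-credentials token request: tenant-specific token endpoint
    and a '<resource>/.default' scope, as in the Microsoft docs linked above."""
    token_url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": resource.rstrip("/") + "/.default",
        "grant_type": "client_credentials",  # correct here: this is the token endpoint
    }
    return token_url, body


def parse_callback_error(callback_url: str) -> Dict[str, str]:
    """Extract the error and AADSTS code from a redirect_uri callback, such as the
    access_denied / AADSTS650051 response quoted in the question."""
    query = parse_qs(urlsplit(callback_url).query)
    error = query.get("error", [""])[0]
    description = query.get("error_description", [""])[0]
    code = description.split(":", 1)[0].strip() if description.startswith("AADSTS") else ""
    return {"error": error, "aadsts": code, "description": description}


if __name__ == "__main__":
    for finding in lint_authorize_url(SAMPLE_AUTHORIZE_URL):
        print("finding:", finding)
    url, body = build_client_credentials_request(
        "contoso.onmicrosoft.com", "XXXXXXX", "<client-secret>", "https://outlook.office365.com"
    )
    print("POST", url)
    print(urlencode(body))  # form-encoded body; send over TLS with urllib or requests
```

Running the script lists three findings for the question's URL; the built request has no user, no redirect and no `openid` scope, which is the simplification the answer recommends. Keep the client secret out of source control and log only the AADSTS code from callbacks, never the full description with tenant details.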
I reproduced your issue yesterday, but today it works fine without any changes. You can try again. If this issue still exists, just let me know.
By the way, the grant_type parameter isn't needed in the auth URL; you can take a look at @junnas's answer.
Reference:
The differences between Application permissions and Delegated permissions