Azure AD OAuth token wrong audience (client credentials flow)
I am trying to get an OAuth token (client_credentials flow) to be able to call my API. I cannot get the proper audience in the token.
In Azure AD, I created two App Registrations. One represents my API, the other one represents my Client.
In my API App Registration, I expose an API.
As you can see in the screenshot, I also added my Client App Registration as an "Authorized client application".
I also added an App Role.
In my Client App Registration, I created a secret to authenticate.
I also added my API App Registration in the "API Permissions" and also granted admin consent.
My problem is when I am trying to get a token from Azure AD. I do the following in Postman:
But the token I get does not contain the audience I specified. It contains the default "Graph API" audience.
I've been reading on OAuth for the past two days but I can't figure out what I am doing wrong.
Also, please note that I cannot use the v2.0 endpoint because, in the end, I do all this to be able to authenticate to my API from Power Automate, and there I don't have the option to use the v2.0 endpoint (and the resource or scope parameters).
Here's the token decoded:
Any help will be greatly appreciated.
To summarize, I will post it as an answer.
Like I said in the comments, if you are using the OAuth 2.0 protocol, when you use the v1.0 endpoint to request an access token, you should use the resource parameter instead of the audience parameter, because the audience parameter is not recognized by the OAuth 2.0 protocol. Even if you do not select this parameter in Postman, you should still be able to obtain a default MS Graph API token.
The audience parameter is commonly used by Auth0, but it has some differences from the OAuth 2.0 protocol. The request URL of Auth0 is as follows:
curl --request POST \
--url 'https://YOUR_DOMAIN/oauth/token' \
--header 'content-type: application/x-www-form-urlencoded' \
--data grant_type=client_credentials \
--data client_id=YOUR_CLIENT_ID \
--data client_secret=YOUR_CLIENT_SECRET \
--data audience=YOUR_API_IDENTIFIER
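Added example, not part of the question or the answer above: the Azure AD v1.0 client_credentials request built with `resource` (the parameter the answer recommends) rather than `audience`, plus a small check that inspects the `aud` claim of the returned token before you trust it. The tenant, client, secret and API values are constructed placeholders, the "Application ID URI" shown as `api://...` is an assumption about how the API app registration was exposed, and the two tokens the script inspects are constructed, unsigned JWTs so the example runs offline; a real token must still be signature-validated by the API.

```python
# Added example (not from the original question or answer): build the v1.0
# client_credentials request body with `resource`, then check the `aud`
# claim of the token that comes back before calling the API with it.
import base64
import json
from urllib.parse import urlencode

# Constructed placeholders; replace with your own tenant, client and API values.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_SECRET = "replace-me"
# Assumed "Application ID URI" of the API app registration ("Expose an API").
API_APP_ID_URI = "api://22222222-2222-2222-2222-222222222222"
# Audience Azure AD falls back to when no usable resource is requested.
GRAPH_AUD = "https://graph.microsoft.com"


def v1_token_request(tenant_id, client_id, client_secret, resource):
    """Return (url, form-encoded body) for the v1.0 client_credentials grant.

    The v1.0 endpoint takes `resource`; an `audience` parameter is not part of
    this request, so a token request that only sets `audience` ends up with
    the default Microsoft Graph audience described in the question.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    })
    return url, body


def _b64url_decode(segment):
    """base64url decode with the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_payload(token):
    """Decode the JWT payload WITHOUT verifying the signature.

    Fine for inspecting claims on the client side; the API that receives the
    token must still validate the signature, issuer and expiry.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_audience(token, expected):
    """True only if the token's `aud` claim names the expected API.

    Returns False for a token minted for Microsoft Graph, which is exactly the
    token the question reports getting back.
    """
    aud = decode_jwt_payload(token).get("aud")
    if isinstance(aud, list):
        return expected in aud
    return aud == expected


def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def _fake_jwt(payload):
    """Constructed, unsigned token for offline demonstration only."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}."


if __name__ == "__main__":
    url, body = v1_token_request(TENANT_ID, CLIENT_ID, CLIENT_SECRET, API_APP_ID_URI)
    print("POST", url)
    print(body)
    # Constructed tokens: the Graph-audience one mirrors the question's symptom,
    # the second is what a correct `resource` request should yield.
    graph_token = _fake_jwt({"aud": GRAPH_AUD, "appid": CLIENT_ID})
    api_token = _fake_jwt({"aud": API_APP_ID_URI, "appid": CLIENT_ID, "roles": ["Data.Read"]})
    print("graph token accepted:", check_audience(graph_token, API_APP_ID_URI))  # False
    print("api token accepted:", check_audience(api_token, API_APP_ID_URI))      # True
```

`v1_token_request` produces the same form body Postman sends when you fill in `resource`; if you instead set `audience`, Azure AD's v1.0 endpoint does not use it and you get the Graph-audience token the question shows, which `check_audience` rejects. The `aud` value Azure AD returns matches whatever you passed as `resource` (the Application ID URI here), so pass the same identifier to `check_audience` that the API's own token validation expects.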