Issue with authenticating to Onedrive using Oauth?

I am trying to authenticate to Onedrive using the OAuth token flow process. So basically the user enters their client ID and client secret, and then they are redirected to the Microsoft login screen to authenticate and receive an access token. I have done the following:

    using System;
    using System.Collections.Generic;
    using System.Net;
    using System.Net.Http;
    using System.Net.Http.Headers;
    using System.Threading.Tasks;
    using System.Web.Script.Serialization;   // JavaScriptSerializer lives in System.Web.Extensions

    public async Task<string> GetTokenAsync(string tenant, string clientId, string clientSecret)
    {
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
        HttpClient httpClient = new HttpClient();
        // The token endpoint answers with JSON. The form encoding belongs on the request body,
        // and FormUrlEncodedContent sets that Content-Type itself.
        httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
        var req = new HttpRequestMessage(HttpMethod.Post, $"https://login.microsoftonline.com/{tenant}/oauth2/token");
        req.Content = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            {"grant_type", "client_credentials"},   // app-only grant: no user ever signs in here
            {"client_id", clientId},
            {"client_secret", clientSecret},
            {"resource", "https://graph.microsoft.com"}
        });
        try
        {
            HttpResponseMessage resp = await httpClient.SendAsync(req);
            string content = await resp.Content.ReadAsStringAsync();
            resp.EnsureSuccessStatusCode();   // AAD returns 400/401 with an error JSON body on failure
            var jsonObj = new JavaScriptSerializer().Deserialize<Dictionary<string, object>>(content);
            return (string)jsonObj["access_token"];
        }
        catch (Exception ex)
        {
            // Do not swallow the error silently; the response body says why the request failed.
            Console.Error.WriteLine("Token request failed: " + ex.Message);
            throw;
        }
    }

The issue is I want the Microsoft login screen to pop up and the user logs in; once they have been authenticated, the access_token can be extracted. The process above that I am doing doesn't seem to allow that. What am I doing wrong here?

There are a few things I see amiss here.

  1. If you are looking at user authentication, the client credentials flow is an incorrect approach. Your users are not clients. Clients are applications that talk to your identity server. Their secrets are supposed to be secrets.
  2. If you are initiating a client credentials flow through a web browser, you are bound to hit a CORS error, as most identity providers do not allow cross-domain calls to their token endpoints.
  3. If you are looking to implement user authentication, look into the implicit grant flow [1], or the more secure PKCE flow in OAuth. Microsoft provides libraries [2] to assist you here.

References:

[1] https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow

[2] https://developer.microsoft.com/en-us/identity/blogs/msal-js-2-0-supports-authorization-code-flow-is-now-generally-available/
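What the PKCE flow recommended above looks like when written against the same HttpClient the question uses, as an added example that is not part of the question or the answer. It assumes the Azure AD v2.0 endpoints, an app registration configured as a public (desktop) client with the loopback redirect URI http://localhost:PORT/ enabled, and the Graph scope Files.Read; the class and method names are made up for this illustration. The browser is opened to the /authorize endpoint (the "login screen pops up" step), the redirect carrying the authorization code is caught on a local HttpListener, the state value is checked, and the code is redeemed together with the PKCE verifier. No client secret is sent anywhere, because a public client has none to protect.

```csharp
// Added example: authorization code + PKCE for a desktop/native client.
// Assumes .NET Core 2.1+/.NET 5+ (RandomNumberGenerator.Fill, System.Text.Json, using declarations).
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

public static class PkceLogin   // hypothetical name, not from the original post
{
    // RFC 7636 base64url: strip '=' padding, '+' -> '-', '/' -> '_'
    static string Base64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static async Task<string> GetUserTokenAsync(string tenant, string clientId, int port)
    {
        // 1. PKCE: a random verifier kept in this process and its S256 challenge sent ahead.
        //    An attacker who intercepts the code cannot redeem it without the verifier.
        var verifierBytes = new byte[32];            // 32 bytes -> 43 base64url chars (RFC 7636 minimum)
        RandomNumberGenerator.Fill(verifierBytes);
        string codeVerifier = Base64Url(verifierBytes);
        string codeChallenge;
        using (var sha = SHA256.Create())
            codeChallenge = Base64Url(sha.ComputeHash(Encoding.ASCII.GetBytes(codeVerifier)));

        // 2. state: ties the redirect we receive to the request we sent (CSRF protection).
        var stateBytes = new byte[16];
        RandomNumberGenerator.Fill(stateBytes);
        string state = Base64Url(stateBytes);

        string redirectUri = $"http://localhost:{port}/";
        string authority = $"https://login.microsoftonline.com/{tenant}/oauth2/v2.0";

        // 3. Send the user to the Microsoft sign-in page in their browser.
        string authorizeUrl = $"{authority}/authorize" +
            $"?client_id={Uri.EscapeDataString(clientId)}" +
            "&response_type=code" +
            $"&redirect_uri={Uri.EscapeDataString(redirectUri)}" +
            $"&scope={Uri.EscapeDataString("openid offline_access https://graph.microsoft.com/Files.Read")}" +
            $"&state={state}" +
            $"&code_challenge={codeChallenge}" +
            "&code_challenge_method=S256";

        // 4. Catch the redirect on the loopback listener and read the authorization code.
        using var listener = new HttpListener();
        listener.Prefixes.Add(redirectUri);
        listener.Start();
        Process.Start(new ProcessStartInfo(authorizeUrl) { UseShellExecute = true });

        HttpListenerContext ctx = await listener.GetContextAsync();
        var query = ctx.Request.QueryString;
        byte[] page = Encoding.UTF8.GetBytes("<html><body>Signed in. You can close this window.</body></html>");
        ctx.Response.ContentType = "text/html";
        await ctx.Response.OutputStream.WriteAsync(page, 0, page.Length);
        ctx.Response.Close();

        if (query["error"] != null)
            throw new InvalidOperationException($"Authorization failed: {query["error"]}: {query["error_description"]}");
        if (query["state"] != state)
            throw new InvalidOperationException("state mismatch: this redirect did not come from our request");
        string code = query["code"] ?? throw new InvalidOperationException("no authorization code in redirect");

        // 5. Redeem the code with the verifier. No client_secret: this is a public client.
        using var http = new HttpClient();
        var tokenRequest = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["client_id"] = clientId,
            ["grant_type"] = "authorization_code",
            ["code"] = code,
            ["redirect_uri"] = redirectUri,
            ["code_verifier"] = codeVerifier,
            ["scope"] = "https://graph.microsoft.com/Files.Read",
        });
        HttpResponseMessage resp = await http.PostAsync($"{authority}/token", tokenRequest);
        string body = await resp.Content.ReadAsStringAsync();
        if (!resp.IsSuccessStatusCode)
            throw new InvalidOperationException($"Token endpoint returned {(int)resp.StatusCode}: {body}");

        using JsonDocument doc = JsonDocument.Parse(body);
        return doc.RootElement.GetProperty("access_token").GetString();
    }
}
```

Call it as `string token = await PkceLogin.GetUserTokenAsync("common", "<app client id>", 8400);` with a port that matches the redirect URI registered on the app. The user-facing part the question was missing is step 3: the user authenticates in the browser, not inside your process, and your code only ever sees the short-lived code plus the token it exchanges it for. On .NET Framework, replace `RandomNumberGenerator.Fill` with `RandomNumberGenerator.Create().GetBytes(...)`, or use the MSAL library from reference [2], which performs these steps for you.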
