Scope 未添加到从 Azure 广告返回的访问令牌
[英]Scope is not being added to Access Token returned from Azure Ad
问题描述
Overview
概述
We have an Azure AD secured API living in Azure as a web app.我们有一个 Azure AD 安全 API 生活在 Azure 作为 web 应用程序。 We need to be able to:我们需要能够:
- Trigger this API via user interaction from a client application (this part works).通过来自客户端应用程序的用户交互触发此 API(这部分有效)。
- Trigger this API programmatically from a scheduled job that will simply get a token & hit this API (this part does not work due to authentication issues).从计划的作业中以编程方式触发此 API,该作业将简单地获取令牌并点击此 API(由于身份验证问题,此部分不起作用)。
Problem问题
The issue is that when we request a token from Azure AD, scope is not being set in our token claims resulting in the API rejecting the token.问题是,当我们从 Azure AD 请求令牌时,scope 未在我们的令牌声明中设置,导致 API 拒绝令牌。
This is the request we are making:这是我们提出的要求:
This request returns an access token with the following claims:此请求返回具有以下声明的访问令牌:
{
"aud": "<our api client id>",
"iss": "https://login.microsoftonline.com/<tenantId>/v2.0",
"iat": 1644421512,
"nbf": 1644421512,
"exp": 1644425412,
"aio": "<value>",
"azp": "<scheduled job client id>",
"azpacr": "1",
"oid": "<guid>",
"rh": "<value>",
"sub": "<guid>",
"tid": "<guid>",
"uti": "<value>",
"ver": "2.0"
}
As you can see scp (scope) is not included in the token claims even though we include it in the request.正如您所见, scp (范围)未包含在令牌声明中,即使我们将其包含在请求中也是如此。
If we use this token to make a request to our API we get the following error:如果我们使用此令牌向我们的 API 发出请求,我们会收到以下错误:
System.UnauthorizedAccessException: IDW10201: Neither scope or roles claim was found in the bearer token.
Any help on how we can get an access token from Azure AD with the proper scope/permissions to call our API, would be greatly appreciated.任何关于我们如何从 Azure AD 获得访问令牌并具有适当范围/权限以调用我们的 API 的任何帮助,将不胜感激。
Note笔记
The Azure AD App Registration for our scheduled job that will request a token and then hit our API, does have the Delegated API Permission access_as_user which you can see I am including in the token request's scope.我们预定作业的 Azure AD 应用程序注册将请求令牌,然后点击我们的 API,确实具有委托 API 权限access_as_user ,您可以看到我将其包含在令牌请求的 scope 中。
1 个解决方案
解决方案1
6 已采纳 2022-02-10 07:31:34
The above is expected as using client credentials you can't get the delegated permissions ie the access_as_user permission and also the scope in client credentials should be used as api://<APP_ID>/.default .以上是预期的,因为使用客户端凭据您无法获得委派权限,即access_as_user权限,并且客户端凭据中的 scope 应用作api://<APP_ID>/.default 。 So, If you want delegated permissions then you will have to use implicit grant flow instead of client credentials.因此,如果您想要委派权限,那么您将不得不使用隐式授权流程而不是客户端凭据。
For testing, I created two app registrations, One on which API is exposed (Postman) and other which is to be used for authentication (Powershelltest) and then, I have tested the same in 2 different scenarios like one for client credentials and another for implicit grant:为了进行测试,我创建了两个应用程序注册,一个公开了 API(Postman),另一个用于身份验证(Powershelltest),然后,我在两种不同的场景中测试了相同的应用程序,例如一个用于客户端凭据,另一个用于隐式授予:
Main APP whose API has been exposed: API被曝光的主要APP:
App used for authentication:用于身份验证的应用程序:
Scenario 1 Using Client Credential flow:场景 1 使用客户端凭证流程:
Scenario 2 using Implicit Grant flow:使用隐式授权流程的场景 2:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.