[英]Scope is not being added to Access Token returned from Azure Ad
Overview概述
We have an Azure AD secured API living in Azure as a web app.我们有一个 Azure AD 安全 API 生活在 Azure 作为 web 应用程序。 We need to be able to:我们需要能够:
Problem问题
The issue is that when we request a token from Azure AD, scope is not being set in our token claims resulting in the API rejecting the token.问题是,当我们从 Azure AD 请求令牌时,scope 未在我们的令牌声明中设置,导致 API 拒绝令牌。
This is the request we are making:这是我们提出的要求:
This request returns an access token with the following claims:此请求返回具有以下声明的访问令牌:
{
"aud": "<our api client id>",
"iss": "https://login.microsoftonline.com/<tenantId>/v2.0",
"iat": 1644421512,
"nbf": 1644421512,
"exp": 1644425412,
"aio": "<value>",
"azp": "<scheduled job client id>",
"azpacr": "1",
"oid": "<guid>",
"rh": "<value>",
"sub": "<guid>",
"tid": "<guid>",
"uti": "<value>",
"ver": "2.0"
}
As you can see scp
(scope) is not included in the token claims even though we include it in the request.正如您所见, scp
(范围)未包含在令牌声明中,即使我们将其包含在请求中也是如此。
If we use this token to make a request to our API we get the following error:如果我们使用此令牌向我们的 API 发出请求,我们会收到以下错误:
System.UnauthorizedAccessException: IDW10201: Neither scope or roles claim was found in the bearer token.
Any help on how we can get an access token from Azure AD with the proper scope/permissions to call our API, would be greatly appreciated.任何关于我们如何从 Azure AD 获得访问令牌并具有适当范围/权限以调用我们的 API 的任何帮助,将不胜感激。
Note笔记
The Azure AD App Registration for our scheduled job that will request a token and then hit our API, does have the Delegated API Permission access_as_user
which you can see I am including in the token request's scope.我们预定作业的 Azure AD 应用程序注册将请求令牌,然后点击我们的 API,确实具有委托 API 权限access_as_user
,您可以看到我将其包含在令牌请求的 scope 中。
The above is expected as using client credentials you can't get the delegated permissions ie the access_as_user
permission and also the scope in client credentials should be used as api://<APP_ID>/.default
.以上是预期的,因为使用客户端凭据您无法获得委派权限,即access_as_user
权限,并且客户端凭据中的 scope 应用作api://<APP_ID>/.default
。 So, If you want delegated permissions then you will have to use implicit grant flow instead of client credentials.因此,如果您想要委派权限,那么您将不得不使用隐式授权流程而不是客户端凭据。
For testing, I created two app registrations, One on which API is exposed (Postman) and other which is to be used for authentication (Powershelltest) and then, I have tested the same in 2 different scenarios like one for client credentials and another for implicit grant:为了进行测试,我创建了两个应用程序注册,一个公开了 API(Postman),另一个用于身份验证(Powershelltest),然后,我在两种不同的场景中测试了相同的应用程序,例如一个用于客户端凭据,另一个用于隐式授予:
Main APP whose API has been exposed: API被曝光的主要APP:
App used for authentication:用于身份验证的应用程序:
Scenario 1 Using Client Credential flow:场景 1 使用客户端凭证流程:
Scenario 2 using Implicit Grant flow:使用隐式授权流程的场景 2:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.