
Azure AD Scopes with different audiences

I've adapted the Azure Mobile Apps example ( https://github.com/Azure/azure-mobile-apps ) and got it to work with the DataSyncClient (for offline sync). However, I would like to reuse the token I get during authentication via the IdentityClient to call the Microsoft Graph API. This is failing and I guess it is due to the scopes I use.

Other than in the sample's documentation, I needed to use the real TenantID instead of "common", which is, I guess, because of the setup of my company's tenant. Secondly, probably related to the above, I had to set up my scope for the "access_as_user" permission as "api://<client_id>/access_as_user". Now I would need the additional scope "User.Read", but if I request them both together (to be able to reuse the received token), I get an "Invalid audience" when using the token for the Graph API call.

Any idea? BR, Daniel

You need to get 2 access tokens. One access token only works for one API. Typically you can get the second token without a second login prompt (e.g. with a refresh token; MSAL handles this for you).
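The two-token pattern the answer describes, as an added example in C# with MSAL.NET (Microsoft.Identity.Client); it is not code from the question, the answer or the Azure Mobile Apps sample, and the client id, tenant id and redirect URI are placeholders. The backend token's audience is the API registration and the Graph token's audience is Microsoft Graph, so each is presented only to the API that validates that audience.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class TwoAudienceTokens
{
    // Placeholders for this example; substitute the values from your app registration.
    const string ClientId = "<client_id>";
    const string TenantId = "<tenant_id>";
    // One scope set per resource. A single token request must not mix scopes of two resources.
    static readonly string[] BackendScopes = { $"api://{ClientId}/access_as_user" };
    static readonly string[] GraphScopes = { "User.Read" };

    static readonly IPublicClientApplication Pca = PublicClientApplicationBuilder
        .Create(ClientId)
        .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
        .WithRedirectUri("http://localhost") // assumed; use the redirect URI registered for the app
        .Build();

    // Try the cache first (MSAL redeems the refresh token for a token with the new audience,
    // no prompt); fall back to an interactive sign-in only when MSAL says it is required.
    static async Task<string> AcquireAsync(string[] scopes)
    {
        var account = (await Pca.GetAccountsAsync()).FirstOrDefault();
        try
        {
            return (await Pca.AcquireTokenSilent(scopes, account).ExecuteAsync()).AccessToken;
        }
        catch (MsalUiRequiredException)
        {
            return (await Pca.AcquireTokenInteractive(scopes).ExecuteAsync()).AccessToken;
        }
    }

    public static async Task Main()
    {
        // Token 1: aud = the backend API registration. This is the one to hand to the DataSyncClient.
        string backendToken = await AcquireAsync(BackendScopes);
        Console.WriteLine($"Backend token acquired ({backendToken.Length} chars)");

        // Token 2: aud = Microsoft Graph. Same signed-in account, normally no second prompt.
        string graphToken = await AcquireAsync(GraphScopes);
        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", graphToken);
        Console.WriteLine(await http.GetStringAsync("https://graph.microsoft.com/v1.0/me"));
    }
}
```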
