堆栈内存溢出
  简体   繁体   English

Azure AD 范围、权限和令牌如何与公开 API 一起工作?

[英]How Azure AD scopes, permissions and tokens work with exposing API?

 原文  2022-09-22 07:53:36       azure/ react-native/ azure-active-directory/ access-token

问题描述

I am currently working on React Native app that uses Azure as backend and I am having trouble to call API in azure LogicApp that requires custom scope. I am currently working on React Native app that uses Azure as backend and I am having trouble to call API in azure LogicApp that requires custom scope. We have this scope in "AppRegistration/Expose an API".我们在“AppRegistration/Expose an API”中有这个 scope。 ( screenshot-expose an API ) 截图-暴露一个 API

In the mobile app I ask for scopes "openid", "profile", "email", "offline_access" .在移动应用程序中,我要求范围“openid”、“profile”、“email”、“offline_access” I need to call Microsoft Graph for user information.我需要致电 Microsoft Graph 以获取用户信息。 This is no problem as we added required permissions (User.ReadWrite.All) into AppRegistration/permissions.这没有问题,因为我们在 AppRegistration/permissions 中添加了所需的权限 (User.ReadWrite.All)。

  • I can call what I need我可以调用我需要的
  • I get refresh token which I need我得到了我需要的刷新令牌

But I cannot call our API due to invalid token (http 401).但由于令牌无效(http 401),我无法调用我们的 API。

So the question is, how to properly setup permissions and scopes in the AppRegistration?那么问题来了,如何在 AppRegistration 中正确设置权限和范围?

What I have tried:我试过的:

  • adding required scope to mobile application将所需的 scope 添加到移动应用程序

    • this cause my other scopes to "disappear".这导致我的其他范围“消失”。 So in my decoded token i can see only this scope.所以在我解码的令牌中,我只能看到这个 scope。
    • Additionaly I don't receive valid refresh token and I cannot call Microsoft Graph with access token I get.另外,我没有收到有效的刷新令牌,也无法使用获得的访问令牌调用 Microsoft Graph。

  • not adding scope to the mobile app but adding permission to custom API into permissions.没有将 scope 添加到移动应用程序,而是将自定义 API 的权限添加到权限中。 ( screenshot-permissions ) 截图权限

    • this way I still couldnt call custom API这样我仍然无法调用自定义 API

I really don't understand why the scopes I ask from mobile app are ignored and why permissions from AppRegistration are not working either when I ask for the custom scope from "Expose an API".我真的不明白为什么我从移动应用程序询问的范围被忽略了,为什么当我从“公开 API”询问自定义 scope 时,为什么来自 AppRegistration 的权限不起作用。

1 个解决方案

解决方案1
 0  2022-09-22 11:59:16

As Tiny Wang said, i have to obtain 2 pairs of tokens.正如 Tiny Wang 所说,我必须获得 2 对代币。 One for each API resource.每个 API 资源一个。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Azure AD + Graph API:获得新权限后如何重新同意? - Azure AD + Graph API: How to reconsent after new permissions? 如何配置 Azure AD 以启用刷新令牌 - How to configure Azure AD to enable refresh tokens 使用 Powershell 将范围添加到 Azure AD 应用程序(公开 API) - Adding Scopes to Azure AD Application with Powershell (Expose an API) 为什么在 Azure AD 的“请求 API 权限”中禁用了“应用程序权限”? - Why is "Application permissions" disabled in Azure AD's "Request API permissions"? Azure 应用注册 - 范围和权限 - Azure App Registration - scopes and permissions 了解如何在 Azure AD 中使用范围进行用户授权 - Understanding how scopes can be used for user authorization in Azure AD Azure AD:无法从此api版本发行令牌 - Azure AD: Unable to issue tokens from this api version Azure AD:如何设置应用程序的自定义权限? - Azure AD: how to setup custom permissions for app? Azure AD 何时使用 API 权限与公开 API - Azure AD When to use API Permissions vs Expose an API API 权限和 Azure AD 中公开 API 之间有什么区别? - What is the difference between API permissions and expose API in Azure AD?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM