[英]Setup Microsoft Identify Platform and "Missing grant for this add-in" for localhost
I have an Excel add-in where single sign-on was implemented, but recently I realize that the SSO does not work anymore.我有一个实现单点登录的 Excel 加载项,但最近我意识到 SSO 不再起作用。 So I tried to debug it in localhost.
所以我尝试在本地主机上调试它。
First, I met the Missing grant for this add-in
error in my add-in.首先,我在我的加载项中遇到了
Missing grant for this add-in
。 Then, I had the same error with the sample project: https://learn.microsoft.com/en-us/office/dev/add-ins/quickstarts/sso-quickstart .然后,我在示例项目中遇到了同样的错误: https://learn.microsoft.com/en-us/office/dev/add-ins/quickstarts/sso-quickstart 。 Note that I don't have this error with https://learn.microsoft.com/en-us/office/dev/add-ins/develop/create-sso-office-add-ins-nodejs .
请注意,我没有https://learn.microsoft.com/en-us/office/dev/add-ins/develop/create-sso-office-add-ins-nodejs的错误。
I created a test Azure account: test.sso.2023@gmail.com
and registered the app .我创建了一个测试 Azure 帐户:
test.sso.2023@gmail.com
并注册了该应用程序。 I put the updated code of sso-quickstart
that produces the error in this repository .我将产生错误的
sso-quickstart
的更新代码放入此存储库中。
After launching the code we could sign in Excel Online in Chrome, then sideload the add-in.启动代码后,我们可以在 Chrome 中在线登录 Excel,然后旁加载加载项。 Clicking on the button
Get My User Profile Information
launched Office.auth.getAccessToken
, which raised the error POST https://login.microsoftonline.com/consumers/oauth2/v2.0/token 400 (Bad Request)
and Missing grant for this add-in.
单击按钮
Get My User Profile Information
启动Office.auth.getAccessToken
,这引发了错误POST https://login.microsoftonline.com/consumers/oauth2/v2.0/token 400 (Bad Request)
和Missing grant for this add-in.
The request https://login.microsoftonline.com/consumers/oauth2/v2.0/token
returned返回的请求
https://login.microsoftonline.com/consumers/oauth2/v2.0/token
AADSTS70000: The request was denied because one or more scopes requested are unauthorized or expired.
AADSTS70000:请求被拒绝,因为请求的一个或多个范围未经授权或已过期。 The user must first sign in and grant the client application access to the requested scope...
用户必须首先登录并授予客户端应用程序访问所请求的 scope...
The JSON of my settings on the Microsoft Identity Platform:我在Microsoft Identity Platform上设置的JSON:
{
"id": "f61962fb-722b-465f-a265-4a1e70a744e3",
"acceptMappedClaims": null,
"accessTokenAcceptedVersion": 2,
"addIns": [],
"allowPublicClient": null,
"appId": "e55f4769-4293-4b71-94ea-5eb16dcfe41d",
"appRoles": [],
"oauth2AllowUrlPathMatching": false,
"createdDateTime": "2023-01-31T19:16:20Z",
"description": null,
"certification": null,
"disabledByMicrosoftStatus": null,
"groupMembershipClaims": null,
"identifierUris": [
"api://localhost:3000/e55f4769-4293-4b71-94ea-5eb16dcfe41d"
],
"informationalUrls": {
"termsOfService": null,
"support": null,
"privacy": null,
"marketing": null
},
"keyCredentials": [],
"knownClientApplications": [],
"logoUrl": null,
"logoutUrl": null,
"name": "sso",
"notes": null,
"oauth2AllowIdTokenImplicitFlow": false,
"oauth2AllowImplicitFlow": false,
"oauth2Permissions": [
{
"adminConsentDescription": "Allow Office to have read/write permissions to all user files and read permissions to all user mail. Office can call the app's web APIs as the current user.",
"adminConsentDisplayName": "Read/write permissions to user files. Read permissions to user mail and profiles.",
"id": "9b6c01b1-9818-4eb3-898c-e412fad8ae03",
"isEnabled": true,
"lang": null,
"origin": "Application",
"type": "User",
"userConsentDescription": "Allow Office to have read/write permissions to your files, and read permissions to your mail and profile.",
"userConsentDisplayName": "Read/write permissions to your files. Read permissions to your mail and profile.",
"value": "access_as_user"
}
],
"oauth2RequirePostResponse": false,
"optionalClaims": null,
"orgRestrictions": [],
"parentalControlSettings": {
"countriesBlockedForMinors": [],
"legalAgeGroupRule": "Allow"
},
"passwordCredentials": [
{
"customKeyIdentifier": null,
"endDate": "2023-07-30T18:17:18.762Z",
"keyId": "10c2239b-b83c-4085-b277-a37931990aa1",
"startDate": "2023-01-31T19:17:18.762Z",
"value": null,
"createdOn": "2023-01-31T19:17:25.3206496Z",
"hint": "~l2",
"displayName": "secret"
}
],
"preAuthorizedApplications": [
{
"appId": "ea5a67f6-b6f3-4338-b240-c655ddc3cc8e",
"permissionIds": [
"9b6c01b1-9818-4eb3-898c-e412fad8ae03"
]
},
{
"appId": "d3590ed6-52b3-4102-aeff-aad2292ab01c",
"permissionIds": [
"9b6c01b1-9818-4eb3-898c-e412fad8ae03"
]
},
{
"appId": "93d53678-613d-4013-afc1-62e9e444a0a5",
"permissionIds": [
"9b6c01b1-9818-4eb3-898c-e412fad8ae03"
]
}
],
"publisherDomain": null,
"replyUrlsWithType": [
{
"url": "https://localhost:3000/fallbackauthdialog.html",
"type": "Spa"
}
],
"requiredResourceAccess": [
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "14dad69e-099b-42c9-810b-d002981feec1",
"type": "Scope"
},
{
"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
"type": "Scope"
},
{
"id": "37f7f235-527c-4136-accd-4a02d197296e",
"type": "Scope"
}
]
}
],
"samlMetadataUrl": null,
"signInUrl": null,
"signInAudience": "AzureADandPersonalMicrosoftAccount",
"tags": [],
"tokenEncryptionKeyId": null
}
And API permissions which can also be found in the above JSON:而API权限也可以在上面的JSON中找到:
Does anyone know what may be the cause of this error?有谁知道这个错误的原因可能是什么?
Redirect URIs: https://localhost:3000 (should it be https://localhost:3000 or https://localhost:8000?)
重定向 URI:https://localhost:3000(应该是 https://localhost:3000 还是 https://localhost:8000?)
Of course.当然。 There is nothing running on localhost:3000.
localhost:3000 上没有任何运行。 Everything should use the same URL.
一切都应该使用相同的 URL。
Anyway, I'd suggest trying to create an empty add-in and use the automatic tool for registering the web add-in in Azure. Following that way you can be sure that SSO is working correctly for your tenant and the warning shown on the screenshot is not related to that if the sample add-in is working correctly.无论如何,我建议尝试创建一个空加载项并使用自动工具在 Azure 中注册 web 加载项。按照这种方式,您可以确保 SSO 为您的租户正常工作,并且警告显示在如果示例加载项工作正常,屏幕截图与此无关。 Then you can start delving deeper with your existing solution to find the root cause.
然后,您可以开始更深入地研究现有解决方案以找到根本原因。
The configure-sso
NPM package can help setting things up correctly for your sample add-in. configure-sso
NPM package 可以帮助正确设置示例加载项。 See Single sign-on (SSO) quick start for a guide.有关指南,请参阅单点登录 (SSO) 快速入门。
I tried to reproduce the same in my environment and got below results:我试图在我的环境中重现相同的结果并得到以下结果:
I ran the below commands to create My Office Add-in
for Excel using JavaScript and Single-sign-on by selecting required options:我运行了以下命令,通过选择所需选项,使用 JavaScript 和单点登录为Excel创建
My Office Add-in
:
npm install -g yo generator-office
yo office
Response:回复:
Now I ran npm run configure-sso
that took me to browser where I picked one user credentials:现在我运行
npm run configure-sso
将我带到浏览器,我在其中选择了一个用户凭据:
Once the login is successful, I got output saying new application is registered successfully in Azure AD and updated source files automatically like below:登录成功后,我得到 output 说新应用程序已在 Azure AD 中成功注册并自动更新源文件,如下所示:
When I checked the same in Portal, Azure AD application is registered successfully with below details:当我在门户中检查相同内容时,Azure AD 应用程序已成功注册,详情如下:
I have below API permissions added to the application automatically like below:我将以下API 权限自动添加到应用程序中,如下所示:
When I checked Expose an API
tab, it added below details like App ID URI, scopes etc...当我检查
Expose an API
选项卡时,它在下面添加了详细信息,例如 App ID URI、范围等...
I have below Redirect URIs added to my application:我在我的应用程序中添加了以下重定向 URI :
When I ran npm start
command, it asked to install certificate initially like below:当我运行
npm start
命令时,它最初要求安装证书,如下所示:
This opened Excel with My Office Add-in
where I got consent screen like below:这使用
My Office Add-in
其中获得了如下所示的同意屏幕:
After consenting to the permissions, I got the user profile details successfully like below:同意权限后,我成功获得了用户个人资料详细信息,如下所示:
In your case, make sure to have one Azure account with active Azure subscriptions and assign Global administrator
role to the test user account on that tenant, which is required to consent the permissions.在您的情况下,请确保拥有一个 Azure 帐户和有效的 Azure 订阅,并将
Global administrator
角色分配给该租户的测试用户帐户,这是同意权限所必需的。
If you don't have active Azure accounts, get Free Trial subscription by clicking Start free
button in this link .如果您没有有效的 Azure 帐户,请单击此链接中的
Start free
按钮获取免费试用订阅。
Now, repeat the whole process by configuring the add-in again with this user credentials .现在,通过使用此用户凭据再次配置加载项来重复整个过程。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.