I want access tokens with multiple scopes including http

·Task
I want to include multiple scopes and allow access for those scopes with the same access token. I have configured Azure Active Directory as per the attached image. This condition was specified as follows, and an access token was issued with multiple scopes included.

curl -X POST \
  -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
  --data-urlencode "client_id=<client_id>" \
  --data-urlencode "client_secret=<client_secret>" \
  --data-urlencode "username=testuser@thoughtspot.com" \
  --data-urlencode "password=*****" \
  --data-urlencode "grant_type=password" \
  --data-urlencode "scope=https://<application_id>/session:role-any email openid profile" \
  https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token

When I visualized the issued access token on the following site, only session:role-any was included in the access token.
https://jwt.ms/
By the way, when I included only email openid profile in the scope, email openid profile was included in the access token.

·Question
How can I include the multiple scopes above (session:role-any email openid profile) in the access token? Also, is this even possible?

·Reference site
https://docs.thoughtspot.com/cloud/latest/connections-snowflake-azure-ad-oauth
I may be wrong. If so, please let me know the correct way of thinking.

I tried to reproduce the same in my environment and got the results like below:

I agree with junnas, an access token does not work with multiple scopes. So, you need to generate two access tokens, one for the API and one for Graph.

I generated the access token for two scopes like below:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
client_secret:ClientSecret
username:admin@xxxx.onmicrosoft.com 
password:*****
grant_type:password
scope:api://*****/app.test email openid profile

[screenshot]

Note that: if you are passing two scopes, then it will consider only the first scope while generating the access token.

The decoded access token shows only the API scope like below:

[screenshot]

The aud doesn't include the Microsoft Graph scope and hence doesn't authorize Graph calls.

So, make sure to generate two access tokens separately, one for the API scope and another for the Graph scope.

I tried to generate the access token for the Microsoft Graph scope like below:

[screenshot]

The decoded token contains the Microsoft Graph scope and audience like below:

[screenshot]
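As an added example for this thread (not the asker's or the answerer's code), the script below does what the answer recommends in a repeatable way: it splits one scope string into groups by resource, builds one v2.0 token request per group, and checks the returned token's aud and scp offline before handing it to a client. It assumes the ROPC ("password") grant and endpoint layout used above; tenant, client and user values are placeholders, and the sample JWT at the bottom is constructed for the offline check, not a real Azure AD token. OIDC scopes (openid, profile, email, offline_access) name no resource, so they are sent with every request; an unprefixed scope is treated as Microsoft Graph, as the v2.0 endpoint does.

```python
"""Issue one Azure AD v2.0 access token per resource and verify each one."""
import base64
import json
import urllib.parse
import urllib.request
from collections import OrderedDict

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH = "https://graph.microsoft.com"
# OIDC scopes shape the ID/refresh token, not a resource: added to every request.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}


def resource_of(scope):
    """Audience part of a v2.0 scope: 'api://1234/app.test' -> 'api://1234'.

    A bare scope such as 'User.Read' has no resource prefix; v2.0 reads it as Graph.
    """
    if "://" not in scope:
        return GRAPH
    return scope.rsplit("/", 1)[0]


def short_name(scope):
    """'https://<app>/session:role-any' -> 'session:role-any' (the form used in scp)."""
    return scope.rsplit("/", 1)[-1] if "://" in scope else scope


def split_scopes_by_resource(scope_string):
    """Group requested scopes by resource; an access token carries a single aud,
    so every group must become its own token request."""
    groups, oidc = OrderedDict(), []
    for s in scope_string.split():
        if s in OIDC_SCOPES:
            oidc.append(s)
        else:
            groups.setdefault(resource_of(s), []).append(s)
    return OrderedDict((r, scopes + oidc) for r, scopes in groups.items())


def build_token_requests(tenant, client_id, client_secret, username, password, scope_string):
    """One (url, form body) pair per resource named in scope_string."""
    base = {"client_id": client_id, "client_secret": client_secret,
            "username": username, "password": password, "grant_type": "password"}
    url = TOKEN_URL.format(tenant=tenant)
    return [(url, dict(base, scope=" ".join(scopes)))
            for scopes in split_scopes_by_resource(scope_string).values()]


def fetch_token(url, form):
    """POST one request and return the JSON response (live tenant only)."""
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded;charset=UTF-8"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def decode_jwt_payload(token):
    """Claims of a compact JWT with the signature NOT verified: fine for inspecting
    what came back (what jwt.ms shows); the receiving API must verify signature,
    issuer and aud itself."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def token_covers(token, expected_aud, scopes):
    """True if the token is issued for expected_aud and scp grants every
    non-OIDC scope. expected_aud is the API's application ID URI or client ID
    (Azure AD emits one or the other depending on the app registration)."""
    claims = decode_jwt_payload(token)
    if claims.get("aud") != expected_aud:
        return False
    granted = set(claims.get("scp", "").split())
    return all(short_name(s) in granted for s in scopes if s not in OIDC_SCOPES)


def unsigned_jwt(payload):
    """Constructed sample token for offline checks; the signature part is a dummy."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(payload) + ".sig"


if __name__ == "__main__":
    for url, form in build_token_requests("<tenant_id>", "<client_id>", "<client_secret>",
                                          "testuser@thoughtspot.com", "*****",
                                          "https://<application_id>/session:role-any User.Read email openid profile"):
        print(url, "scope=" + form["scope"])  # two requests: one per resource
```

Run it against a real tenant by passing each (url, form) pair to fetch_token and then token_covers on the returned access_token, with the API's application ID URI (or client ID) as expected_aud; a Graph token will fail that check, which is the behaviour the answer observed.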

Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you reproduce them, please credit this site or the original URL. For any questions contact yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM