stackoom
  简体   繁体   中英

IdentityServer3 Microsoft Graph scopes and flow

 原文  2016-12-14 16:40:07       c#/ azure/ azure-active-directory/ identityserver3/ microsoft-graph

Question

My solution has been working fine authenticating against Azure AD via IdentityServer3. Now we're trying to integrate some Microsoft Graph features. Sadly, it's failing miserably.

Running through one of the demo ( https://graph.microsoft.io/en-us/docs/get-started/aspnetmvc ) projects, the documentation details the registration of a new application at the Microsoft App Registration Portal ( https://apps.dev.microsoft.com ) and explicitly tell the application to allow implicit flow.

Make sure the Allow Implicit Flow check box is selected, and enter http://localhost:55065/ as the Redirect URI. The Allow Implicit Flow option enables the OpenID Connect hybrid flow. During authentication, this enables the app to receive both sign-in info (the id_token) and artifacts (in this case, an authorization code) that the app uses to obtain an access token.

Of course, we already have an application registered on our production portal of Azure that does our Authentication, and from our Client in IdentityServer3, we have the flows set as Flow = Flows.Implicit which would seem to indicate that we're now only allowing implicit flow, but expecting implicit flow.

When I add in the additional scopes - offline_access User.Read Mail.Send - I'm no longer able to successfully authenticate, instead, I'm receiving an error stating Invalid Scope .

My concern is that the "Microsoft App Registration Portal" is just different enough from real life, that something is not being set properly. There's no specific "Allow Implicit Flow" setting on production Azure App Registration, so is it really accepting Implicit Flow ?

Has anyone had any luck integrating these two systems and receiving the desired results of full utilization of Microsoft Graph from a single authentication against Azure AD utilizing IdentityServer3?

1 answers

solution1
 0  2016-12-14 20:16:29

Enabling the implicit grant flow in the Azure AD Registration portal requires adding "oauth2AllowImplicitFlow":true in your app manifest. The "Enabling OAuth 2.0 implicit grant for Single Page Applications" section of this document has detailed step-by-step directions on how to do that:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-integrating-applications

Additionally implicit grant flows will not give you a refresh token, the offline_access scope is specifically asking for a refresh token. I would suggest removing that scope.

Here's a good doc for more reading on the details of implicit grant on AAD:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-dev-understanding-oauth2-implicit-grant

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question identityserver3 openid configuration not showing all scopes How to switch from Hybrid flow to ResourceOwner flow with IdentityServer3 Using ASP.NET Role Authorisation with IdentityServer3 implicit flow ThinkTecture IdentityServer3 vs Microsoft.Owin.Security.OAuth2 How to include Microsoft graph in scopes? Identityserver4 with IdentityServer3 AccessTokenValidation IdentityServer3 and JWT ValidateIssuerSigningKey remote login identityserver3 IdentityServer3 - Exception handling setup IdentityServer3 in azure
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM