
Error "AADSTS50194: Application 'xxxxxxxx' is not configured as a multi-tenant application" when using 'azure/msal-browser' reactjs package

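I have a SPA application that is trying to sign in to Azure AD using the 'azure/msal-browser' reactjs package.

The app is set up to use single-tenant authentication in the Azure app registration. The authConfig.js file is also set to use single-tenant authentication, but I keep getting the error message: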

AADSTS50194: Application 'xxxxxxxx' is not configured as a multi-tenant application

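I have found similar posts, but they all point to setting the authority parameter, which I have already done.

The scenario I am trying to implement is silent login with page redirect. This is the official sample I based my implementation on.

Here are the steps to reproduce:

  1. Install msal-browser

  2. Configure the AuthConfig.js file according to your app registration: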

     const msalConfig = {
       auth: {
         clientId: "Application (client) ID",
         authority: "https://login.microsoftonline.com/<Directory (tenant) ID>/",
         redirectUri: "<app url(must be a allowed URL redirect for SPA application type)>"
       },
       // ...
     };

     export const loginRequest = {
       scopes: ["openid", "User.Read"]
     };

  3. And the code that acquires the token:

     import { PublicClientApplication } from "@azure/msal-browser";
     import { loginRequest } from "../../authConfig";

     // this is my simplified version of the method `getTokenRedirect` present in the sample.
     export const acquireIdToken = async (msalInstanceParam) => {
       const msalInstance = new PublicClientApplication(loginRequest);
       const activeAccount = msalInstance.getActiveAccount();
       const accounts = msalInstance.getAllAccounts();
       const request = {
         scopes: ["User.Read"],
         account: activeAccount || accounts[0]
       };
       // throws http code 400 error with message 'AADSTS50194 ...'
       const authResult = await msalInstance.acquireTokenSilent(request);
       return authResult.idToken;
     };

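Interestingly, I am able to sign in successfully, get redirected to the SPA application, acquire a token, and retrieve the username from the token, but for some reason the application calls https://login.microsoftonline.com/common/oauth2/v2.0/token and I get this error in the console.

Any clues?

Browser logs (update):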

[HMR] Waiting for update signal from WDS...
authConfig.js:36 [Thu, 23 Jun 2022 17:09:59 GMT] : @azure/msal-react@1.3.1 : Info - useAccount - Updating account
authConfig.js:36 [Thu, 23 Jun 2022 17:09:59 GMT] : @azure/msal-browser@2.22.1 : Info - Emitting event: msal:handleRedirectStart
authConfig.js:36 [Thu, 23 Jun 2022 17:09:59 GMT] : @azure/msal-react@1.3.1 : Info - MsalProvider - msal:handleRedirectStart results in setting inProgress from startup to handleRedirect
authConfig.js:36 [Thu, 23 Jun 2022 17:09:59 GMT] : [78728aa2-9ecd-4399-994a-4d8ab8801b13] : msal.js.browser@2.22.1 : Info - handleRedirectPromise called but there is no interaction in progress, returning null.
RequestInterceptor.tsx:27 Wrapped Fetch started for resource planning
GetToken.js:22 acquire token ...
authConfig.js:36 [Thu, 23 Jun 2022 17:09:59 GMT] : @azure/msal-react@1.3.1 : Info - useAccount - Updating account
authConfig.js:36 [Thu, 23 Jun 2022 17:09:59 GMT] : @azure/msal-browser@2.22.1 : Info - Emitting event: msal:handleRedirectEnd
authConfig.js:36 [Thu, 23 Jun 2022 17:09:59 GMT] : @azure/msal-react@1.3.1 : Info - MsalProvider - msal:handleRedirectEnd results in setting inProgress from handleRedirect to none
RequestInterceptor.tsx:27 Wrapped Fetch started for resource https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=https://login.microsoftonline.com/common/oauth2/v2.0/authorize
authConfig.js:36 [Thu, 23 Jun 2022 17:09:59 GMT] : @azure/msal-react@1.3.1 : Info - useAccount - Updating account
RequestInterceptor.tsx:27 Wrapped Fetch started for resource https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
RequestInterceptor.tsx:27 Wrapped Fetch started for resource https://login.microsoftonline.com/common/oauth2/v2.0/token
RequestInterceptor.tsx:33
RequestInterceptor.tsx:33          POST https://login.microsoftonline.com/common/oauth2/v2.0/token 400 (Bad Request)

Apparently, from inspecting the logs, the endpoint discovery is supplying an authority URL that overrides the one I configured:

https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=https://login.microsoftonline.com/common/oauth2/v2.0/authorize

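First, the authority needs to target the organizations endpoint (for work or school accounts) or the common endpoint (for all of the above plus personal accounts), rather than being tenant-specific. For example: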

{
  authority: "https://login.microsoftonline.com/organizations/", 
  //  authority: "https://login.microsoftonline.com/common/", 
}

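Finally, you need to configure your app registration as multi-tenant. Update its app manifest and make sure signInAudience is set to AzureADMultipleOrgs or AzureADandPersonalMicrosoftAccount. The latter requires accessTokenAcceptedVersion to be set to 2.

Cheers!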
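
One way to confirm from the console log which authority the requests actually use, and to compare it with authConfig.js and the manifest's signInAudience. This is an added example, not code from the original post or from MSAL. The function names and the all-zero tenant GUID are assumptions, and the two sample log lines are condensed from the log above.

```javascript
// Added example. Function names and the all-zero tenant GUID are assumptions.
// Extract the tenant path segment from a login.microsoftonline.com URL.
function tenantSegment(url) {
  let parsed;
  try { parsed = new URL(url); } catch { return null; }
  if (parsed.hostname !== "login.microsoftonline.com") return null;
  const first = parsed.pathname.split("/").filter(Boolean)[0];
  return first ? first.toLowerCase() : null;
}

// Tenant segments of every Azure AD URL that appears in the console log.
function observedTenants(logLines) {
  const seen = new Set();
  for (const line of logLines) {
    for (const m of line.matchAll(/https:\/\/login\.microsoftonline\.com\/[^\s?&]+/g)) {
      const seg = tenantSegment(m[0]);
      if (seg) seen.add(seg);
    }
  }
  return [...seen];
}

// Compare configured authority, manifest signInAudience and observed traffic.
function checkAuthority(configuredAuthority, signInAudience, logLines) {
  const configured = tenantSegment(configuredAuthority);
  const findings = [];
  for (const seg of observedTenants(logLines)) {
    if (seg !== configured) {
      findings.push(`requests go to /${seg}/ but authConfig.js sets /${configured}/`);
    }
    if (signInAudience === "AzureADMyOrg" && seg === "common") {
      findings.push("single-tenant registration called via /common/: AADSTS50194 expected");
    }
  }
  return findings;
}

// Constructed input: placeholder tenant GUID, two lines condensed from the log above.
const sampleLog = [
  "RequestInterceptor.tsx:27 Wrapped Fetch started for resource https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration",
  "RequestInterceptor.tsx:33 POST https://login.microsoftonline.com/common/oauth2/v2.0/token 400 (Bad Request)",
];
const sampleAuthority = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/";
console.log(checkAuthority(sampleAuthority, "AzureADMyOrg", sampleLog));
```

An empty result means every logged request used the tenant set in authConfig.js.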
