AADSTS70000: Transmission data parser failure: Authorization Code is malformed or invalid

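I'm having trouble authenticating users with a Microsoft account. I am using OpenId Connect authentication, but when I call the AcquireTokenByAuthorizationCodeAsync method I get the following message.

Exception thrown: 'Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException' in System.Private.CoreLib.dll: 'AADSTS70000: Transmission data parser failure: Authorization Code is malformed or invalid.'

The auth options are as follows: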

services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;

        }).AddOpenIdConnect(openIdOptions => 
        {
            openIdOptions.ResponseType = OpenIdConnectResponseType.CodeIdToken;
            openIdOptions.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            openIdOptions.Authority = String.Format(CultureInfo.InvariantCulture, "https://login.microsoftonline.com/{0}{1}", "common", "/v2.0");
            openIdOptions.ClientId = Configuration["MicrosoftAuth:ClientId"];
            openIdOptions.ClientSecret = Configuration["MicrosoftAuth:ClientSecret"];
            openIdOptions.SaveTokens = true;
            openIdOptions.TokenValidationParameters = new TokenValidationParameters{
                ValidateIssuer = false
            };
            var scopes = Configuration["MicrosoftAuth:Scopes"].Split(' ');
            foreach (string scope in scopes){
                openIdOptions.Scope.Add(scope);
            }
            openIdOptions.Events = new OpenIdConnectEvents{
                OnAuthorizationCodeReceived = async (context) =>
                {   
                    var code = context.ProtocolMessage.Code;
                    var identifier = context.Principal.Claims.First(item => item.Type == ObjectIdentifierType).Value;
                    IMemoryCache memoryCache = context.HttpContext.RequestServices.GetRequiredService<IMemoryCache>();
                    var result = await GetTokenByAuthorizationCodeAsync(identifier, code, memoryCache);
                    context.HandleCodeRedemption(result.AccessToken, result.IdToken);
                },
            };
        });

This is what my GetTokenByAuthorizationCodeAsync looks like (I know it's not pretty, I'm just trying to get it working):

public async Task<AuthenticationResult> GetTokenByAuthorizationCodeAsync(string userId, string code, IMemoryCache memoryCache)
    {
        TokenCache userTokenCache = new SessionTokenCache(userId, memoryCache).GetCacheInstance();
        try
        {
            AuthenticationContext authContext = new AuthenticationContext("https://login.microsoftonline.com/common/oauth2/v2.0/token/", userTokenCache);
            ClientCredential credential = new ClientCredential(Configuration["MicrosoftAuth:ClientId"], Configuration["MicrosoftAuth:ClientSecret"]);
            string[] scope = new List<String>().Append("https://graph.windows.net").ToArray();
            AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(code,new Uri(Configuration["MicrosoftAuth:RedirectUri"]), credential, Configuration["MicrosoftAuth:ResourceId"]);
            return result;
        }
        catch (Exception)
        {
            return null;
        }
    }

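I don't know what is causing the error. The authorization code works if I send the request with Postman, but I am still unable to add a resource ID to that request.

I have registered the application in Microsoft's Application Registration Portal (https://apps.dev.microsoft.com/).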

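You are using the Microsoft.IdentityModel.Clients.ActiveDirectory library to acquire the access token. That library is for Azure AD apps registered in the Azure portal, not for the Azure AD v2.0 endpoint.

To acquire a token for an Azure AD v2.0 app, we can use the MSAL library. Here is a code sample for your reference: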

OnAuthorizationCodeReceived = async (context) =>
{
    var code = context.ProtocolMessage.Code;
    ConfidentialClientApplication cca =
        new ConfidentialClientApplication(Configuration["AzureAD:ClientId"], Configuration["AzureAd:PostLogoutRedirectUri"]+ "signin-oidc", new ClientCredential(Configuration["AzureAD:Secret"]), null, null);
    var result =await cca.AcquireTokenByAuthorizationCodeAsync(code,new string[]{"user.read"});
    context.HandleCodeRedemption(result.AccessToken, result.IdToken);
}
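
The following is an added example, not code from the question or the answer. It builds (without sending) the raw code-redemption request for each endpoint version, showing that v1 identifies the target API with a `resource` parameter while v2.0 takes `scope` values, so a code from a v2.0 sign-in is redeemed with scopes at the v2.0 token endpoint. The type and method names are hypothetical and every value passed in is a constructed placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;

public enum AadEndpoint { V1, V2 }

public static class CodeRedemption
{
    // Token endpoints of the multi-tenant "common" authority.
    public static Uri TokenEndpoint(AadEndpoint ep) => new Uri(ep == AadEndpoint.V2
        ? "https://login.microsoftonline.com/common/oauth2/v2.0/token"
        : "https://login.microsoftonline.com/common/oauth2/token");

    // Builds the POST that redeems an authorization code at the endpoint version
    // that issued it. v1 names the target API with "resource"; v2.0 takes
    // space-separated "scope" values instead. This example rejects mixed input.
    public static HttpRequestMessage Build(AadEndpoint issuedBy, string code,
        string clientId, string clientSecret, string redirectUri,
        string resource = null, string[] scopes = null)
    {
        var form = new Dictionary<string, string>
        {
            ["grant_type"] = "authorization_code",
            ["code"] = code,
            ["client_id"] = clientId,
            ["client_secret"] = clientSecret,
            ["redirect_uri"] = redirectUri
        };
        if (issuedBy == AadEndpoint.V2)
        {
            if (resource != null || scopes == null || scopes.Length == 0)
                throw new ArgumentException("v2.0: pass scopes, not a resource id.");
            form["scope"] = string.Join(" ", scopes);
        }
        else
        {
            if (scopes != null || string.IsNullOrEmpty(resource))
                throw new ArgumentException("v1: pass a resource id, not scopes.");
            form["resource"] = resource;
        }
        return new HttpRequestMessage(HttpMethod.Post, TokenEndpoint(issuedBy))
        { Content = new FormUrlEncodedContent(form) };
    }

    public static void Main()
    {
        // Constructed placeholders. The body holds the client secret, so only the URI is printed.
        var req = Build(AadEndpoint.V2, "PLACEHOLDER_CODE", "PLACEHOLDER_CLIENT_ID",
            "PLACEHOLDER_SECRET", "https://localhost:5001/signin-oidc", scopes: new[] { "user.read" });
        Console.WriteLine(req.RequestUri);
    }
}
```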
