Microsoft Graph：如何在客戶端憑據流中使用證書獲取訪問令牌？ （而不是使用 client_secret）

Question

目標

我想使用證書而不是針對 Microsoft Graph 的客戶端密碼對我的守護程序應用程序進行身份驗證，並希望了解成功進行身份驗證所需的確切請求。

使用以下資源：

• https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#second-case-access-token-request-with-a-certificate
• https://docs.microsoft.com/en-us/graph/auth-v2-service
• https://laurakokkarinen.com/authenticating-to-office-365-apis-with-a-certificate-step-by-step/
• https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-OAPX/%5BMS-OAPX%5D.pdf

您的應用程序的 Azure AD 配置是否有錯誤？

所有 Azure AD 配置均事先使用client-secret進行了測試。 證書公鑰也是事先上傳的：

請求和問題

我設法創建了這個請求（租戶 ID、客戶端 ID、證書只是假人）

價值觀：

grant_type : urn:ietf:params:oauth:client-assertion-type:jwt-bearer
client_assertion_type ： logon_cert
client_id ： my-client-id-from-azure
scope : https://graph.microsoft.com/.default
client_assertion : JWT 包含

• Header：（x5t包含上傳證書的base64編碼證書sha1指紋，見上圖）

   { "typ": "JWT", "x5t": "QUY4RjBERERGMDBBOURGRUQ0MzkzODRGQTYzMjhFQ0FBRDNBOEUzNw", "alg": "RS256" }

• 有效載荷：

   { "iss": "my-client-id-from-azure", "sub": "my-client-id-from-azure", "scope": "https://graph.microsoft.com/.default", "aud": "https://login.microsoftonline.com/my-tenant-id/oauth2/v2.0/token", "iat": 1625591612, "nbf": 1625591612, "exp": 1625595212, "jti": "some-dynamically-generated-uuid" }

要求：

POST https://login.microsoftonline.com/my-tenant-id/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=eyJ0eXAiOiJKV1QiLCJ4NXQiOiJSRFUwTUVRd016RkdOakpGTUVOQk5UaEVPVFpGTXpBNFFrRkZNMFUzTmpFd01USkVPRFUwUWc9PSIsImFsZyI6IlJTMjU2In0.eyJpc3MiOiJteS1jbGllbnQtaWQtZnJvbS1henVyZSIsInNjb3BlIjoiaHR0cHM6Ly9ncmFwaC5taWNyb3NvZnQuY29tLy5kZWZhdWx0IiwiYXVkIjoiaHR0cHM6Ly9sb2dpbi5taWNyb3NvZnRvbmxpbmUuY29tL215LXRlbmFudC1pZC9vYXV0aDIvdjIuMC90b2tlbiIsImlhdCI6MTYyNTY2MDU3MywibmJmIjoxNjI1NjYwNTczLCJzdWIiOiJteS1jbGllbnQtaWQtZnJvbS1henVyZSIsImp0aSI6IjlhZTQwYTk2LTliMTgtNDRhOS1hOWM3LWE3NDZjMjA4OGUxMyIsImV4cCI6MTYyNTY2NDE3M30.pw81FeQirjIsnXGlLSLDG5Cz4rIdOuF54M8fPmDlubNs0-DoHpkj9OdrCXlCPDWvQLaYAs3mH9kcSP-Z4rf-NgaiCF-ECL-iA2xxvQ3n8JSDeaPPkLd6tMAKeMm5sEIcap7RJ8Fnt1kCflVAOIuYCh_zijJd9etQj-2wfbtiHnHtlpg6n0-4u7oj9wAx2naIU6J4dtgdIPypBTfwxyXtZWy0nkM8jde6Jr7CqVVlECdf7wyGwN1Jhwf6PeihKn8peQKaXzVnMmLpcCmjNENnTRM5PmhEQkCGOOR4hMJkdfCONWmOtSoRlndhCQypBQM-fzl_-sDviXNjAYKvrYTUM-kwZZBqKyzdekqMnxxwnaKmF1uGVnrSjad_AfW0A9Vg9UpaqGvsbe8Doq15I7KE46kzd4y3fDoibDQG-qaYL8LYKcrVUDkTw_PNfiyihlcaGjBvHVaMBsYhJJlNnohktO0OES0WO0iUlj_M0PuOF7JxYsPAQZM5uZGPTRCQhen_8khQ8z70C2YYz965kCROL9-WC53Ezbt1R0QjHR4UupV3CtQfZe_BkTG8vYu7SMWbxDEGZKb6cRsTCgzqmd6l3f6OGojQA_EAvFJpL0kw0d_tfYnY4ZkyLdcI3G3fMyhicm7qmkiq7ZRdnGL2uCl-tpxsoLD7UbvVPD3CS_LNAp4&client_id=my-client-id-from-azure&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&grant_type=client_credentials

回復：

我期待一個訪問令牌，相反，我得到一個401 Unauthorized聲明

{
  "error": "invalid_client",
  "error_description": "AADSTS700027: Client assertion contains an invalid signature. [Reason - The key was not found., Thumbprint of key used by client: 'some-other-thumbprint', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id 'my-app-id'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/my-app-id']\r\nTrace ID: some-uuid\r\nCorrelation ID: some-other-uuid\r\nTimestamp: 2021-07-07 12:25:46Z",
  "error_codes": [
    700027
  ],
  "timestamp": "2021-07-06 12:25:46Z",
  "trace_id": "some-uuid",
  "correlation_id": "some-other-uuid",
  "error_uri": "https://login.microsoftonline.com/error?code=700027"
}

我不知道問題可能是什么。

問題：

我究竟做錯了什么？

Answer 1

所以問題來自於創建x5t header 的方式。

在編碼base64之前，我誤解了在 state 指紋作為hex的文檔：

對於像這樣的指紋204C837E10143C1428D7911CB60ED0075C3E1062 ，字符串需要被視為 HEX 二進制文件，而不是簡單的字符串。

示例（PHP）：

偽代碼：

// load certificate
certificate = load_file('/path/to/cert.pem')
// fingerprint is hex string 204C837E10143C1428D7911CB60ED0075C3E1062
certificate_fingerprint_hex_string = x509fingerprint($certificate)

// hexademical string is being converted to binary format
certificate_fingerprint_binary = hex_to_binary(certificate_fingerprint_hex_string)

// binary format gets base64 encoded (not base64url) to IEyDfhAUPBQo15Ectg7QB1w+EGI=
x5t = base64_encode(certificate_fingerprint_binary)

請求（文檔）

Method和headers

POST https://login.microsoftonline.com/my-tenant-id/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

正文（尚未根據 Content-Type 格式化）

• client_id ： my-client-id-from-azure
• client_assertion_type : urn:ietf:params:oauth:client-assertion-type:jwt- bearer
• client_assertion ：見下面JWT 點擊這里了解詳情
• grant_type : client_credentials
• scope : https://graph.microsoft.com/.default

client_assertion

• Header：（ x5t包含上傳證書的base64編碼證書sha1指紋，見上圖）

   { "typ": "JWT", "x5t": "IEyDfhAUPBQo15Ectg7QB1w+EGI=", "alg": "RS256" }

• 有效載荷：

   { "iss": "my-client-id-from-azure", "sub": "my-client-id-from-azure", "scope": "https://graph.microsoft.com/.default", "aud": "https://login.microsoftonline.com/my-tenant-id/oauth2/v2.0/token", "iat": 1625591612, "nbf": 1625591612, "exp": 1625595212, "jti": "some-dynamically-generated-uuid" }

Answer 2

根據一些搜索，這里我如何創建 JWT 令牌來請求 accessToken：

需要 package

composer required firebase/php-jwt ramsey/uuid guzzlehttp/guzzle

php 代碼

<?php
use Firebase\JWT\JWT;
use Ramsey\Uuid\Uuid;

require_once (__DIR__.'/vendor/autoload.php');

$guzzle = new \GuzzleHttp\Client();
$authTenant = '';
$clientID = '';
$certPubFile = '';
$certPrivFile = '';

$url = 'https://login.microsoftonline.com/' . $authTenant . '/oauth2/v2.0/token';

$cert = openssl_x509_read(file_get_contents($certPubFile));
$sha1_hash = openssl_x509_fingerprint($cert); // sha1 hash (x5t parameter)
$jwt =  JWT::encode([
    'aud' => 'https://login.microsoftonline.com/common/oauth2/v2.0/token',
    'exp' => (new DateTime())->add(new DateInterval('PT150S'))->format('U'),
    'nbf' => time() - 1,
    'iss' => clientID,
    'sub' => clientID,
    'jti' => Uuid::uuid4(),
],
file_get_contents($certPrivFile),
'RS256',
null,
[
    "alg" => "RS256",
    "typ" => "JWT",
    "x5t" => base64_encode(pack('H*', $sha1_hash)),
]
);
$authFormParameters = [
    'client_id' => clientID,
    'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    'client_assertion' => $jwt,
    'scope' => 'https://graph.microsoft.com/.default',
    'grant_type' => 'client_credentials',
];

$token = json_decode($guzzle->post($url, [
'form_params' => $authFormParameters,
])->getBody()->getContents());
$accessToken = $token->access_token;