请求访问令牌时的资源参数?
Resource parameter when requesting access token?
我正在关注 this guide 以使用 Microsoft Graph 进行身份验证。我能够成功执行第一个请求(获取授权码),但在处理第二个请求(请求访问令牌)时遇到问题。
第二个请求的参数(用于访问令牌):
client_id: <my id>
client_secret: <my secret>
code: <authorization code returned from first request>
redirect_uri: http://localhost:8080/Callback
grant_type: authorization_code
scope: https://graph.microsoft.com/user.read
第二个请求出错:
{
"error": "invalid_resource",
"error_description": "AADSTS50001: Resource identifier is not provided.\r\nTrace ID: <my trace id>\r\nCorrelation ID: <my correlation id>\r\nTimestamp: 2017-05-03 15:25:42Z",
"error_codes": [
50001
],
"timestamp": "2017-05-03 15:25:42Z",
"trace_id": <my trace id>,
"correlation_id": <my correlation id>
}
但是,如果我添加这个额外的参数,我的请求工作正常(returns 一个承载和刷新令牌):
resource: https://graph.microsoft.com/
除了 Getting an access 下的 example 之外,我没有在文档中的任何地方看到这个 resource 参数this page.
上的令牌
我的问题是:
- 当我的请求似乎与文档相符时,为什么会出现上述错误?
- 什么时候需要包含 resource 参数?
编辑:请参阅下面马克的回答和我的评论回复。
原来我使用的是以下网址:
https://login.microsoftonline.com/common/oauth2/authorize
https://login.microsoftonline.com/common/oauth2/token
我应该在什么时候使用:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
https://login.microsoftonline.com/common/oauth2/v2.0/token
使用 v2.0 后,我不再需要在令牌请求中包含我的 resource 参数。
The target resource is invalid because it does not exist, Azure AD cannot find it, or it is not correctly configured.
根据https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-scopes,
...The same is true for any third-party resources that have integrated with Azure AD. Any of these resources also can define a set of permissions that can be used to divide the functionality of that resource into smaller chunks.
然后
By defining these types of permissions, the resource has fine-grained control over its data and how the data is exposed. A third-party app can request these permissions from an app user. The app user must approve the permissions before the app can act on the user's behalf. By chunking the resource's functionality into smaller permission sets, third-party apps can be built to request only the specific permissions that they need to perform their function. App users can know exactly how an app will use their data, and they can be more confident that the app is not behaving with malicious intent.
所以,回答 1) 我认为您只需要在应用程序的 Azure AD 页面中指定 user.read 权限。要回答 2),您不会为第三方应用程序指定资源。
您提供的属性似乎正确,但格式不正确。要获得令牌,您需要发出 POST 此数据格式 application/x-www-form-urlencoded 到 https://login.microsoftonline.com/common/oauth2/v2.0/token。从您的示例来看,您发送的数据似乎是 JSON 而不是 x-www-form-urlencoded.
POST URL: https://login.microsoftonline.com/common/oauth2/v2.0/token
POST HEADER: Content-Type: application/x-www-form-urlencoded
POST BODY: grant_type=authorization_code&code=[AUTHORIZATION CODE]&
client_id=[APPLICATION ID]&client_secret=[PASSWORD]
&scope=[SCOPE]&redirect_uri=[REDIRECT URI]
我在几个月前写了一篇 Microsoft v2 Endpoint Primer,可能有助于引导您完成整个过程。
我正在关注 this guide 以使用 Microsoft Graph 进行身份验证。我能够成功执行第一个请求(获取授权码),但在处理第二个请求(请求访问令牌)时遇到问题。
第二个请求的参数(用于访问令牌):
client_id: <my id>
client_secret: <my secret>
code: <authorization code returned from first request>
redirect_uri: http://localhost:8080/Callback
grant_type: authorization_code
scope: https://graph.microsoft.com/user.read
第二个请求出错:
{
"error": "invalid_resource",
"error_description": "AADSTS50001: Resource identifier is not provided.\r\nTrace ID: <my trace id>\r\nCorrelation ID: <my correlation id>\r\nTimestamp: 2017-05-03 15:25:42Z",
"error_codes": [
50001
],
"timestamp": "2017-05-03 15:25:42Z",
"trace_id": <my trace id>,
"correlation_id": <my correlation id>
}
但是,如果我添加这个额外的参数,我的请求工作正常(returns 一个承载和刷新令牌):
resource: https://graph.microsoft.com/
除了 Getting an access 下的 example 之外,我没有在文档中的任何地方看到这个 resource 参数this page.
上的令牌我的问题是:
- 当我的请求似乎与文档相符时,为什么会出现上述错误?
- 什么时候需要包含 resource 参数?
编辑:请参阅下面马克的回答和我的评论回复。
原来我使用的是以下网址:
https://login.microsoftonline.com/common/oauth2/authorize
https://login.microsoftonline.com/common/oauth2/token
我应该在什么时候使用:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
https://login.microsoftonline.com/common/oauth2/v2.0/token
使用 v2.0 后,我不再需要在令牌请求中包含我的 resource 参数。
The target resource is invalid because it does not exist, Azure AD cannot find it, or it is not correctly configured.
根据https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-scopes,
...The same is true for any third-party resources that have integrated with Azure AD. Any of these resources also can define a set of permissions that can be used to divide the functionality of that resource into smaller chunks.
然后
By defining these types of permissions, the resource has fine-grained control over its data and how the data is exposed. A third-party app can request these permissions from an app user. The app user must approve the permissions before the app can act on the user's behalf. By chunking the resource's functionality into smaller permission sets, third-party apps can be built to request only the specific permissions that they need to perform their function. App users can know exactly how an app will use their data, and they can be more confident that the app is not behaving with malicious intent.
所以,回答 1) 我认为您只需要在应用程序的 Azure AD 页面中指定 user.read 权限。要回答 2),您不会为第三方应用程序指定资源。
您提供的属性似乎正确,但格式不正确。要获得令牌,您需要发出 POST 此数据格式 application/x-www-form-urlencoded 到 https://login.microsoftonline.com/common/oauth2/v2.0/token。从您的示例来看,您发送的数据似乎是 JSON 而不是 x-www-form-urlencoded.
POST URL: https://login.microsoftonline.com/common/oauth2/v2.0/token
POST HEADER: Content-Type: application/x-www-form-urlencoded
POST BODY: grant_type=authorization_code&code=[AUTHORIZATION CODE]&
client_id=[APPLICATION ID]&client_secret=[PASSWORD]
&scope=[SCOPE]&redirect_uri=[REDIRECT URI]
我在几个月前写了一篇 Microsoft v2 Endpoint Primer,可能有助于引导您完成整个过程。