使用 Microsoft Graph 的增量 OAuth 同意 api
Incremental OAuth consent with Microsoft Graph api
我们在 Azure AD 中有一个使用 Microsoft Graph API 的应用程序。该应用程序使用 4 个基本权限成功运行:电子邮件、个人资料 User.Read User.ReadBasic.All
这些权限允许普通用户(非管理员)OAuth 验证我们的应用程序。
我们现在正在为管理员用户构建一项功能,让他们可以查看自己的群组。组范围需要管理员同意,如下所示:http://graph.microsoft.io/en-us/docs/authorization/permission_scopes
棘手的一点是,如果我在 Azure AD 的委派权限下添加 Group.Read.All 权限,这会导致普通用户能够登录并出现可怕的错误 "AADSTS90093: Calling principal cannot consent due to lack of permissions".
我曾尝试手动制作明确请求范围的 OAuth 授权 url,但这也不起作用。这是我使用的示例 url:
https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&redirect_uri=https%3A%2F%2Fl.xxxxxx.com%3A50000%2Fauth%2Fmicrosoft_graph%2Fcallback&client_id=xxxxxx-xxx-xxx-xxx-xxxx&scope=https%3A%2F%2Fgraph.microsoft.com%2Femail%20https%3A%2F%2Fgraph.microsoft.com%2Fprofile%20https%3A%2F%2Fgraph.microsoft.com%2FUser.Read%20https%3A%2F%2Fgraph.microsoft.com%2FUser.ReadBasic.All%20https%3A%2F%2Fgraph.microsoft.com%2FGroup.Read.All
我如何要求所有用户获得基本权限,但让管理员稍后在应用程序中请求额外权限?
我已经查看过的一些资源无济于事:
http://www.mikepackdev.com/blog_posts/2-Dynamically-Requesting-Facebook-Permissions-with-OmniAuth
Switching between web and touch interfaces on Facebook login using Omniauth and Rails 3
https://github.com/zquestz/omniauth-google-oauth2/issues/143
https://azure.microsoft.com/en-us/documentation/articles/active-directory-protocols-oauth-code/
Azure AD V2.0 端点已经支持增量和动态同意。您可以注册该应用程序以使用 here.
中的 Azure AD V2.0 身份验证端点
我们可以提供普通用户和admin登录两个按钮,以下是普通用户使用V2.0端点登录的步骤,供大家参考:
1.sign 并获取 OAuth 代码:
GET: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={clientId}&scope=openid%20https%3A%2F%2Fgraph.microsoft.com%2FMail.ReadWrite%20https%3A%2F%2Fgraph.microsoft.com%2FUser.ReadBasic.All%20https%3A%2F%2Fgraph.microsoft.com%2FUser.Read&response_type=code+id_token&&redirect_uri={redirectUri}&nonce=678910
2.Request 用于访问令牌
POST: https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id={clientId}&scope=openid%20https%3A%2F%2Fgraph.microsoft.com%2FMail.ReadWrite%20https%3A%2F%2Fgraph.microsoft.com%2FUser.ReadBasic.All%20https%3A%2F%2Fgraph.microsoft.com%2FUser.Read
&code={codeFromPreviousRequest}&redirect_uri={RedirectUri}&grant_type=authorization_code&client_secret={client_secret}
为了让管理员登录,我们只需添加带有上述请求的附加范围。以下是有关此主题的一些有用文章:
What's different about the v2.0 endpoint?
v2.0 Protocols - OpenID Connect
v2.0 Protocols - OAuth 2.0 Authorization Code Flow
我们在 Azure AD 中有一个使用 Microsoft Graph API 的应用程序。该应用程序使用 4 个基本权限成功运行:电子邮件、个人资料 User.Read User.ReadBasic.All
这些权限允许普通用户(非管理员)OAuth 验证我们的应用程序。
我们现在正在为管理员用户构建一项功能,让他们可以查看自己的群组。组范围需要管理员同意,如下所示:http://graph.microsoft.io/en-us/docs/authorization/permission_scopes
棘手的一点是,如果我在 Azure AD 的委派权限下添加 Group.Read.All 权限,这会导致普通用户能够登录并出现可怕的错误 "AADSTS90093: Calling principal cannot consent due to lack of permissions".
我曾尝试手动制作明确请求范围的 OAuth 授权 url,但这也不起作用。这是我使用的示例 url:
https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&redirect_uri=https%3A%2F%2Fl.xxxxxx.com%3A50000%2Fauth%2Fmicrosoft_graph%2Fcallback&client_id=xxxxxx-xxx-xxx-xxx-xxxx&scope=https%3A%2F%2Fgraph.microsoft.com%2Femail%20https%3A%2F%2Fgraph.microsoft.com%2Fprofile%20https%3A%2F%2Fgraph.microsoft.com%2FUser.Read%20https%3A%2F%2Fgraph.microsoft.com%2FUser.ReadBasic.All%20https%3A%2F%2Fgraph.microsoft.com%2FGroup.Read.All
我如何要求所有用户获得基本权限,但让管理员稍后在应用程序中请求额外权限?
我已经查看过的一些资源无济于事:
http://www.mikepackdev.com/blog_posts/2-Dynamically-Requesting-Facebook-Permissions-with-OmniAuth
Switching between web and touch interfaces on Facebook login using Omniauth and Rails 3
https://github.com/zquestz/omniauth-google-oauth2/issues/143
https://azure.microsoft.com/en-us/documentation/articles/active-directory-protocols-oauth-code/
Azure AD V2.0 端点已经支持增量和动态同意。您可以注册该应用程序以使用 here.
中的 Azure AD V2.0 身份验证端点我们可以提供普通用户和admin登录两个按钮,以下是普通用户使用V2.0端点登录的步骤,供大家参考:
1.sign 并获取 OAuth 代码:
GET: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={clientId}&scope=openid%20https%3A%2F%2Fgraph.microsoft.com%2FMail.ReadWrite%20https%3A%2F%2Fgraph.microsoft.com%2FUser.ReadBasic.All%20https%3A%2F%2Fgraph.microsoft.com%2FUser.Read&response_type=code+id_token&&redirect_uri={redirectUri}&nonce=678910
2.Request 用于访问令牌
POST: https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id={clientId}&scope=openid%20https%3A%2F%2Fgraph.microsoft.com%2FMail.ReadWrite%20https%3A%2F%2Fgraph.microsoft.com%2FUser.ReadBasic.All%20https%3A%2F%2Fgraph.microsoft.com%2FUser.Read
&code={codeFromPreviousRequest}&redirect_uri={RedirectUri}&grant_type=authorization_code&client_secret={client_secret}
为了让管理员登录,我们只需添加带有上述请求的附加范围。以下是有关此主题的一些有用文章:
What's different about the v2.0 endpoint?
v2.0 Protocols - OpenID Connect v2.0 Protocols - OAuth 2.0 Authorization Code Flow