Azure AD OAuth2 访问令牌请求错误 - 400 错误请求
Azure AD OAuth2 Access Token Request Error - 400 Bad Request
我的 WPF 桌面应用程序 (C#) 正在尝试通过 Microsoft Graph API 读取用户的 Outlook 电子邮件。我被困在身份验证过程中;我已经收到了一个身份验证代码,现在我正在尝试从 Azure 获取访问令牌,但在发送 访问令牌 请求时不断收到 HTTP 400 错误代码:
/**** Auth Code Retrieval ****/
string authCodeUrl = "https://login.microsoftonline.com/common/oauth2/authorize";
authCodeUrl += "?client_id" = clientId;
authCodeUrl += "&redirect_uri=" + redirectUri;
authCodeUrl += "&response_type=code";
authCodeUrl += "&resource=https%3A%2F%2Fgraph.microsoft.com%2F";
Process.start(authUrl); // User logs in, we get the auth code after login
string code = "......"; // Hidden for this post
/**** Access Token Retrieval ****/
string tokenUrl = "https://login.microsoftonline.com/common/oauth2/token"
string content = "grant_type=authorization_code";
content += "&client_id=" + clientId;
content += "&resource=https%3A%2F%2Fgraph.microsoft.com%2F";
content += "&code=" + code;
content += "&redirect_uri=" + redirectUri;
WebRequest request = WebRequest.Create(tokenUrl);
request.ContentType = "application/x-www-form-urlencoded";
byte[] data = Encoding.UTF8.GetBytes(content);
request.ContentLength = data.Length;
request.Method = "POST";
try
{
using (Stream stream = request.GetRequestStream())
{
stream.Write(data, 0, data.Length);
}
WebResponse response = request.GetResponse(); // This throws exception
}
catch (Exception error) // This catches the exception
{
Console.WriteLine(error.Message); // Outputs 400, bad request
}
以上是用于检索授权码的代码,然后尝试检索访问令牌。我们没有 client_secret,因为机密仅适用于 Web 应用程序,而且这是本机桌面 WPF 应用程序。我读过这不是问题。我在网上看了很多教程和官方文档,主要是the official Graph authorization doc,但我仍然无法弄清楚我做错了什么。任何帮助将不胜感激,谢谢。
如果您不使用客户端密码,则需要配置您的租户以支持隐式授权流。您可以按照 this 博客 post 中的说明执行/验证配置。这需要使用 Azure 管理门户下载、修改和上传应用程序清单。
或者,可能更好的策略是将您的代码切换为使用 converged v2.0 authentication endpoints. It allows management of your application using the new app registration portal and nicely supports implicit flow and dynamic scopes. You can find more information about the actual authentication flow here。它与您现在所做的相差不远,只需要一些小的调整。
如果在此之后您仍然遇到问题,请再次联系我们。提琴手/网络跟踪将非常有帮助。此外,异常中的详细消息也将非常有帮助。
我用了fiddler to debug the request and I found the full error message: The user or administrator has not consented to use the application. I googled this message for a bit and found some stack articles and github issue threads that lead me to the solution: my request had been using "common", in the base URL, as the tenant ID when actually I needed to use my Azure tenant ID which I acquired through this answer on stack。我的身份验证请求的新基础 URL 现在看起来像:
https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/authorize
其中 "xxxx-....xxx" 将替换为您的 Azure 租户 ID!
我的 WPF 桌面应用程序 (C#) 正在尝试通过 Microsoft Graph API 读取用户的 Outlook 电子邮件。我被困在身份验证过程中;我已经收到了一个身份验证代码,现在我正在尝试从 Azure 获取访问令牌,但在发送 访问令牌 请求时不断收到 HTTP 400 错误代码:
/**** Auth Code Retrieval ****/
string authCodeUrl = "https://login.microsoftonline.com/common/oauth2/authorize";
authCodeUrl += "?client_id" = clientId;
authCodeUrl += "&redirect_uri=" + redirectUri;
authCodeUrl += "&response_type=code";
authCodeUrl += "&resource=https%3A%2F%2Fgraph.microsoft.com%2F";
Process.start(authUrl); // User logs in, we get the auth code after login
string code = "......"; // Hidden for this post
/**** Access Token Retrieval ****/
string tokenUrl = "https://login.microsoftonline.com/common/oauth2/token"
string content = "grant_type=authorization_code";
content += "&client_id=" + clientId;
content += "&resource=https%3A%2F%2Fgraph.microsoft.com%2F";
content += "&code=" + code;
content += "&redirect_uri=" + redirectUri;
WebRequest request = WebRequest.Create(tokenUrl);
request.ContentType = "application/x-www-form-urlencoded";
byte[] data = Encoding.UTF8.GetBytes(content);
request.ContentLength = data.Length;
request.Method = "POST";
try
{
using (Stream stream = request.GetRequestStream())
{
stream.Write(data, 0, data.Length);
}
WebResponse response = request.GetResponse(); // This throws exception
}
catch (Exception error) // This catches the exception
{
Console.WriteLine(error.Message); // Outputs 400, bad request
}
以上是用于检索授权码的代码,然后尝试检索访问令牌。我们没有 client_secret,因为机密仅适用于 Web 应用程序,而且这是本机桌面 WPF 应用程序。我读过这不是问题。我在网上看了很多教程和官方文档,主要是the official Graph authorization doc,但我仍然无法弄清楚我做错了什么。任何帮助将不胜感激,谢谢。
如果您不使用客户端密码,则需要配置您的租户以支持隐式授权流。您可以按照 this 博客 post 中的说明执行/验证配置。这需要使用 Azure 管理门户下载、修改和上传应用程序清单。
或者,可能更好的策略是将您的代码切换为使用 converged v2.0 authentication endpoints. It allows management of your application using the new app registration portal and nicely supports implicit flow and dynamic scopes. You can find more information about the actual authentication flow here。它与您现在所做的相差不远,只需要一些小的调整。
如果在此之后您仍然遇到问题,请再次联系我们。提琴手/网络跟踪将非常有帮助。此外,异常中的详细消息也将非常有帮助。
我用了fiddler to debug the request and I found the full error message: The user or administrator has not consented to use the application. I googled this message for a bit and found some stack articles and github issue threads that lead me to the solution: my request had been using "common", in the base URL, as the tenant ID when actually I needed to use my Azure tenant ID which I acquired through this answer on stack。我的身份验证请求的新基础 URL 现在看起来像:
https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/authorize
其中 "xxxx-....xxx" 将替换为您的 Azure 租户 ID!