Why does acquiring an Azure AD token by refresh token have no signing algorithm?

When I obtain a token through the authorization code (authContext.acquireTokenByAuthorizationCode), I get a signed JWT (idToken) with the correct headers:

{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "wLLmYfsqdQuWtV_-hnVtDJJZM3Q",
  "kid": "wLLmYfsqdQuWtV_-hnVtDJJZM3Q"
}

But when I use the refresh token to obtain a new token (authContext.acquireTokenByRefreshToken(...)), it returns an unsigned JWT:

{
  "typ": "JWT",
  "alg": "none"
}

How can I get a signed JWT?

return authContext.acquireTokenByRefreshToken( refreshToken, new ClientCredential( clientId, clientSecret ), null );

I could not reproduce your issue on my side. I followed this tutorial to obtain the authentication code and used the following code to successfully get the access token and refresh token. Please refer to it.

import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;
import com.microsoft.aad.adal4j.ClientCredential;

import java.net.URI;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

public class GetTokenByAuthenticationCode {

    private static final String APP_ID = "***";
    private static final String APP_SECRET = "***";
    private static final String REDIRECT_URI = "http://localhost:8080";
    private static final String tenant = "***";

    public static void main(String[] args) throws Exception {

        // Authority of the tenant the application is registered in
        String authority = "https://login.microsoftonline.com/" + tenant + "/oauth2/authorize";
        // ADAL4J executes its token requests on this executor
        ExecutorService service = Executors.newFixedThreadPool(1);

        // Authorization code received on the redirect URI after the user signed in
        String code = "***";

        AuthenticationContext context = new AuthenticationContext(authority, true, service);

        URI url = new URI(REDIRECT_URI);

        // Redeem the authorization code for an access token and a refresh token
        Future<AuthenticationResult> result = context.acquireTokenByAuthorizationCode(
                code,
                url,
                new ClientCredential(APP_ID, APP_SECRET),
                null
        );
        String token = result.get().getAccessToken();
        System.out.println(token);
        String refreshToken = result.get().getRefreshToken();
        System.out.println(refreshToken);

        // Redeem the refresh token for a new access token and refresh token
        Future<AuthenticationResult> result1 = context.acquireTokenByRefreshToken(
                refreshToken,
                new ClientCredential(APP_ID, APP_SECRET),
                null
        );

        String tokenNew = result1.get().getAccessToken();
        String refreshTokenNew = result1.get().getRefreshToken();
        System.out.println(tokenNew);
        System.out.println(refreshTokenNew);

        // The pool's threads are non-daemon, so shut it down to let the JVM exit
        service.shutdown();
    }
}

Decoded:


Updated answer:

First of all, apologies for the mistake. I replaced getIdToken with getAccessToken and got the same result as you. Then I searched the response parameters in Authorize access to Azure Active Directory web applications using the OAuth 2.0 code grant flow and found the statement about the id_token parameter.

An unsigned JSON Web Token (JWT) representing an ID token. The app can base64Url decode the segments of this token to request information about the user who signed in. The app can cache the values and display them, but it should not rely on them for any authorization or security boundaries.

So the id token is just a segment that cannot be relied on. If you want to obtain a full id token, please refer to the OpenID flow.
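As an added illustration of the point in the updated answer (not code from the question, the answer, or ADAL4J): the helper below base64url-decodes the segments of an id_token the way the quoted documentation describes, and then refuses to hand its claims to authorization logic when the header says "alg": "none" or the signature segment is empty. The sample tokens are constructed here with headers modelled on the two shown in the question and made-up claims; passing this gate only rules out unsigned tokens, the RS256 signature itself must still be verified against the tenant's published keys (header kid / x5t) before the claims are trusted.

```python
import base64
import json

# Signing algorithms an Azure AD id_token is expected to carry; "none" is never accepted.
ALLOWED_ALGS = {"RS256"}


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt(token: str):
    """Split header.payload.signature into (dict, dict, bytes) without verifying anything.
    The unsigned id_token has an empty third segment; that is judged in gate_id_token()."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims, b64url_decode(parts[2])


def gate_id_token(token: str) -> dict:
    """Return claims only if the header names an allowed alg and a signature is present.
    Necessary, not sufficient: the signature must still be verified against the tenant's
    published keys (header kid / x5t) before any authorization decision is made."""
    header, claims, signature = decode_jwt(token)
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS or not signature:
        raise ValueError(f"unsigned or disallowed id_token (alg={alg!r}); display-only")
    return claims


def build_token(header: dict, claims: dict, signature: bytes = b"") -> str:
    """Constructed-sample builder for test data; the signature is a placeholder, not computed."""
    return ".".join([b64url_encode(json.dumps(h).encode()) for h in (header, claims)]
                    + [b64url_encode(signature)])


# Constructed samples: headers modelled on the question's, claims are made up.
SAMPLE_CLAIMS = {"upn": "alice@contoso.example", "tid": "<tenant-id-placeholder>"}
SIGNED_TOKEN = build_token({"typ": "JWT", "alg": "RS256", "kid": "wLLmYfsqdQuWtV_-hnVtDJJZM3Q"},
                           SAMPLE_CLAIMS, b"placeholder-signature")
UNSIGNED_TOKEN = build_token({"typ": "JWT", "alg": "none"}, SAMPLE_CLAIMS)
```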