JWT CSOM/REST Azure Active Directory
We have been trying to make requests to SharePoint using CSOM/REST authentication with a bearer header that carries a token. It is related to the question below:
Only one link/example works; every other method fails, including the Android ADAL approach.
https://samlman.wordpress.com/2015/02/27/using-adal-access-tokens-with-o365-rest-apis-and-csom/
They do not seem to return the same kind of token. When we look at the tokens in a JWT parser we can see that the scp values differ: the failing one has user_impersonation, while the working one has AllSites.Manage AllSites.Read AllSites.Write MyFiles.Read MyFiles.Write. The aud URL is also different. Is one of these the problem, or both, and how do I make it work?
This is the failing one:
{
  "aud": "https://srmukdev.onmicrosoft.com/3Squared-Api-Test",
  "iss": "...",
  "iat": ...,
  "nbf": ...,
  "exp": ...,
  "acr": "...",
  "aio": "...",
  "amr": [
    "pwd",
    "mfa"
  ],
  "appid": "...",
  "appidacr": "0",
  "e_exp": ...,
  "family_name": "...",
  "given_name": "...",
  "ipaddr": "...",
  "name": "...",
  "oid": "...",
  "onprem_sid": "...",
  "platf": "3",
  "scp": "user_impersonation",
  "sub": "...",
  "tid": "...",
  "unique_name": "...",
  "upn": "...",
  "ver": "1.0"
}
This is the working one:
{
  "aud": "https://srmukdev.sharepoint.com/",
  "iss": "...",
  "iat": ...,
  "nbf": ...,
  "exp": ...,
  "acr": "...",
  "aio": "...",
  "amr": [
    "pwd",
    "mfa"
  ],
  "app_displayname": "...",
  "appid": "...",
  "appidacr": "0",
  "e_exp": ...,
  "family_name": "...",
  "given_name": "...",
  "ipaddr": "...",
  "name": "...",
  "oid": "...",
  "onprem_sid": "...",
  "platf": "3",
  "puid": "...",
  "scp": "AllSites.Manage AllSites.Read AllSites.Write MyFiles.Read MyFiles.Write",
  "sub": "...",
  "tid": "...",
  "unique_name": "...",
  "upn": "...",
  "ver": "1.0"
}
As you can see from its aud claim, an access token is issued for a specific resource. The first token is for authenticating to your custom resource.
To get a token for a specific resource, we can use the resource parameter to specify which resource we are requesting a token for. For example, if I want to get a token for the Microsoft Graph resource, we can construct a request like the following:

POST /{tenant}/oauth2/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&client_id=2d4d11a2-f814-46a7-890a-274a72a7309e
&code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGBCmLdgfSTLEMPGYuNHSUYBrqqf_ZT_p5uEAEJJ_nZ3UmphWygRNy2C3jJ239gV_DBnZ2syeg95Ki-374WHUP-i3yIhv5i-7KU2CEoPXwURQp6IVYMw-DjAOzn7C3JCu5wpngXmbZKtJdWmiBzHpcO2aICJPu1KvJrDLDP20chJBXzVYJtkfjviLNNW7l7Y3ydcHDsBRKZc3GuMQanmcghXPyoDg41g8XbwPudVh7uCmUponBQpIhbuffFP_tbV8SNzsPoFz9CLpBCZagJVXeqWoYMPe2dSsPiLO9Alf_YIe5zpi-zY4C3aLw5g9at35eZTfNd0gBRpR5ojkMIcZZ6IgAA
&redirect_uri=https%3A%2F%2Flocalhost%2Fmyapp%2F
&resource=https%3A%2F%2Fservice.contoso.com%2F
&client_secret=p@ssw0rd

If you want an access token for https://srmukdev.sharepoint.com/, you need to set the value of the resource parameter in the request to https://srmukdev.sharepoint.com/, according to the flow you are using.
For more details about the flows Azure AD supports for obtaining access tokens, you can refer to the link below:
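The answer above comes down to one pre-flight check a client can run before putting a token in an Authorization header: decode the payload and confirm that aud is the SharePoint resource URL and that scp carries SharePoint permissions rather than user_impersonation. The script below is an added example, not code from the question, the answer or Microsoft's libraries. It builds two constructed tokens whose aud and scp values are copied from the two payloads in the question (with placeholder signatures, because the check only reads the payload; it does not and cannot verify the signature, which is the resource server's job), and reports why a token will be rejected by the resource named in SHAREPOINT_RESOURCE. The scope prefixes it treats as "SharePoint permissions" are taken from the working token on this page and are not an exhaustive list.

```python
import base64
import json
import time

# Resource URL from the question; set this to the tenant's own SharePoint host.
SHAREPOINT_RESOURCE = "https://srmukdev.sharepoint.com/"

# Scope prefixes seen in the working token on this page (assumption: not exhaustive).
SHAREPOINT_SCOPE_PREFIXES = ("AllSites.", "MyFiles.")


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_test_token(payload: dict) -> str:
    """Build a JWT-shaped string (header.payload.signature) with a placeholder
    signature. Constructed test data only: nothing below trusts the signature."""
    header = {"typ": "JWT", "alg": "RS256"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(payload).encode()),
        "placeholder-signature",
    ])


def payload_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.
    This is a client-side diagnostic of what the token says about itself;
    only the resource server (SharePoint) decides whether it is valid."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def _normalize(uri: str) -> str:
    """Compare audiences ignoring case and a trailing slash."""
    return uri.strip().rstrip("/").lower()


def diagnose(token: str, resource: str, now=None) -> list:
    """List the reasons this token will not work as a bearer token for `resource`.
    An empty list means aud, scp and exp are all consistent with that resource."""
    claims = payload_claims(token)
    now = time.time() if now is None else now
    problems = []

    # aud: the token must have been issued for the resource it is sent to.
    aud = claims.get("aud", "")
    audiences = aud if isinstance(aud, list) else [aud]
    if not any(_normalize(a) == _normalize(resource) for a in audiences):
        problems.append(
            f"aud {aud!r} is not {resource!r}: the token was issued for another "
            f"resource; request it again with resource={resource}")

    # scp: user_impersonation on a custom API grants nothing on SharePoint.
    scopes = claims.get("scp", "").split()
    if not any(s.startswith(SHAREPOINT_SCOPE_PREFIXES) for s in scopes):
        problems.append(f"scp {claims.get('scp')!r} carries no SharePoint permissions")

    # exp: an otherwise correct token still fails once it has expired.
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and exp <= now:
        problems.append("token is expired (exp is in the past)")

    return problems


# Constructed samples: aud and scp copied from the two payloads in the question;
# exp is 2100-01-01 so the samples never expire on their own.
FAILING_TOKEN = build_test_token({
    "aud": "https://srmukdev.onmicrosoft.com/3Squared-Api-Test",
    "scp": "user_impersonation",
    "exp": 4102444800,
    "ver": "1.0",
})
WORKING_TOKEN = build_test_token({
    "aud": "https://srmukdev.sharepoint.com/",
    "scp": "AllSites.Manage AllSites.Read AllSites.Write MyFiles.Read MyFiles.Write",
    "exp": 4102444800,
    "ver": "1.0",
})

if __name__ == "__main__":
    for name, tok in (("failing", FAILING_TOKEN), ("working", WORKING_TOKEN)):
        print(name, diagnose(tok, SHAREPOINT_RESOURCE) or ["ok"])
```

Run it as-is and the failing token reports both an aud mismatch and the missing SharePoint scopes, while the working token reports nothing. To check a real token, pass the string taken from the ADAL result to diagnose() instead of a constructed one; a non-empty aud problem means the resource parameter used at the token endpoint was wrong, which is exactly the fix the answer describes.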