Skype for Business in Azure UCWA authentication - Issued token not accepted
I am integrating a Java application with Skype for Business in Azure using UCWA; below is the list of steps I performed. When everything seemed to be working and covered, I got stuck at an unexpected place. The solution is probably something simple, like adding an additional permission, but I cannot find it. Also, I believe this post will help people who are stuck at the earlier stages.
1. Register the application in the Azure portal:
- Register it as a native application
- Add the required permissions: all Skype for Business Online permissions
- Grant the permissions for all users
- Get the Application ID (used later as the client ID)
2. HTTP GET. By the way, (tenant) should be replaced with the actual tenant name.
Request:
curl -X GET \
http://lyncdiscover.(tenant).onmicrosoft.com/ \
-H 'cache-control: no-cache' \
-H 'content-type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW' \
-H 'postman-token: b45b8fee-852f-4678-3631-3a06727d99fc' \
-F Capture=undefined
Response:
`{
"_links": {
"self": {
"href": "https://webdir0a.online.lync.com/Autodiscover/AutodiscoverService.svc/root?originalDomain=(tenant).onmicrosoft.com"
},
"xframe": {
"href": "https://webdir3a.online.lync.com/Autodiscover/AutodiscoverService.svc/root/xframe"
},
"redirect": {
"href": "https://webdir3a.online.lync.com/Autodiscover/AutodiscoverService.svc/root?originalDomain=(tenant).onmicrosoft.com"
}
}
}`
HTTP GET the redirect url:
curl -X GET \
'https://webdir3a.online.lync.com/Autodiscover/AutodiscoverService.svc/root?originalDomain=(tenant).onmicrosoft.com' \
-H 'cache-control: no-cache' \
-H 'postman-token: 273cad2b-a9a9-9882-8634-b52f9a9976b5'
Response:
{
"_links": {
"self": {
"href": "https://webdir3a.online.lync.com/Autodiscover/AutodiscoverService.svc/root?originalDomain=(tenant).onmicrosoft.com"
},
"user": {
"href": "https://webdir3a.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user?originalDomain=(tenant).onmicrosoft.com"
},
"xframe": {
"href": "https://webdir3a.online.lync.com/Autodiscover/XFrame/XFrame.html"
}
}
}
3. Get the user url:
curl -X GET \
'https://webdir3a.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user?originalDomain=(tenant).onmicrosoft.com' \
-H 'cache-control: no-cache' \
-H 'postman-token: af9ab0bd-dc6f-b2f3-e7d9-23941aac5537'
Response: 401 Unauthorized
Read the response HTTP header and extract
`authorization_uri="https://login.windows.net/common/oauth2/authorize"`
4. POST to the authorization url:
client_id = the Application ID from the Azure portal app registration
resource=00000004-0000-0ff1-ce00-000000000000 (the SfB resource ID)
curl -X POST \
https://login.windows.net/common/oauth2/token \
-H 'cache-control: no-cache' \
-H 'content-type: application/x-www-form-urlencoded;charset=UTF-8' \
-H 'postman-token: 39902b3f-00c3-e7a8-75d0-6b94f10e07ed' \
-d 'resource=00000004-0000-0ff1-ce00-000000000000&client_id=XXXX-XXXX-XXXX&grant_type=password&username=actualUserName@tenant.com&password=actual_password&scope=openid'
Response:
`{
"token_type": "Bearer",
"scope": "Contacts.ReadWrite Conversations.Initiate Conversations.Receive Meetings.ReadWrite User.ReadWrite",
"expires_in": "3599",
"ext_expires_in": "0",
"expires_on": "1518196708",
"not_before": "1518192808",
"resource": "00000004-0000-0ff1-ce00-000000000000",
"access_token": "eyJ0...",
"refresh_token": "AQABA...",
"id_token": "eyJ0e..."
}`
Yes, I got an actual token and everything seemed fine, but it was not. When I fetch the user url again with this token, the response is now 403 Forbidden, and I am stuck.
`curl -X GET \
'https://webdir3a.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user?originalDomain=(tenant).onmicrosoft.com' \
-H 'authorization: Bearer eyJ0eXA...' \
-H 'cache-control: no-cache' \
-H 'postman-token: ff0a80bd-5025-5b28-3f1c-cf9205890812'`
Response: 403 Forbidden
` <body>
<div id="header">
<h1>Server Error</h1>
</div>
<div id="content">
<div class="content-container">
<fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset>
</div>
</div>
</body>`
The mistake is in step #4, the resource parameter. The correct request uses the user server url as the resource parameter:
curl -X POST \
https://login.windows.net/common/oauth2/token \
-H 'cache-control: no-cache' \
-H 'content-type: application/x-www-form-urlencoded;charset=UTF-8' \
-H 'postman-token: 39902b3f-00c3-e7a8-75d0-6b94f10e07ed' \
-d 'resource=https://webdir3a.online.lync.com&client_id=XXXX-XXXX-XXXX&grant_type=password&username=actualUserName@tenant.com&password=actual_password&scope=openid'
Then use the received token to get the application url from the user url.
Once the application url has been retrieved, a new token request must be posted to get a token for the application server, which in my case is:
curl -X POST \
https://login.windows.net/common/oauth2/token \
-H 'cache-control: no-cache' \
-H 'content-type: application/x-www-form-urlencoded;charset=UTF-8' \
-H 'postman-token: 39902b3f-00c3-e7a8-75d0-6b94f10e07ed' \
-d 'resource=https://webpoolsn23a14.infra.lync.com&client_id=XXXX-XXXX-XXXX&grant_type=password&username=actualUserName@tenant.com&password=actual_password&scope=openid'
This token can finally be used to create the application and the other messaging services.
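The fix above comes down to one rule: the `resource` in the token request must be the origin of the server the token will be presented to, and each server (the webdir host, then the webpool host) needs its own token. The following Python is an added example, not the poster's Java code or anything from Microsoft's UCWA samples. It parses the 401 challenge for `authorization_uri`, derives the token endpoint the way the post does (`/authorize` becomes `/token`), derives the `resource` from the URL that returned the challenge, and checks an issued token's `resource` claim against the target origin before using it, which is the check that would have flagged the app-ID value that produced the 403. The challenge header (its name and `Bearer` scheme), the `_links` document, the client id and the credentials are constructed placeholders based on the shapes shown in the post.

```python
"""Resource selection for UCWA token requests (added example, offline)."""
import re
from urllib.parse import urlencode, urlsplit

# Constructed: the 401 challenge value; only authorization_uri comes from the post.
SAMPLE_CHALLENGE = (
    'Bearer authorization_uri="https://login.windows.net/common/oauth2/authorize"'
)

# Constructed from the autodiscover response shown in the post (tenant placeholder kept).
SAMPLE_ROOT = {
    "_links": {
        "self": {"href": "https://webdir3a.online.lync.com/Autodiscover/AutodiscoverService.svc/root?originalDomain=(tenant).onmicrosoft.com"},
        "user": {"href": "https://webdir3a.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user?originalDomain=(tenant).onmicrosoft.com"},
    }
}

# The value that was sent as 'resource' in the failing request from the post.
SFB_APP_ID = "00000004-0000-0ff1-ce00-000000000000"


def link(doc, rel):
    """href of a _links entry in an autodiscover/UCWA document (KeyError if absent)."""
    return doc["_links"][rel]["href"]


def parse_authorization_uri(challenge):
    """Pull authorization_uri out of the challenge header that comes with the 401."""
    m = re.search(r'authorization_uri="([^"]+)"', challenge)
    if not m:
        raise ValueError("challenge carries no authorization_uri")
    return m.group(1)


def token_endpoint(authorization_uri):
    """The post posts to .../oauth2/token on the same authority as .../oauth2/authorize."""
    if not authorization_uri.endswith("/authorize"):
        raise ValueError("unexpected authorization_uri shape")
    return authorization_uri[: -len("/authorize")] + "/token"


def resource_for(url):
    """resource = scheme://host of the server the token will be sent to.

    A token issued for webdir3a.online.lync.com is not accepted by the webpool
    host and vice versa, so the caller computes this once per target host.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("resource must be an https origin")
    return f"{parts.scheme}://{parts.hostname}"


def token_request(endpoint, resource, client_id, username, password):
    """Body of the password-grant request exactly as the post sends it (form-encoded)."""
    body = urlencode({
        "resource": resource,
        "client_id": client_id,
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": "openid",
    })
    headers = {"content-type": "application/x-www-form-urlencoded;charset=UTF-8"}
    return {"url": endpoint, "headers": headers, "data": body}


def token_fits(token_response, target_url):
    """True when the issued token's 'resource' is the origin of target_url.

    Running this before the GET catches the mismatch behind the 403 in the post:
    a token whose resource is the SfB app ID is not valid for the webdir host.
    """
    return token_response.get("resource") == resource_for(target_url)


def plan_user_token(root_doc, challenge, client_id, username, password):
    """Given the autodiscover document and the 401 challenge from the user url,
    return the user url and the token request that will be accepted there."""
    user_url = link(root_doc, "user")
    endpoint = token_endpoint(parse_authorization_uri(challenge))
    req = token_request(endpoint, resource_for(user_url), client_id, username, password)
    return user_url, req


if __name__ == "__main__":
    url, req = plan_user_token(SAMPLE_ROOT, SAMPLE_CHALLENGE,
                               "XXXX-XXXX-XXXX", "user@tenant.com", "placeholder")
    print("POST", req["url"])
    print(req["data"])
    print("app-id token fits user url:", token_fits({"resource": SFB_APP_ID}, url))
    print("origin token fits user url:",
          token_fits({"resource": "https://webdir3a.online.lync.com"}, url))
```

The same `resource_for` call is applied a second time to the application url returned from the user resource, which is how the post ends up with `https://webpoolsn23a14.infra.lync.com` as the resource of the second token request. Keeping the check in `token_fits` on the client side means a wrong audience is caught from the token response itself rather than from a 403 HTML page.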