adal4j 授权问题
adal4j Auth issue
您好,我写了一个使用 Microsoft 活动目录的守护程序应用程序,该应用程序在开发环境中运行良好,但在生产环境(AWS EC2 实例)中出现此错误:
java.lang.Exception: Server returned error in RSTR - ErrorCode: FailedAuthentication : FaultMessage: MSIS7068 : accès refusé.
at com.microsoft.aad.adal4j.WSTrustResponse.parse(WSTrustResponse.java:103) ~[adal4j-1.0.0.jar:1.0.0]
at com.microsoft.aad.adal4j.WSTrustRequest.execute(WSTrustRequest.java:69) ~[adal4j-1.0.0.jar:1.0.0]
at com.microsoft.aad.adal4j.AuthenticationContext.processPasswordGrant(AuthenticationContext.java:790) ~[adal4j-1.0.0.jar:1.0.0]
at com.microsoft.aad.adal4j.AuthenticationContext.access[=10=]0(AuthenticationContext.java:63) ~[adal4j-1.0.0.jar:1.0.0]
at com.microsoft.aad.adal4j.AuthenticationContext.call(AuthenticationContext.java:129) [adal4j-1.0.0.jar:1.0.0]
at com.microsoft.aad.adal4j.AuthenticationContext.call(AuthenticationContext.java:119) [adal4j-1.0.0.jar:1.0.0]
at java.util.concurrent.FutureTask.run(FutureTask.java:266) [na:1.8.0_171]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_171]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_171]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_171]
2018-07-19 08:40:02.829 ERROR 5072 --- [nio-8083-exec-1] f.a.agent.reservation.utils.OAuth : java.util.concurrent.ExecutionException: java.lang.Exception: Server returned error in RSTR - ErrorCode: FailedAuthentication : FaultMessage: MSIS7068 : accès refusé.
我不明白这里发生了什么,因为 Dev 和 Prod envs 是 ISO。
这是连接到活动目录的class:
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;
import lombok.extern.java.Log;
@Log
public class OAuth {
private static String TOKEN = null;
private final static String AUTHORITY_URL = "https://login.microsoftonline.com/common/";
private final static String GRAPH_URL = "https://graph.microsoft.com";
private final static String CLIENT_ID = "*****";
private final static String USERNAME = "*****";
private final static String PASSWORD = "*****";
public static final String getToken() throws Exception {
if (null == TOKEN) {
AuthenticationContext context;
AuthenticationResult result = null;
ExecutorService service = null;
log.info("Auth with : " + USERNAME);
try {
service = Executors.newFixedThreadPool(1);
context = new AuthenticationContext(AUTHORITY_URL, false, service);
Future<AuthenticationResult> future = context.acquireToken(GRAPH_URL, CLIENT_ID, USERNAME, PASSWORD, null);
result = future.get();
}catch (Exception e){
log.severe(e.toString());
} finally {
service.shutdown();
}
if (result == null) {
log.severe("AUTH FAILLURE");
} else {
TOKEN = result.getAccessToken();
}
}
return TOKEN;
}
}
谢谢。
对于您正在使用的流程(resource owner password credential - 通过直接提供用户凭据),您必须使用特定于租户的端点。这意味着,您必须更改:
private final static String AUTHORITY_URL = "https://login.microsoftonline.com/common/";
到
private final static String AUTHORITY_URL = "https://login.microsoftonline.com/<tenant_id>/";
您可以在哪里使用租户域(即 yourdomain.onmicrosoft.com)或 <tenant_id> 中的 tenant_id。
我刚刚通过尝试使用从我公司网络获得的刷新令牌进行连接找到了这个问题的根源。
"error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.\r\nTrace ID: xxxxx\r\nCorrelation ID: xxxxxx b\r\nTimestamp: 2018-07-20 12:34:45Z","error":"interaction_required"
所以我知道我公司网络内部不需要双因素身份验证,但在公司网络外部需要。
我将不得不联系我公司的office 365管理员,以获得特殊帐户进行身份验证,而无需双因素身份验证。
您好,我写了一个使用 Microsoft 活动目录的守护程序应用程序,该应用程序在开发环境中运行良好,但在生产环境(AWS EC2 实例)中出现此错误:
java.lang.Exception: Server returned error in RSTR - ErrorCode: FailedAuthentication : FaultMessage: MSIS7068 : accès refusé.
at com.microsoft.aad.adal4j.WSTrustResponse.parse(WSTrustResponse.java:103) ~[adal4j-1.0.0.jar:1.0.0]
at com.microsoft.aad.adal4j.WSTrustRequest.execute(WSTrustRequest.java:69) ~[adal4j-1.0.0.jar:1.0.0]
at com.microsoft.aad.adal4j.AuthenticationContext.processPasswordGrant(AuthenticationContext.java:790) ~[adal4j-1.0.0.jar:1.0.0]
at com.microsoft.aad.adal4j.AuthenticationContext.access[=10=]0(AuthenticationContext.java:63) ~[adal4j-1.0.0.jar:1.0.0]
at com.microsoft.aad.adal4j.AuthenticationContext.call(AuthenticationContext.java:129) [adal4j-1.0.0.jar:1.0.0]
at com.microsoft.aad.adal4j.AuthenticationContext.call(AuthenticationContext.java:119) [adal4j-1.0.0.jar:1.0.0]
at java.util.concurrent.FutureTask.run(FutureTask.java:266) [na:1.8.0_171]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_171]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_171]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_171]
2018-07-19 08:40:02.829 ERROR 5072 --- [nio-8083-exec-1] f.a.agent.reservation.utils.OAuth : java.util.concurrent.ExecutionException: java.lang.Exception: Server returned error in RSTR - ErrorCode: FailedAuthentication : FaultMessage: MSIS7068 : accès refusé.
我不明白这里发生了什么,因为 Dev 和 Prod envs 是 ISO。
这是连接到活动目录的class:
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;
import lombok.extern.java.Log;
@Log
public class OAuth {
private static String TOKEN = null;
private final static String AUTHORITY_URL = "https://login.microsoftonline.com/common/";
private final static String GRAPH_URL = "https://graph.microsoft.com";
private final static String CLIENT_ID = "*****";
private final static String USERNAME = "*****";
private final static String PASSWORD = "*****";
public static final String getToken() throws Exception {
if (null == TOKEN) {
AuthenticationContext context;
AuthenticationResult result = null;
ExecutorService service = null;
log.info("Auth with : " + USERNAME);
try {
service = Executors.newFixedThreadPool(1);
context = new AuthenticationContext(AUTHORITY_URL, false, service);
Future<AuthenticationResult> future = context.acquireToken(GRAPH_URL, CLIENT_ID, USERNAME, PASSWORD, null);
result = future.get();
}catch (Exception e){
log.severe(e.toString());
} finally {
service.shutdown();
}
if (result == null) {
log.severe("AUTH FAILLURE");
} else {
TOKEN = result.getAccessToken();
}
}
return TOKEN;
}
}
谢谢。
对于您正在使用的流程(resource owner password credential - 通过直接提供用户凭据),您必须使用特定于租户的端点。这意味着,您必须更改:
private final static String AUTHORITY_URL = "https://login.microsoftonline.com/common/";
到
private final static String AUTHORITY_URL = "https://login.microsoftonline.com/<tenant_id>/";
您可以在哪里使用租户域(即 yourdomain.onmicrosoft.com)或 <tenant_id> 中的 tenant_id。
我刚刚通过尝试使用从我公司网络获得的刷新令牌进行连接找到了这个问题的根源。
"error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.\r\nTrace ID: xxxxx\r\nCorrelation ID: xxxxxx b\r\nTimestamp: 2018-07-20 12:34:45Z","error":"interaction_required"
所以我知道我公司网络内部不需要双因素身份验证,但在公司网络外部需要。
我将不得不联系我公司的office 365管理员,以获得特殊帐户进行身份验证,而无需双因素身份验证。