Azure Web 应用程序 - Azure AD - SPA - response_type 中缺少“令牌”

Azure Web App - Azure AD - SPA - `token` missing from response_type

我们正在使用 Azure Web 应用程序并使用该 Web 应用程序的身份验证来强制执行 Azure AD 身份验证。我们有一些工作,但正在尝试获取访问令牌,因为我们正在使用它来锁定 API 调用。查看网络调用,对 MSFT 端点的授权调用只有 "open_id code" 响应类型。显然,我可以将响应的代码转换为访问令牌,但我也应该能够在回调中获得访问令牌。

我已经检查过清单上的 oauth2AllowImplicitFlow 是否设置为 true,但我能找到的就这些了。

知道如何将 "token" 添加到 response_type 列表中吗?

open_id:这是一个范围,不是响应类型。你可能是说 id_token

code:表示应用服务正在执行Authorization Code flow。它使用返回的代码来交换实际的访问令牌。

据我了解,如果设置正确,您使用的是内置 AppService authentication. You probably don't need to change how AppService authenticates you. There is a good tutorial for it, but basically all you need to do is to call GET /.auth/me in your SPA to receive the tokens. GET /.auth/refresh will refresh 令牌。

GET https://xxx.azurewebsites.net/.auth/me


[
  {
    "access_token": "...",
    "expires_on": "2020-03-20T09:49:01.0000000Z",
    "id_token": "ey...",
    "provider_name": "aad",
    "refresh_token": "...",
    "user_claims": [
      {
        "typ": "foo",
        "val": "bar"
      },
      ...
    ],
    "user_id": "..."
  }
]

如果你真的想尝试搞乱内置的身份验证,你可以尝试更改它(取自上面提到的 "refresh" 说明)。由于刷新功能,您可能仍然需要执行部分操作。

Azure Active Directory: In https://resources.azure.com, do the following steps: 1. At the top of the page, select Read/Write.

  1. In the left browser, navigate to subscriptions > resourceGroups > > providers > Microsoft.Web > sites > > config > authsettings.

  2. Click Edit.

  3. Modify the following property. Replace with the Azure Active Directory application ID of the service you want to access.

"additionalLoginParams": ["response_type=code id_token", "resource=<app_id>"]