无法使用 msal-browser 静默或通过重定向获取令牌

Unable to acquire token silently or via redirect using msal-browser

我正在尝试开发一个 VueJS 单页应用程序,它将您登录到 AAD,以便我可以获得访问令牌来调用各种 API(例如 Graph)。

用户登录后,您必须获取令牌,有两种方法可以做到这一点:静默(如果失败,则使用重定向体验)。

但是,我无法使用这两种方法获取令牌:

export default class AuthService {
  constructor() {
    console.log('[AuthService.constructor] started constructor');

    this.app = new Msal.PublicClientApplication(msalConfig);
    this.signInType = 'loginRedirect';
  }

  init = async () => {
    console.log('[AuthService.init] started init');

    await this.app.handleRedirectPromise().catch(error => {
      console.log(error);
    });


    try {

      let signedInUser = this.app.getAllAccounts()[0];

      //  if no accounts, perform signin
      if (signedInUser === undefined) {
        alert(this.app.getAllAccounts().length == 0)
        await this.signIn();
        signedInUser = this.app.getAllAccounts()[0];
        console.log("user has been forced to sign in")
      }

      console.log("Signed in user is: ", signedInUser);

      // Acquire Graph token
      try {
        var graphToken = await this.app.acquireTokenSilent(authScopes.graphApi);
        console.log("(Silent) Graph token is ", graphToken);
        alert(graphToken);
      } catch (error) {
        alert("Error when using silent: " + error)
        try {
          var graphToken = await this.app.acquireTokenRedirect(authScopes.graphApi);
        } catch (error) {
          alert ("Error when using redirect is: " +  error)
        }

        alert("(Redirect) Graph token is " + graphToken);
      }

    } catch (error) {
      console.log('[AuthService.init] handleRedirectPromise error', error);
    }
  }

  signIn = async () => {
    console.log('[AuthService.signIn] signInType:', this.signInType);
    this.app.loginRedirect("user.read", "https://xxx.azurewebsites.net/user_impersonation");
  }

  signOut = () => {
    this.app.logout();
  }
}

加载 SPA 后,我将被重定向到 AAD 登录页面。

然后我收到以下警报提示:

Error when using silent: ClientAuthError: no_account_in_silent_request: Please pass an account object, silent flow is not supported without account information

Error when using redirect is: BrowserAuthError: interaction_in_progress: Interaction is currently in progress. Please ensure that this interaction has been completed before calling an interactive API.

(Redirect) Graph token is undefined

即使我已登录,为什么 acquireTokenSilent 认为我没有登录?

BrowserAuthError: interaction_in_progress 是什么意思?我在网上搜索了这个,我找到的唯一结果是因为有人使用了过时版本的 msal-browser。就我而言,我使用的是最新最好的 (v2.0.1)。


更新 1:

我已经使用以下代码摘录修复了我的静默令牌获取问题:

const silentRequest = {
  account: signedInUser,
  scopes: authScopes.graphApi.scopes1
}
var graphToken = await this.app.acquireTokenSilent(silentRequest);

看起来我以错误的格式传递了我的范围(即应该传递一个数组,但它实际上不是一个数组!)

但是 Microsoft 文档中关于如何使用 acquireTokenSilent

存在差异

here, we're told to just pass in a set of scopes to the acquireTokenSilent method. However, over here 上,我们被告知还要将 accountInfo 与范围一起传递。

让我们看看我现在是否可以 acquireTokenRedirect 工作...


更新二: 经过反复试验,我终于 acquireTokenRedirect 工作了。

import * as Msal from '@azure/msal-browser';

const msalConfig = {
  auth: {
    clientId:    "XYZ",
    authority:   "ABC",
  },
  cache: {
    cacheLocation: 'localStorage',
    storeAuthStateInCookie: true
  }
};

export default class AuthenticationService {

  constructor() {

    this.app = new Msal.PublicClientApplication(msalConfig)
  }

  init = async () => {

    try {
      let tokenResponse = await this.app.handleRedirectPromise();

      let accountObj;
      if (tokenResponse) {
        accountObj = tokenResponse.account;
      } else {
        accountObj = this.app.getAllAccounts()[0];
      }

      if (accountObj && tokenResponse) {
        console.log("[AuthService.init] Got valid accountObj and tokenResponse")
      } else if (accountObj) {
        console.log("[AuthService.init] User has logged in, but no tokens.");
        try {
          tokenResponse = await this.app.acquireTokenSilent({
            account: this.app.getAllAccounts()[0],
            scopes: ["user.read"]
          })
        } catch(err) {
          await this.app.acquireTokenRedirect({scopes: ["user.read"]});
        }
      } else {
        console.log("[AuthService.init] No accountObject or tokenResponse present. User must now login.");
        await this.app.loginRedirect({scopes: ["user.read"]})
      }
    } catch (error) {
      console.error("[AuthService.init] Failed to handleRedirectPromise()", error)
    }

  }

}

检查您在 Azure AD 中的应用程序注册。

MSAL v2 需要迁移 RedirectURI。

Azure AD warning: This app has implicit grant settings enabled. If you are using any of these URIs in a SPA with MSAL.js 2.0, you should migrate URIs.

Migrate URI Message: The latest version of MSAL.js uses the authorization code flow with PKCE and CORS.

不得不经历一些试验和错误,但最终 acquireTokenRedirect 工作成功,这是可能对其他人有帮助的摘录:

import * as Msal from '@azure/msal-browser';

const msalConfig = {
  auth: {
    clientId:    "XYZ",
    authority:   "ABC",
  },
  cache: {
    cacheLocation: 'localStorage',
    storeAuthStateInCookie: true
  }
};

export default class AuthenticationService {

  constructor() {

    this.app = new Msal.PublicClientApplication(msalConfig)
  }

  init = async () => {

    try {
      let tokenResponse = await this.app.handleRedirectPromise();

      let accountObj;
      if (tokenResponse) {
        accountObj = tokenResponse.account;
      } else {
        accountObj = this.app.getAllAccounts()[0];
      }

      if (accountObj && tokenResponse) {
        console.log("[AuthService.init] Got valid accountObj and tokenResponse")
      } else if (accountObj) {
        console.log("[AuthService.init] User has logged in, but no tokens.");
        try {
          tokenResponse = await this.app.acquireTokenSilent({
            account: this.app.getAllAccounts()[0],
            scopes: ["user.read"]
          })
        } catch(err) {
          await this.app.acquireTokenRedirect({scopes: ["user.read"]});
        }
      } else {
        console.log("[AuthService.init] No accountObject or tokenResponse present. User must now login.");
        await this.app.loginRedirect({scopes: ["user.read"]})
      }
    } catch (error) {
      console.error("[AuthService.init] Failed to handleRedirectPromise()", error)
    }

  }

}