无法使用 msal-browser 静默或通过重定向获取令牌
Unable to acquire token silently or via redirect using msal-browser
我正在尝试开发一个 VueJS 单页应用程序,它将您登录到 AAD,以便我可以获得访问令牌来调用各种 API(例如 Graph)。
用户登录后,您必须获取令牌,有两种方法可以做到这一点:静默(如果失败,则使用重定向体验)。
但是,我无法使用这两种方法获取令牌:
export default class AuthService {
constructor() {
console.log('[AuthService.constructor] started constructor');
this.app = new Msal.PublicClientApplication(msalConfig);
this.signInType = 'loginRedirect';
}
init = async () => {
console.log('[AuthService.init] started init');
await this.app.handleRedirectPromise().catch(error => {
console.log(error);
});
try {
let signedInUser = this.app.getAllAccounts()[0];
// if no accounts, perform signin
if (signedInUser === undefined) {
alert(this.app.getAllAccounts().length == 0)
await this.signIn();
signedInUser = this.app.getAllAccounts()[0];
console.log("user has been forced to sign in")
}
console.log("Signed in user is: ", signedInUser);
// Acquire Graph token
try {
var graphToken = await this.app.acquireTokenSilent(authScopes.graphApi);
console.log("(Silent) Graph token is ", graphToken);
alert(graphToken);
} catch (error) {
alert("Error when using silent: " + error)
try {
var graphToken = await this.app.acquireTokenRedirect(authScopes.graphApi);
} catch (error) {
alert ("Error when using redirect is: " + error)
}
alert("(Redirect) Graph token is " + graphToken);
}
} catch (error) {
console.log('[AuthService.init] handleRedirectPromise error', error);
}
}
signIn = async () => {
console.log('[AuthService.signIn] signInType:', this.signInType);
this.app.loginRedirect("user.read", "https://xxx.azurewebsites.net/user_impersonation");
}
signOut = () => {
this.app.logout();
}
}
加载 SPA 后,我将被重定向到 AAD 登录页面。
然后我收到以下警报提示:
Error when using silent: ClientAuthError: no_account_in_silent_request: Please pass an account object, silent flow is not supported without account information
Error when using redirect is: BrowserAuthError: interaction_in_progress: Interaction is currently in progress. Please ensure that this interaction has been completed before calling an interactive API.
(Redirect) Graph token is undefined
即使我已登录,为什么 acquireTokenSilent 认为我没有登录?
BrowserAuthError: interaction_in_progress 是什么意思?我在网上搜索了这个,我找到的唯一结果是因为有人使用了过时版本的 msal-browser。就我而言,我使用的是最新最好的 (v2.0.1)。
更新 1:
我已经使用以下代码摘录修复了我的静默令牌获取问题:
const silentRequest = {
account: signedInUser,
scopes: authScopes.graphApi.scopes1
}
var graphToken = await this.app.acquireTokenSilent(silentRequest);
看起来我以错误的格式传递了我的范围(即应该传递一个数组,但它实际上不是一个数组!)
但是 Microsoft 文档中关于如何使用 acquireTokenSilent
存在差异
在 here, we're told to just pass in a set of scopes to the acquireTokenSilent method. However, over here 上,我们被告知还要将 accountInfo 与范围一起传递。
让我们看看我现在是否可以 acquireTokenRedirect 工作...
更新二:
经过反复试验,我终于 acquireTokenRedirect 工作了。
import * as Msal from '@azure/msal-browser';
const msalConfig = {
auth: {
clientId: "XYZ",
authority: "ABC",
},
cache: {
cacheLocation: 'localStorage',
storeAuthStateInCookie: true
}
};
export default class AuthenticationService {
constructor() {
this.app = new Msal.PublicClientApplication(msalConfig)
}
init = async () => {
try {
let tokenResponse = await this.app.handleRedirectPromise();
let accountObj;
if (tokenResponse) {
accountObj = tokenResponse.account;
} else {
accountObj = this.app.getAllAccounts()[0];
}
if (accountObj && tokenResponse) {
console.log("[AuthService.init] Got valid accountObj and tokenResponse")
} else if (accountObj) {
console.log("[AuthService.init] User has logged in, but no tokens.");
try {
tokenResponse = await this.app.acquireTokenSilent({
account: this.app.getAllAccounts()[0],
scopes: ["user.read"]
})
} catch(err) {
await this.app.acquireTokenRedirect({scopes: ["user.read"]});
}
} else {
console.log("[AuthService.init] No accountObject or tokenResponse present. User must now login.");
await this.app.loginRedirect({scopes: ["user.read"]})
}
} catch (error) {
console.error("[AuthService.init] Failed to handleRedirectPromise()", error)
}
}
}
检查您在 Azure AD 中的应用程序注册。
MSAL v2 需要迁移 RedirectURI。
Azure AD warning: This app has implicit grant settings enabled. If you are using any of these URIs in a SPA with MSAL.js 2.0, you should migrate URIs.
Migrate URI Message: The latest version of MSAL.js uses the authorization code flow with PKCE and CORS.
不得不经历一些试验和错误,但最终 acquireTokenRedirect 工作成功,这是可能对其他人有帮助的摘录:
import * as Msal from '@azure/msal-browser';
const msalConfig = {
auth: {
clientId: "XYZ",
authority: "ABC",
},
cache: {
cacheLocation: 'localStorage',
storeAuthStateInCookie: true
}
};
export default class AuthenticationService {
constructor() {
this.app = new Msal.PublicClientApplication(msalConfig)
}
init = async () => {
try {
let tokenResponse = await this.app.handleRedirectPromise();
let accountObj;
if (tokenResponse) {
accountObj = tokenResponse.account;
} else {
accountObj = this.app.getAllAccounts()[0];
}
if (accountObj && tokenResponse) {
console.log("[AuthService.init] Got valid accountObj and tokenResponse")
} else if (accountObj) {
console.log("[AuthService.init] User has logged in, but no tokens.");
try {
tokenResponse = await this.app.acquireTokenSilent({
account: this.app.getAllAccounts()[0],
scopes: ["user.read"]
})
} catch(err) {
await this.app.acquireTokenRedirect({scopes: ["user.read"]});
}
} else {
console.log("[AuthService.init] No accountObject or tokenResponse present. User must now login.");
await this.app.loginRedirect({scopes: ["user.read"]})
}
} catch (error) {
console.error("[AuthService.init] Failed to handleRedirectPromise()", error)
}
}
}
我正在尝试开发一个 VueJS 单页应用程序,它将您登录到 AAD,以便我可以获得访问令牌来调用各种 API(例如 Graph)。
用户登录后,您必须获取令牌,有两种方法可以做到这一点:静默(如果失败,则使用重定向体验)。
但是,我无法使用这两种方法获取令牌:
export default class AuthService {
constructor() {
console.log('[AuthService.constructor] started constructor');
this.app = new Msal.PublicClientApplication(msalConfig);
this.signInType = 'loginRedirect';
}
init = async () => {
console.log('[AuthService.init] started init');
await this.app.handleRedirectPromise().catch(error => {
console.log(error);
});
try {
let signedInUser = this.app.getAllAccounts()[0];
// if no accounts, perform signin
if (signedInUser === undefined) {
alert(this.app.getAllAccounts().length == 0)
await this.signIn();
signedInUser = this.app.getAllAccounts()[0];
console.log("user has been forced to sign in")
}
console.log("Signed in user is: ", signedInUser);
// Acquire Graph token
try {
var graphToken = await this.app.acquireTokenSilent(authScopes.graphApi);
console.log("(Silent) Graph token is ", graphToken);
alert(graphToken);
} catch (error) {
alert("Error when using silent: " + error)
try {
var graphToken = await this.app.acquireTokenRedirect(authScopes.graphApi);
} catch (error) {
alert ("Error when using redirect is: " + error)
}
alert("(Redirect) Graph token is " + graphToken);
}
} catch (error) {
console.log('[AuthService.init] handleRedirectPromise error', error);
}
}
signIn = async () => {
console.log('[AuthService.signIn] signInType:', this.signInType);
this.app.loginRedirect("user.read", "https://xxx.azurewebsites.net/user_impersonation");
}
signOut = () => {
this.app.logout();
}
}
加载 SPA 后,我将被重定向到 AAD 登录页面。
然后我收到以下警报提示:
Error when using silent: ClientAuthError: no_account_in_silent_request: Please pass an account object, silent flow is not supported without account information
Error when using redirect is: BrowserAuthError: interaction_in_progress: Interaction is currently in progress. Please ensure that this interaction has been completed before calling an interactive API.
(Redirect) Graph token is undefined
即使我已登录,为什么 acquireTokenSilent 认为我没有登录?
BrowserAuthError: interaction_in_progress 是什么意思?我在网上搜索了这个,我找到的唯一结果是因为有人使用了过时版本的 msal-browser。就我而言,我使用的是最新最好的 (v2.0.1)。
更新 1:
我已经使用以下代码摘录修复了我的静默令牌获取问题:
const silentRequest = {
account: signedInUser,
scopes: authScopes.graphApi.scopes1
}
var graphToken = await this.app.acquireTokenSilent(silentRequest);
看起来我以错误的格式传递了我的范围(即应该传递一个数组,但它实际上不是一个数组!)
但是 Microsoft 文档中关于如何使用 acquireTokenSilent
在 here, we're told to just pass in a set of scopes to the acquireTokenSilent method. However, over here 上,我们被告知还要将 accountInfo 与范围一起传递。
让我们看看我现在是否可以 acquireTokenRedirect 工作...
更新二:
经过反复试验,我终于 acquireTokenRedirect 工作了。
import * as Msal from '@azure/msal-browser';
const msalConfig = {
auth: {
clientId: "XYZ",
authority: "ABC",
},
cache: {
cacheLocation: 'localStorage',
storeAuthStateInCookie: true
}
};
export default class AuthenticationService {
constructor() {
this.app = new Msal.PublicClientApplication(msalConfig)
}
init = async () => {
try {
let tokenResponse = await this.app.handleRedirectPromise();
let accountObj;
if (tokenResponse) {
accountObj = tokenResponse.account;
} else {
accountObj = this.app.getAllAccounts()[0];
}
if (accountObj && tokenResponse) {
console.log("[AuthService.init] Got valid accountObj and tokenResponse")
} else if (accountObj) {
console.log("[AuthService.init] User has logged in, but no tokens.");
try {
tokenResponse = await this.app.acquireTokenSilent({
account: this.app.getAllAccounts()[0],
scopes: ["user.read"]
})
} catch(err) {
await this.app.acquireTokenRedirect({scopes: ["user.read"]});
}
} else {
console.log("[AuthService.init] No accountObject or tokenResponse present. User must now login.");
await this.app.loginRedirect({scopes: ["user.read"]})
}
} catch (error) {
console.error("[AuthService.init] Failed to handleRedirectPromise()", error)
}
}
}
检查您在 Azure AD 中的应用程序注册。
MSAL v2 需要迁移 RedirectURI。
Azure AD warning: This app has implicit grant settings enabled. If you are using any of these URIs in a SPA with MSAL.js 2.0, you should migrate URIs.
Migrate URI Message: The latest version of MSAL.js uses the authorization code flow with PKCE and CORS.
不得不经历一些试验和错误,但最终 acquireTokenRedirect 工作成功,这是可能对其他人有帮助的摘录:
import * as Msal from '@azure/msal-browser';
const msalConfig = {
auth: {
clientId: "XYZ",
authority: "ABC",
},
cache: {
cacheLocation: 'localStorage',
storeAuthStateInCookie: true
}
};
export default class AuthenticationService {
constructor() {
this.app = new Msal.PublicClientApplication(msalConfig)
}
init = async () => {
try {
let tokenResponse = await this.app.handleRedirectPromise();
let accountObj;
if (tokenResponse) {
accountObj = tokenResponse.account;
} else {
accountObj = this.app.getAllAccounts()[0];
}
if (accountObj && tokenResponse) {
console.log("[AuthService.init] Got valid accountObj and tokenResponse")
} else if (accountObj) {
console.log("[AuthService.init] User has logged in, but no tokens.");
try {
tokenResponse = await this.app.acquireTokenSilent({
account: this.app.getAllAccounts()[0],
scopes: ["user.read"]
})
} catch(err) {
await this.app.acquireTokenRedirect({scopes: ["user.read"]});
}
} else {
console.log("[AuthService.init] No accountObject or tokenResponse present. User must now login.");
await this.app.loginRedirect({scopes: ["user.read"]})
}
} catch (error) {
console.error("[AuthService.init] Failed to handleRedirectPromise()", error)
}
}
}