OAuth Authentication Token fails in PowerShell but not in Postman
I have the following logic in my PowerShell script that attempts to get an auth/bearer token:
$token = curl --location --request POST 'https://login.microsoftonline.com/$TENANT_ID/oauth2/v2.0/token' `
--form 'grant_type=client_credentials' `
--form 'client_secret=$DEPLOYMENT_CLIENT_SECRET' `
--form 'client_id=$DEPLOYMENT_CLIENT_ID' `
--form 'resource=https://management.azure.com'
The error I see:
PS /workspaces/testproject> ./curltest.ps1
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 981 100 419 100 562 1557 2089 --:--:-- --:--:-- --:--:-- 3646
===========
{"error":"invalid_request","error_description":"AADSTS901002: The 'resource' request parameter is not supported.\r\nTrace ID: 5b54cd7f-6b2d-40fc-9122-7b3c26a56600\r\nCorrelation ID: asdf-asdf-asdf-asdf-\r\nTimestamp: 2022-05-04 19:22:06Z","error_codes":[901002],"timestamp":"2022-05-04 19:22:06Z","trace_id":"asdf-asdf-asdf-","correlation_id":"asdf-asdf-asdf-asdf-asdf"}
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0^C
So I removed the resource, like this:
$token = curl --location --request POST 'https://login.microsoftonline.com/$TENANT_ID/oauth2/v2.0/token' `
--form 'grant_type=client_credentials' `
--form 'client_secret=$DEPLOYMENT_CLIENT_SECRET' `
--form 'client_id=$DEPLOYMENT_CLIENT_ID'
#--form 'resource=https://management.azure.com'
But the error I now see is this:
PS /workspaces/testproject> ./curltest.ps1
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1000 100 563 100 437 2025 1571 --:--:-- --:--:-- --:--:-- 3597
===========
{"error":"invalid_request","error_description":"AADSTS90014: The required field 'scope' is missing from the credential. Ensure that you have all the necessary parameters for the login request.\r\nTrace ID: asdf-asdf-asdf-asdf-asdf\r\nCorrelation ID: asdf-asdf-asdf-asdf-asdf\r\nTimestamp: 2022-05-04 19:23:11Z","error_codes":[90014],"timestamp":"2022-05-04 19:23:11Z","trace_id":"asdf-asdf-asdf-asdf","correlation_id":"asdf-asdf-asdf-asdf","error_uri":"https://login.microsoftonline.com/error?code=90014"}
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0^C
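In Postman, I can do this:
I can add/remove the resource parameter. Either way, I get a token. The tenant ID, client ID, and client secret all match those used in the PowerShell script.
If I plug the token generated with Postman into the script and use it to curl a GET call to my own Azure fn, it works.
I'm sure I'm missing something simple. Any help would be appreciated.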
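The reason you're having success in Postman is that you're using 2 different endpoints.
In Postman, you're using the v1 endpoint, https://login.microsoftonline.com/{tenant_id}/oauth2/token
In PowerShell, you're using the v2 endpoint, https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token
It looks like v2 replaced the resource parameter with scope.
Try replacing your resource parameter with scope = "https://management.azure.com/.default"
I was able to get a token using Invoke-RestMethod: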
$params = @{
    Uri    = "https://login.microsoftonline.com/$($tenant_id)/oauth2/v2.0/token"
    Method = "POST"
    Body   = @{
        client_id     = $client_id
        client_secret = $client_secret
        grant_type    = "client_credentials"
        scope         = "https://management.azure.com/.default"
    }
}
$connection = Invoke-RestMethod @params
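The v1/v2 difference described in the answer above, as an added example that is not part of the original posts: one request builder that sends `resource` to the v1 endpoint and `scope` to the v2 endpoint, plus a helper that maps the two error codes shown in the question to their cause. The function names are hypothetical, and reading the credentials from environment variables named like the question's variables is an assumption.

```powershell
# Added example: hypothetical helper names; error codes are the two shown on this page.
function New-TokenRequest {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$ClientSecret,
        [string]$Resource = 'https://management.azure.com',
        [ValidateSet('v1', 'v2')][string]$EndpointVersion = 'v2'
    )
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
    }
    if ($EndpointVersion -eq 'v1') {
        # v1 endpoint: the target API is named with 'resource'
        $path = 'oauth2/token'
        $body.resource = $Resource
    } else {
        # v2 endpoint: 'resource' is rejected (AADSTS901002); send 'scope' as <resource>/.default
        $path = 'oauth2/v2.0/token'
        $body.scope = $Resource.TrimEnd('/') + '/.default'
    }
    # Double quotes so PowerShell expands the tenant ID into the URL
    @{ Uri = "https://login.microsoftonline.com/$TenantId/$path"; Method = 'POST'; Body = $body }
}

function Get-TokenErrorHint {
    param([Parameter(Mandatory)][string]$ErrorJson)
    $codes = ($ErrorJson | ConvertFrom-Json).error_codes
    if ($codes -contains 901002) { return "v2 endpoint received 'resource'; send 'scope' instead" }
    if ($codes -contains 90014)  { return "v2 endpoint received no 'scope'; add '<resource>/.default'" }
    return 'unrecognized error; read error_description'
}

# Offline check with constructed placeholder values (no request is sent)
$req = New-TokenRequest -TenantId 'TENANT-PLACEHOLDER' -ClientId 'CLIENT-PLACEHOLDER' -ClientSecret 'SECRET-PLACEHOLDER'
$req.Uri
$req.Body.Keys | Sort-Object
Get-TokenErrorHint -ErrorJson '{"error":"invalid_request","error_codes":[901002]}'

# Live call, only when the credentials are present in the environment (assumed variable names)
if ($env:TENANT_ID -and $env:DEPLOYMENT_CLIENT_ID -and $env:DEPLOYMENT_CLIENT_SECRET) {
    $live = New-TokenRequest -TenantId $env:TENANT_ID -ClientId $env:DEPLOYMENT_CLIENT_ID -ClientSecret $env:DEPLOYMENT_CLIENT_SECRET
    try { $token = (Invoke-RestMethod @live).access_token }
    catch { if ($_.ErrorDetails.Message) { Get-TokenErrorHint -ErrorJson $_.ErrorDetails.Message } else { throw } }
}
```

Passing the secret in the `Invoke-RestMethod` body keeps it out of the process command line, unlike the `curl --form` invocation in the question.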