发表新帖
发表新帖

Stuck between two errors in an Azure OAuth2 token request

后端 未结
关注
3 784
不知归路
不知归路 2021-01-04 18:25

I am implementing an OAuth2 provider for OWIN and Azure Active Director. FWIW, at this time the OpenId Connect option doesn\'t fit the requirements for this work.

I

相关标签:
3条回答
  • 暗喜
    2021-01-04 19:07

    Using the "openid" scope in the authorization request should trigger an OpenID Connect flow that would return an id_token and does not require a resource.

    0 讨论(0)
  • 梦谈多话
    2021-01-04 19:13

    I had the same problem, i just wanted to implement a user-login.

    After trying 1000 things (with this post amongst others) i found out that i can use the Microsoft.Azure.ActiveDirectory-id as resource paramter. On this way i don't have to create an second app.

    http://blogs.msdn.com/b/besidethepoint/archive/2012/10/23/getting-started-with-azure-active-directory.aspx

    nameValuePairs.add(new BasicNameValuePair("resource", "00000002-0000-0000-c000-000000000000"));

    and got the token

    UPDATE:

    the azure support suggested me to use https://graph.windows.net/ :

    nameValuePairs.add(new BasicNameValuePair("resource", "https://graph.windows.net/"));
    0 讨论(0)
  • 生来不讨喜
    2021-01-04 19:24

    OAuth deals with 4 parties: 1) resource owner aka user 2) resource app: usually a Web API that protects access to resources owner by the user 3) client app: a web app or mobile app or even another Web API that wants to access the resource on-behalf of the user 4) the authority: the secure token service that authenticates the user and/or the client app and issues a delegated access token to the client to access the resource.

    Your code is using the same identifier for the client app as well as the resource - essentially it is trying to request for an access token to access itself. It can be argued that this scenario should be allowed - but it isn't today by Azure AD.

    Please do the following: register a resource application in Azure AD. In its manifest add a new an appPermission (follow this post). Then, go to the client application configuration page and scroll to the bottom - in the 'Permissions to other applications' section, add the resource permission to the client applications list of "delegated permissions".

    Now, use the resource application's AppIDURI or ClientID in your OAuth request and stuff should work.

    Hope this helps.

    0 讨论(0)
 看不清?
提交回复
热议问题