Question
I have created an Azure AD Mobile and desktop application. Now I am getting my access_token using the following API:
POST https://login.microsoftonline.com/{Directory (tenant) ID}/oauth2/token
password: pass
client_id: id
resource: https://graph.microsoft.com
grant_type: password
client_secret: secret
username: userName
scope: openid
The response looks like: "access_token": "accessToken", "refresh_token": "refreshToken", "id_token": "id_token".
Now I am passing the access_token to a third-party application which is configured with the same Azure AD client. When that third-party application tries to validate the signature, the operation fails. Then I got to know it's because of the nonce, which is present only for Microsoft Graph APIs. Now how do I remove it, or make my access_token compliant for signature verification?
Answer 1:
You need to create another Azure AD application that represents the web API, and then use your client application to call the web API application.
First, you need to expose the API of the application representing the web API; you can configure it according to the following process:
Azure portal > App registrations > Expose an API > Add a scope > Add a client application
Next, you need to define the manifest of the API application and grant application permissions to your client application (these are the role permissions you define yourself; you can find them under My APIs when you add permissions).
This is the process of defining the manifest.
This is to grant permissions for the client application:
Finally, you can request a token for your API application (note that the resource parameter is no longer the Microsoft Graph API; it is the client ID of your API application, and your custom role permissions are in the manifest).
Update:
For application permissions only, the ROPC flow is generally not recommended. It is recommended that you use the client credentials flow based on the v2.0 endpoint. When using the v2.0 endpoint, resource is no longer used as a parameter; scope is used instead, but their function is the same. (Please note that the scope parameter looks like this: api://a13b414b-93b3-4aae-bb-xxxxxxxxx/.default).
Parse the token and you will see the customized app Roles.
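The following is an added example, not code from the question or the answer above, showing what the third-party (web API) side of this setup does with a token once it is issued for the API application rather than for Microsoft Graph: it picks the signing key by kid from the issuer's published JWKS, verifies the RS256 signature, and then enforces audience (the API app's client ID), issuer, expiry and the app role defined in the manifest. It runs offline using Go's standard library only: the RSA key is generated locally as a constructed test key, MintToken stands in for the Azure AD token endpoint, and `<api-app-client-id>`, `<issuer>`, `test-kid` and the role name `Data.Read` are placeholders. A real validator instead fetches the JWKS from the tenant's jwks_uri (advertised in the OpenID Connect discovery document) and refreshes it when an unknown kid appears.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK holds the kid, n and e members of an RSA key as published at the issuer's jwks_uri.
type JWK struct{ Kid, N, E string }

// Claims the API enforces: audience, issuer, expiry and the app roles from the manifest.
type Claims struct {
	Aud   string   `json:"aud"`
	Iss   string   `json:"iss"`
	Exp   int64    `json:"exp"`
	Roles []string `json:"roles"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintToken stands in for the Azure AD token endpoint so the example runs offline;
// a relying party never holds the issuer's private key.
func MintToken(priv *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64(sig)
}

// PublicJWKS exports the public half the way a jwks_uri document carries it.
func PublicJWKS(priv *rsa.PrivateKey, kid string) []JWK {
	e := big.NewInt(int64(priv.PublicKey.E)).Bytes()
	return []JWK{{Kid: kid, N: b64(priv.PublicKey.N.Bytes()), E: b64(e)}}
}

// ValidateToken is the third-party API's side: pick the signing key by kid, verify the
// RS256 signature, then enforce audience, issuer, expiry and the required app role.
func ValidateToken(tok string, keys []JWK, wantAud, wantIss, wantRole string, now int64) (Claims, error) {
	var c Claims
	var hdr struct{ Alg, Kid string }
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return c, errors.New("not a compact JWS")
	}
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "RS256" {
		return c, errors.New("malformed header or unsupported alg") // never honour alg=none
	}
	var pub *rsa.PublicKey
	for _, k := range keys {
		if k.Kid == hdr.Kid {
			nb, _ := base64.RawURLEncoding.DecodeString(k.N)
			eb, _ := base64.RawURLEncoding.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
		}
	}
	if pub == nil {
		return c, errors.New("no published key matches kid")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return c, errors.New("signature verification failed")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(body, &c) != nil {
		return c, errors.New("malformed payload")
	}
	switch {
	case c.Aud != wantAud: // a token minted for https://graph.microsoft.com is not ours
		return c, fmt.Errorf("audience %q is not this API", c.Aud)
	case c.Iss != wantIss || now >= c.Exp:
		return c, errors.New("wrong issuer or token expired")
	}
	for _, r := range c.Roles {
		if r == wantRole {
			return c, nil
		}
	}
	return c, fmt.Errorf("required app role %q missing", wantRole)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed test key, not a tenant key
	keys, now := PublicJWKS(priv, "test-kid"), time.Now().Unix()
	tok := MintToken(priv, "test-kid", Claims{Aud: "<api-app-client-id>", Iss: "<issuer>", Exp: now + 3600, Roles: []string{"Data.Read"}})
	_, err := ValidateToken(tok, keys, "<api-app-client-id>", "<issuer>", "Data.Read", now)
	fmt.Println("accepted:", err == nil)
}
```

The audience check is what the answer's design relies on: a token requested with resource = Microsoft Graph carries aud https://graph.microsoft.com and is rejected outright, whereas a token requested for the API application's client ID (or, on v2.0, scope api://<app-id>/.default) passes and exposes the custom roles claim the API authorizes on.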
Source: https://stackoverflow.com/questions/63410297/how-to-make-azure-ad-access-token-compliant-for-its-signature-validation-outside