Reading this doc, you must register your application with the Application Registration Portal. Also, according to this doc, you need the Application ID URI to specify the scope parameter, and the tenant_id for the aud parameter, in order to generate the JWT. The question is: where can I find this information?
I tried these without success:
scope : api://0adaa814-c4d4-4c09-ae8e-dd0535e9e931/.default
aud : https://login.microsoftonline.com/mldijon.onmicrosoft.com/v2.0/oauth2/token
For more information: when I try to get a token, I get this error:
AADSTS50059: No tenant-identifying information found in either the request or implied by any provided credentials.
Here is the POST request I made:
POST /common/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Postman-Token: 888bf937-31b4-166b-4d8d-339cd05e21ea
client_id=256e411c-bf42-4634-abaa-a7feafe6698a&scope=api%3A%2F%2F256e411c-bf42-4634-abaa-a7feafe6698a%2F.default&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=eyJ4NXQiOiJKemdVM09ycWlqZVBFVjRGMlZLd3NFYW0rekk9IiwiYWxnIjoiUlMyNTYiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiIyNTZlNDExYy1iZjQyLTQ2MzQtYWJhYS1hN2ZlYWZlNjY5OGEiLCJhdWQiOiJodHRwczpcL1wvbG9naW4ubWljcm9zb2Z0b25saW5lLmNvbVwvbWxkaWpvbi5vbm1pY3Jvc29mdC5jb21cL29hdXRoMlwvdG9rZW4iLCJzdWIiOiIyNTZlNDExYy1iZjQyLTQ2MzQtYWJhYS1hN2ZlYWZlNjY5OGEiLCJleHAiOjE1MTEyNzI0MjYsImlhdCI6MTUxMTI2ODgyNiwibmJmIjoxNTExMjY4ODI2fQ.ZurlKZQ34FNPYLrAujzN6QOkZ9iufJMwVpkMU_gk53UOQqNk-Y_pFOf-OwwGRg9wCnfU46xZt2TiGj_3zLhHxsawg6VeI-tbt62onBiBfJCtTUXpedK23PLS0td7ss2oU7yziRmHDrGe3ZPmpMChnom2iLUNoZiZeAWgzdV47HGid7IJ8Je0fOglsvGvKLjRqC6Y5jJ2kaY6KDd8dhN4UgJjM-HoeGKYtNQ5dz9C8lPDD9_stejfkzDUtvCrFyOY9Cn5TmqZe-LxFW4i7imvriIQHRK1F30j7iWLDoB3aI9WN5Y0dTBl8_8bq83HE9fK5hWFmibt1zY4pclSGm8UNg&grant_type=client_credentials
Answer 0 (score: 1)
You should follow the instructions here to get an access token for Microsoft Graph.
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_overview
// Line breaks for legibility only
POST /common/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=user.read%20mail.read
&code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&grant_type=authorization_code
&client_secret=JqQX2PNo9bpM0uEihUPzyrh // NOTE: Only required for web apps
Note the following points:
The aud value is implicitly https://graph.microsoft.com.
The scope value is one or more of the permissions defined by Microsoft Graph. Now, the code above is specifically for user sign-in. There is a section on getting an access token without a user: Get access without a user
It follows this pattern:
// Line breaks are for legibility only.
POST /{tenant}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=535fb089-9ff3-47b6-9bfb-4f1264799865
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret=qWgdYAmab0YSkuL1qKv5bPX
&grant_type=client_credentials
Note that the token URL contains {tenant} instead of common. This is because when you get a token without a user, you must specify the tenant endpoint you are trying to access. When a user is present, we try to discover the tenant endpoint automatically, which is what the common endpoint does.
Let me know if this solves your problem.
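As an added example that is not part of the original question or answer, the following Python script builds the client-credentials request in the pattern the answer describes (tenant-specific token URL, scope https://graph.microsoft.com/.default, client_secret, grant_type=client_credentials), refuses the common endpoint for that flow since it carries no tenant identification, and decodes the aud claim of a returned access token for inspection. The tenant name, client_id, client_secret and the sample token are constructed placeholders; the actual POST is isolated in request_token so everything else runs offline.

```python
"""Client-credentials token request for Microsoft Graph (v2.0 endpoint).

Added example, not code from the original post. Tenant, client_id,
client_secret and SAMPLE_ACCESS_TOKEN below are constructed placeholders.
"""
import base64
import json
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"
GRAPH_AUDIENCE = "https://graph.microsoft.com"


def token_endpoint(tenant: str) -> str:
    """Return the v2.0 token endpoint for an explicit tenant.

    For client_credentials there is no signed-in user from which the tenant
    can be discovered, so the multi-tenant aliases (common, organizations,
    consumers) are rejected; pass the tenant ID GUID or a verified domain
    such as contoso.onmicrosoft.com instead.
    """
    name = tenant.strip().lower()
    if name in ("", "common", "organizations", "consumers"):
        raise ValueError(
            f"tenant {tenant!r} is not tenant-identifying; "
            "use the tenant ID or a verified domain name"
        )
    return f"{AUTHORITY}/{name}/oauth2/v2.0/token"


def build_client_credentials_request(tenant: str, client_id: str,
                                     client_secret: str,
                                     scope: str = GRAPH_DEFAULT_SCOPE):
    """Build (url, headers, body) matching the pattern in the answer."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "scope": scope,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return token_endpoint(tenant), headers, body


def request_token(tenant: str, client_id: str, client_secret: str) -> dict:
    """Perform the POST and return the parsed JSON response (network call)."""
    url, headers, body = build_client_credentials_request(
        tenant, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode("ascii"),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT verifying the signature.

    Suitable for inspecting which audience a token was issued for; never use
    an unverified payload to make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def is_graph_token(token: str) -> bool:
    """True if the token's aud is the Graph audience the answer describes."""
    return jwt_claims(token).get("aud") == GRAPH_AUDIENCE


# Constructed sample access token (fake signature) for offline inspection.
SAMPLE_ACCESS_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps({
        "aud": GRAPH_AUDIENCE,
        "appid": "535fb089-9ff3-47b6-9bfb-4f1264799865",
        "roles": ["User.Read.All"],
    }).encode()),
    _b64url_encode(b"not-a-real-signature"),
])


if __name__ == "__main__":
    url, _, body = build_client_credentials_request(
        "contoso.onmicrosoft.com",
        "535fb089-9ff3-47b6-9bfb-4f1264799865",
        "qWgdYAmab0YSkuL1qKv5bPX")
    print("POST", url)
    print(body)
    print("aud of sample token:", jwt_claims(SAMPLE_ACCESS_TOKEN)["aud"])
```

If token_endpoint is called with common, the request is never sent; that is the same condition the original question hit (AADSTS50059) by posting to /common with a client assertion. To reproduce the question's certificate-based variant, replace the client_secret field with client_assertion_type and client_assertion, keeping the tenant-specific URL.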