Active Directory是否不支持PKCE的授权码流?

时间:2020-03-06 09:53:04

标签: oauth-2.0 active-directory azure-active-directory pkce

我尝试将当前推荐的授权代码流与PKCE结合使用,以从Active Directory收集访问令牌。客户将是公共Angular SPA,这就是选择流程的原因。

收集openid配置表AD以及用户的授权码效果很好。 但是我无法从以下端点请求访问令牌:

https://login.microsoftonline.com/{tenantId}/oauth2/token.

我试图在Postman中重构请求:

POST /7e8c2868-7490-4dd7-82b7-f5ec29222d30/oauth2/token HTTP/1.1
Host: login.microsoftonline.com
Accept: application/json, text/plain, */*
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache

grant_type=authorization_code
code=...
code_verifier=...
client_id=...
redirect_uri=...

...并最终显示以下消息:

{
  "error": "invalid_client",
  "error_description": "AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.\r\nTrace ID: ed0413ad-89f1-4a2b-8d68-e23498701800\r\nCorrelation ID: deb53b0d-5398-4f72-a9a5-6c0863547b99\r\nTimestamp: 2020-03-06 09:30:36Z",
  "error_codes": [
    7000218
  ],
  "timestamp": "2020-03-06 09:30:36Z",
  "trace_id": "ed0413ad-89f1-4a2b-8d68-e23498701800",
  "correlation_id": "deb53b0d-5398-4f72-a9a5-6c0863547b99",
  "error_uri": "https://login.microsoftonline.com/error?code=7000218"
}

这似乎很奇怪,因为带有PKCE的身份验证流的正式规范不需要client_secret或client_assertion。只有默认的身份验证流程才需要。

AD实施是否存在问题或配置错误?

Web客户端的清单如下:

{
  "id": "...",
  "acceptMappedClaims": null,
  "accessTokenAcceptedVersion": null, 
  "addIns": [],
  "allowPublicClient": true,
  "appId": "...",
  "appRoles": [],
  "oauth2AllowUrlPathMatching": false,
  "createdDateTime": "...",
  "groupMembershipClaims": null,
  "identifierUris": [],
  "informationalUrls": {
    "termsOfService": null,
    "support": null,
    "privacy": null,
    "marketing": null
  },
  "keyCredentials": [],
  "knownClientApplications": [],
  "logoUrl": null,
  "logoutUrl": null,
  "name": "...",
  "oauth2AllowIdTokenImplicitFlow": false,
  "oauth2AllowImplicitFlow": false,
  "oauth2Permissions": [],
  "oauth2RequirePostResponse": false,
  "optionalClaims": null,
  "orgRestrictions": [],
  "parentalControlSettings": {
    "countriesBlockedForMinors": [],
    "legalAgeGroupRule": "Allow"
  },
  "passwordCredentials": [],
  "preAuthorizedApplications": [],
  "publisherDomain": "...",
  "replyUrlsWithType": [
    {
        "url": "http://localhost:4200",
        "type": "Web"
    }
  ],
  "requiredResourceAccess": [
    {
        "resourceAppId": "00000003-0000-0000-c000-000000000000",
        "resourceAccess": [
            {
                "id": "...",
                "type": "Scope"
            }
        ]
    }
  ],
  "samlMetadataUrl": null,
  "signInUrl": null,
  "signInAudience": "AzureADMyOrg",
  "tags": [],
  "tokenEncryptionKeyId": null
}

我的应用程序已在AD中注册为公共应用程序。

在此之前发送的身份验证请求如下所示:

GET /.../oauth2/authorize
  response_type=code
  &client_id=...
  &state=...
  &redirect_uri=http%3A%2F%2Flocalhost%3A4200
  &scope=openid%20user_impersonation%20offline_access
  &code_challenge=...
  &code_challenge_method=...
  &nonce=...

Host: login.microsoftonline.com

1 个答案:

答案 0 :(得分:4)

我刚刚在@azure/msal-browser包中找到了答案。目前,Azure AD似乎正在努力支持此身份验证流。要激活它,您必须为重定向网址设置新的类型,它们是最近添加的。

要将授权代码流与PKCE和Azure Active Directory结合使用,您需要:

  1. 设置将网络平台添加到您的azure广告应用程序中,并添加重定向网址。
  2. 将这些重定向网址的类型从“ Web”更改为“ Spa”。这必须在清单中完成。 更改它会使网址从“身份验证”页面中消失。但这没关系,因为它仍在清单中。
  3. 将Web应用视为公共客户端(“身份验证”>“高级设置”>“默认客户端类型-'是”)。

现在令牌端点不再需要client_secretclient_assertion

相关问题
最新问题