Question

我正在建立一个需要访问我们客户的应用程序＆＃39; Office 365 Management Activities。我已按照this Azure Active Directory概述中列出的步骤操作，并且能够使用OAuth代码获取初始访问令牌，并使用此令牌设置O365订阅。

但是，当我使用初始令牌提供的refresh_token获取新的访问令牌时，我收到以下错误：

{＆＃34; error_description＆＃34;：＆＃34; AADSTS65001：用户或管理员未同意使用ID为＆＃;; 8f72f805-dfd2-428d-8b0e-771a98d26c16＆＃39;的应用程序。发送此用户和资源的交互式授权请求。\ r \ nTrace ID：df229c3f-8f28-420b-9ac3-321ab1b2ad09 \ r \ n相关ID：0e0f2bcb-4b19-458a-8556-2a6d4e51379f \ r \ n时间戳：2016-10- 03 17:33:20Z＆＃34;，＆＃34;错误＆＃34;：＆＃34; invalid_grant＆＃34;}

由于我能够获取并使用初始访问令牌，因此我非常确定用户正在授予我的应用某些权限。为了使用刷新令牌获取新的访问令牌，是否需要特定权限？

修改具体来说，我使用com.microsoft.azure::adal4j java package，AuthenticationContext类，acquireTokenByAuthorizationCode和acquireTokenByRefreshToken方法：

public class AzureProvisioner {
    private final AuthenticationContext authService = new AuthenticationContext(
            "https://login.windows.net/common/oauth2/token", true, Executors.newSingleThreadExecutor());
    private final ClientCredential clientCredential = new ClientCredential("azureAppId", "azureAppSecret");
    public static final String resource = "https://manage.office.com";
    // Internal implementation of REST interface; Microsoft didn't provide a Java Library
    final Office365ManagementApi managementApi;

    public void acquireToken(final String authCode, final URI redirectUri) {
        final AuthenticationResult authResult = authService.acquireTokenByAuthorizationCode(
                authCode, redirectUri, clientCredential, resource, null).get()
        // internal library code, gets the "tid" field from parsing the JWT token
        final String tenantId = JwtAccessToken.fromToken(authResult.getAccessToken()).getTid();

        // works
        createInitialSubscription(customerId, authResult.getAccessToken(), tenantId);

        // throws an error
        final AuthenticationResult refreshResult = authService.acquireTokenByRefreshToken(
                authResult.getRefreshToken(), clientCredential, null).get();
    }

    private void createInitialSubscription(final String accessToken, final String tenantId) {
        final String authHeader = "Authorization: Bearer " + accessToken;
        final String contentType = "Audit.AzureActiveDirectory";
        // internal implementation
        final CreateWebhookRequest requestBody = new CreateWebhookRequest();
        managementApi.createSubscription(authHeader, tenantId, contentType, requestBody);
    }
}

相同的代码，没有任何外部依赖关系，对我来说也不起作用：

public class AzureProvisioner {
    private final AuthenticationContext authService = new AuthenticationContext(
            "https://login.windows.net/common/oauth2/token", true, Executors.newSingleThreadExecutor());
    private final ClientCredential clientCredential = new ClientCredential("8f72f805-dfd2-428d-8b0e-771a98d26c16", "secret");
    public final String resource = "https://manage.office.com";
    private URI redirectUri = new URI("https://localhost");

    private static final String oAuthUrl = "https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=8f72f805-dfd2-428d-8b0e-771a98d26c16&resource=https%3A%2F%2Fmanage.office.com&redirect_uri=https%3A%2F%2Flocalhost";

    public AzureProvisioner() throws Exception {
        // do nothing
    }

    public static void main(String... args) throws Exception {
        final String authCode = "AQABAAAAAADRNYRQ3dhRSrm...";
        new AzureProvisioner().acquireToken(authCode);
    }

    public void acquireToken(final String authCode) throws Exception {
        final AuthenticationResult authResult = authService.acquireTokenByAuthorizationCode(
                authCode, redirectUri, clientCredential, resource, null).get();
        System.out.println(authResult.getAccessToken());

        // throws an error
        final AuthenticationResult refreshResult = authService.acquireTokenByRefreshToken(
                authResult.getRefreshToken(), clientCredential, resource, null).get();
        System.out.println(refreshResult.getAccessToken());
    }
}

使用代理，我记录了https刷新请求：

Method: POST
Protocol-Version: HTTP/1.1
Protocol: https
Host: login.windows.net
File: /common/oauth2/token
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-Length: 876

refresh_token={token}
&resource=https%3A%2F%2Fmanage.office.com
&grant_type=refresh_token
&scope=openid
&client_secret={secret}
&client_id=8f72f805-dfd2-428d-8b0e-771a98d26c16

Answer 1

事实证明，根问题在于我的应用程序权限。在My Application > Settings > Required Permissions > Office 365 Management APIs下，我选择了“应用程序权限”，我需要选择“委托权限”。交换它们后，我的代码立即开始按预期工作。

Answer 2

ADAL自动且透明地使用存储的刷新令牌，您不需要执行任何显式操作。由于遗留原因，AcquireTOkenByRefreshToken位于ADAL表面，已从版本3.x中删除。 http://www.cloudidentity.com/blog/2015/08/13/adal-3-didnt-return-refresh-tokens-for-5-months-and-nobody-noticed/

的更多背景信息

Azure：无法使用RefreshToken获取新的AccessToken

2 个答案: