I am using the adal node js library 1.22 and trying to authenticate a user with a username and password. I get an "unable to get local issuer certificate" error. The user is federated, and the error happens during domain discovery.
var AuthenticationContext = require('adal-node').AuthenticationContext;

var context = new AuthenticationContext(authorityUrl);
context.acquireTokenWithUsernamePassword(resource, sampleParameters.username, sampleParameters.password, sampleParameters.clientId, function(err, tokenResponse) {
  if (err) {
    console.log('well that didn\'t work: ' + err.stack);
  } else {
    console.log(tokenResponse);
  }
});
Error stack:

Stack:
Error: unable to get local issuer certificate
    at Error (native)
    at TLSSocket.<anonymous> (_tls_wrap.js:1092:38)
    at emitNone (events.js:86:13)
    at TLSSocket.emit (events.js:185:7)
    at TLSSocket._finishInit (_tls_wrap.js:610:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:440:38)
{ Error: unable to get local issuer certificate
    at Error (native)
    at TLSSocket.<anonymous> (_tls_wrap.js:1092:38)
    at emitNone (events.js:86:13)
    at TLSSocket.emit (events.js:185:7)
    at TLSSocket._finishInit (_tls_wrap.js:610:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:440:38) code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY' }
Wed, 14 Jun 2017 08:44:17 GMT:079c7b70-6ae1-461c-b433-cc3fe0c22783 - TokenRequest: VERBOSE: getTokenFunc returned with err
well that didn't work: Error: unable to get local issuer certificate
    at Error (native)
    at TLSSocket.<anonymous> (_tls_wrap.js:1092:38)
    at emitNone (events.js:86:13)
    at TLSSocket.emit (events.js:185:7)
    at TLSSocket._finishInit (_tls_wrap.js:610:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:440:38)
Could you tell me which certificate is missing and where to find it?

EDIT

After digging through the code, I found that commenting out the global agent.ca part of the code got past this problem, and the library was then able to run a few more steps, but it ran into a problem when the token response came back from ADFS. Log:
Wed, 14 Jun 2017 10:39:39 GMT:425e3117-a495-4f8e-8a12-e7e64dd0e37b - OAuth2Client: INFO: Get TokenServer returned this correlationId: 425e3117-a495-4f8e-8a12-e7e64dd0e37b
Wed, 14 Jun 2017 10:39:39 GMT:425e3117-a495-4f8e-8a12-e7e64dd0e37b - OAuth2Client: ERROR: Get Token request returned http error: 401 and server response: {"error":"invalid_client","error_description":"AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'.\r\nTrace ID: aadf1560-18ec-46f9-83b6-5932c2131200\r\nCorrelation ID: 425e3117-a495-4f8e-8a12-e7e64dd0e37b\r\nTimestamp: 2017-06-14 10:39:41Z","error_codes":[70002],"timestamp":"2017-06-14 10:39:41Z","trace_id":"aadf1560-18ec-46f9-83b6-5932c2131200","correlation_id":"425e3117-a495-4f8e-8a12-e7e64dd0e37b"}
Is there some configuration I have forgotten?

if (!parametersFile) {
  sampleParameters = {
    tenant : 'tenant.onmicrosoft.com',
    authorityHostUrl : 'https://login.microsoftonline.com',
    clientId : 'aa461028-1fgf-46e5-ab9b-5adca324febc',
    username : 'user@domain.net',
    password : 'lamepassword'
  };
}

var authorityUrl = sampleParameters.authorityHostUrl + '/' + sampleParameters.tenant;
var resource = '00000002-0000-0000-c000-000000000000';
Answer 0 (score: 1)
It is strongly recommended not to use the resource owner flow; in some cases, such as federated users or users who require MFA, it will not work. This flow is the one where your application handles the user's username and password directly and sends them in the request to the identity provider. If any additional interaction is needed as part of authentication, such as a second factor or handling federation, this approach cannot work. For these reasons, and on simple security principles (the application no longer needs to handle usernames and passwords), it is best to avoid it.

Since you are dealing with a federated user, resource owner will not work for you, which leaves you two preferred alternatives:

For details on choosing between these two options, see the "Web Application to Web API" scenario in the "Azure AD Authentication Scenarios" documentation.