JWT CSOM / REST Azure Active Directory

时间:2017-07-27 15:14:32

标签: rest authentication azure-active-directory csom bearer-token

我们一直在尝试使用带有令牌的CSOM / REST身份验证承载头请求向sharepoint发出请求。它与以下问题有关:

C# CSOM Sharepoint Bearer request from azure active directory

只有一个链接/示例适用于所有其他链接/示例,包括Android ADAL方法不起作用。

https://samlman.wordpress.com/2015/02/27/using-adal-access-tokens-with-o365-rest-apis-and-csom/

它们似乎没有返回一个令牌,当我们在JWT解析器中查看令牌时,我们可以看到 scp 值不同,失败的值有 user_impersonate ,但工作人员有 AllSites.Manage AllSites.Read AllSites.Write MyFiles.Read MyFiles.Write aud 网址也不同,是这些问题中的一个或两个,我如何让它运作?

这是失败的:

{
  "aud": "https://srmukdev.onmicrosoft.com/3Squared-Api-Test",
  "iss": "...",
  "iat": ...,
  "nbf": ...,
  "exp": ..,
  "acr": "...",
  "aio": "...",
  "amr": [
    "pwd",
    "mfa"
  ],
  "appid": "...",
  "appidacr": "0",
  "e_exp": ...,
  "family_name": "...",
  "given_name": "...",
  "ipaddr": "...",
  "name": "...",
  "oid": "...",
  "onprem_sid": "...",
  "platf": "3",
  "scp": "user_impersonation",
  "sub": "...",
  "tid": "...",
  "unique_name": "...",
  "upn": "...",
  "ver": "1.0"
}

这是有效的:

{
  "aud": "https://srmukdev.sharepoint.com/",
  "iss": "...",
  "iat": ...,
  "nbf": ...,
  "exp": ...,
  "acr": "...",
  "aio": "...",
  "amr": [
    "pwd",
    "mfa"
  ],
  "app_displayname": "...",
  "appid": "...",
  "appidacr": "0",
  "e_exp": ...,
  "family_name": "...",
  "given_name": "...",
  "ipaddr": "...",
  "name": "...",
  "oid": "...",
  "onprem_sid": "...",
  "platf": "3",
  "puid": "...",
  "scp": "AllSites.Manage AllSites.Read AllSites.Write MyFiles.Read MyFiles.Write",
  "sub": "...",
  "tid": "...",
  "unique_name": "...",
  "upn": "...",
  "ver": "1.0"
}

1 个答案:

答案 0 :(得分:1)

访问令牌通过检查其aud声明来获取特定资源。第一个令牌用于自定义资源的身份验证。

要获取特定资源的令牌,我们可以使用参数resource来指定我们要为令牌请求的资源。例如,如果我想获取Microsoft Graph资源的令牌,我们可以构建如下所示的请求:

POST /{tenant}/oauth2/token HTTP/1.1
Host: https://login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
&client_id=2d4d11a2-f814-46a7-890a-274a72a7309e
&code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGBCmLdgfSTLEMPGYuNHSUYBrqqf_ZT_p5uEAEJJ_nZ3UmphWygRNy2C3jJ239gV_DBnZ2syeg95Ki-374WHUP-i3yIhv5i-7KU2CEoPXwURQp6IVYMw-DjAOzn7C3JCu5wpngXmbZKtJdWmiBzHpcO2aICJPu1KvJrDLDP20chJBXzVYJtkfjviLNNW7l7Y3ydcHDsBRKZc3GuMQanmcghXPyoDg41g8XbwPudVh7uCmUponBQpIhbuffFP_tbV8SNzsPoFz9CLpBCZagJVXeqWoYMPe2dSsPiLO9Alf_YIe5zpi-zY4C3aLw5g9at35eZTfNd0gBRpR5ojkMIcZZ6IgAA
&redirect_uri=https%3A%2F%2Flocalhost%2Fmyapp%2F
&resource=https%3A%2F%2Fservice.contoso.com%2F
&client_secret=p@ssw0rd

如果您想获取https://srmukdev.sharepoint.com/的访问令牌,则需要根据您使用的流程在请求中为resource参数赋值https://srmukdev.sharepoint.com/

有关Azure AD支持获取访问令牌的流程的更多详细信息,请参阅以下链接:

Azure Active Directory Authentication Protocols

相关问题
最新问题