If this is a bug, I have opened an issue on GitHub.

Problem

I am trying to sign in to an ASP.NET Core 2 web app with Azure AD using MSAL.

When I call AcquireTokenByAuthorizationCodeAsync I get the error:

MsalServiceException: AADSTS90023: Public clients can't send a client secret.

There are not many code examples of exactly what I am doing, but what does exist shows the ClientSecret being passed to ConfidentialClientApplication as {{3}}.

It is doubly confusing because the error message refers to ClientCredential, which is not what I am using; I am using PublicClientApplication.
Code

Here is the full method in which the error occurs:
```csharp
public void Configure(string name, OpenIdConnectOptions options)
{
    options.Authority = $"{azureADOptions.Instance}{azureADOptions.TenantId}";
    options.CallbackPath = azureADOptions.CallbackPath;
    options.ClientId = azureADOptions.ClientId;
    options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
    options.UseTokenLifetime = true;
    options.Events = new OpenIdConnectEvents
    {
        OnAuthorizationCodeReceived = async context =>
        {
            var clientID = options.ClientId;
            var authority = options.Authority;
            var redirectUri = this.azureADOptions.RedirectUri;
            var clientCredentials = new ClientCredential(azureADOptions.ClientSecret);
            var tokenCache = AzureADUtils.GetTokenCache(context.HttpContext, context.Principal);
            var clientApp = new ConfidentialClientApplication(clientID, authority, redirectUri, clientCredentials, tokenCache, null);
            try
            {
                var code = context.ProtocolMessage.Code;
                var scopes = new[]
                {
                    AzureADScopes.User.ReadBasicAll,
                    AzureADScopes.Group.ReadAll
                };
                //AJ: This line is where the exception is thrown.
                var result = await clientApp.AcquireTokenByAuthorizationCodeAsync(code, scopes);
                context.HandleCodeRedemption(result.AccessToken, result.IdToken);
            }
            catch (Exception)
            {
                throw;
            }
        }
    };
}
```
The error message appears to come from the server side rather than being generated on the client, which makes it even more puzzling why it would be confused about which kind of *ClientApplication class I am using.

Request & Response

Here is the request I sent:
```http
POST https://login.microsoftonline.com/[REMOVED]/oauth2/v2.0/token HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: application/json
Cookie: x-ms-gateway-slice=006; stsservicecookie=ests; esctx=[REMOVED]
x-client-SKU: MSAL.CoreCLR
x-client-Ver: 1.1.0.0
x-client-OS: Microsoft Windows 10.0.15063
client-request-id: [REMOVED]
return-client-request-id: true
x-ms-request-root-id: [REMOVED]
x-ms-request-id: [REMOVED]
Request-Id: [REMOVED]
Content-Length: 981
Host: login.microsoftonline.com

client_id=[REMOVED]
&client_info=1
&client_secret=[REMOVED]
&scope=Group.Read.All+offline_access+openid+profile+User.ReadBasic.All
&grant_type=authorization_code
&code=[REMOVED]
&redirect_uri=https%3A%2F%2Flocalhost%3A44365%2Fsignin-oidc
```
And the response I got back:
```json
{
  "error": "invalid_request",
  "error_description": "AADSTS90023: Public clients can't send a client secret.\r\nTrace ID: [REMOVED]\r\nCorrelation ID: [REMOVED]\r\nTimestamp: 2017-09-18 16:12:51Z",
  "error_codes": [90023],
  "timestamp": "2017-09-18 16:12:51Z",
  "trace_id": "[REMOVED]",
  "correlation_id": "[REMOVED]"
}
```
This is very close to what is described under the heading "Step 2 - Get an access token" in ConfidentialClientApplication.

App Registration

I created a "Converged" application registration, which should use the Azure AD v2 application model.

It has an application key, a password, which is used as the client secret.

It has one platform, Web, with "Allow implicit flow" enabled, one redirect URL set, and no logout URL.

Answer 0 (score: 0)
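As an added example (my own code, not from the question or from MSAL), a small Python helper that parses a token request and error response of the shape shown above, masks credential fields before they are logged, and reports whether a confidential-client credential was sent to an endpoint that treats the client_id as a public client; the sample bodies are constructed from the redacted exchange in the question.

```python
import json
import re
from urllib.parse import parse_qs

# Constructed samples modelled on the exchange in the question (already redacted there).
TOKEN_REQUEST_BODY = (
    "client_id=[REMOVED]&client_info=1&client_secret=[REMOVED]"
    "&scope=Group.Read.All+offline_access+openid+profile+User.ReadBasic.All"
    "&grant_type=authorization_code&code=[REMOVED]"
    "&redirect_uri=https%3A%2F%2Flocalhost%3A44365%2Fsignin-oidc"
)
TOKEN_ERROR_RESPONSE = json.dumps({
    "error": "invalid_request",
    "error_description": "AADSTS90023: Public clients can't send a client secret."
                         "\r\nTrace ID: [REMOVED]\r\nCorrelation ID: [REMOVED]",
    "error_codes": [90023],
})
# Credential fields only a confidential client (one able to keep a secret) may send.
CONFIDENTIAL_ONLY = ("client_secret", "client_assertion")
# Fields that must never reach a log: the credential and the one-time authorization code.
SENSITIVE = CONFIDENTIAL_ONLY + ("code",)

def parse_token_request(body):
    """Flatten an application/x-www-form-urlencoded token request into a dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def redact_for_log(fields):
    """Copy of the form fields with credential material masked, safe to log."""
    return {k: ("***" if k in SENSITIVE else v) for k, v in fields.items()}

def parse_token_error(text):
    """Extract AADSTS code, message and diagnostic IDs from a token-endpoint error body."""
    desc = json.loads(text).get("error_description", "")
    m = re.match(r"AADSTS(\d+):\s*([^\r\n]*)", desc)
    ids = dict(re.findall(r"(Trace ID|Correlation ID):\s*(\S+)", desc))
    return {"aadsts": int(m.group(1)) if m else None, "message": m.group(2) if m else desc,
            "trace_id": ids.get("Trace ID"), "correlation_id": ids.get("Correlation ID")}

def diagnose(body, response_text):
    """Match what the client sent against what the STS rejected."""
    req, err = parse_token_request(body), parse_token_error(response_text)
    sent = [p for p in CONFIDENTIAL_ONLY if p in req]
    if err["aadsts"] == 90023 and sent:
        return ("STS treats client_id %s as a public client, yet the request carried %s; "
                "the endpoint judges the app registration, not which MSAL class built the "
                "request" % (req["client_id"], ", ".join(sent)))
    return "no public/confidential mismatch detected (AADSTS%s)" % err["aadsts"]
```

Feed it the redacted form body and response JSON from a failing exchange; the trace and correlation IDs it extracts are what Microsoft support asks for, while the secret and code never appear in the redacted copy.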