Question

我试图验证通过access_token

获得的https://login.microsoftonline.com?.....

通过jwt.io我获得了令牌的以下信息。为了便于阅读，还有更多字段需要修剪。

{
  "typ": "JWT",
  "nonce": "AQABAAAAAAABlDrqfEFlSaui6xnRjX5El98dcaIDjRFfcLuFQZHkvlov2vdQMGa2qBl89-QA9pk7rk_aCmNK7VsSkAXd7HYiDoTNICVJx4rIk7iAA",
  "alg": "RS256",
  "x5t": "HHdKU-0Dqh6ZFPd2VWaOtg",
  "kid": "HHDKU-0DqAqMZh6Pd2VWaOtg"
}
{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/de34d790-e752-305f-93f8-e3d31df3279c2/"
}

我发现https://graph.microsoft.com/v1.0/me有人通过了他的Bearer Token并获得了成功结果，但是在我的测试中我总是得到这个错误：

{
    "error": {
        "code": "InvalidAuthenticationToken",
        "message": "CompactToken parsing failed with error code: -2147184105",
        "innerError": {
            "request-id": "bd08cbc6-b870-420a-bd9e-d70a92a9f27d",
            "date": "2017-09-20T11:59:05"
        }
    }
}

Answer 1

这里很难从截断的数据中判断出来，但您似乎没有要求任何范围。如果没有user.read这样的范围，您就无权拨打/me。

你是令牌的有效载荷应该看起来像：

{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/b9913ffa-837d-40b3-98c3-9aca40b827a1/",
  "iat": 1505934558,
  "nbf": 1505934558,
  "exp": 1505938458,
  "aio": "...",
  "app_displayname": "...",
  "appid": "...",
  "appidacr": "1",
  "idp": "...",
  "oid": "...",
  "roles": [
    "User.Read",
    "Mail.Read"
  ],
  "sub": "...",
  "tid": "...",
  "uti": "...",
  "ver": "1.0"
}

从graph.microsoft.com验证access_token

1 个答案: