I'm having trouble authenticating users with a Microsoft account. I'm using OpenId Connect authentication, but when I call the AcquireTokenByAuthorizationCodeAsync method I get the following message:
Exception thrown: 'Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException' in System.Private.CoreLib.dll: 'AADSTS70000: Transmission data parser failure: Authorization code is malformed or invalid.'
The auth options are as follows. This is what my GetTokenByAuthorizationCodeAsync looks like (I know it's not pretty, I'm just trying to get it working):
using System;
using System.Globalization;
using System.Linq;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Caching.Memory;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Claim type that carries the user's object id in Azure AD tokens
// (assumed definition; the post references ObjectIdentifierType without showing it).
const string ObjectIdentifierType = "http://schemas.microsoft.com/identity/claims/objectidentifier";

services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie() // the cookie scheme used as SignInScheme below must be registered
.AddOpenIdConnect(openIdOptions =>
{
    // Hybrid flow: the handler receives an authorization code and an id_token together
    openIdOptions.ResponseType = OpenIdConnectResponseType.CodeIdToken;
    openIdOptions.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    // Azure AD v2.0 endpoint, multi-tenant ("common")
    openIdOptions.Authority = String.Format(CultureInfo.InvariantCulture, "https://login.microsoftonline.com/{0}{1}", "common", "/v2.0");
    openIdOptions.ClientId = Configuration["MicrosoftAuth:ClientId"];
    openIdOptions.ClientSecret = Configuration["MicrosoftAuth:ClientSecret"];
    openIdOptions.SaveTokens = true;
    // With the "common" authority the issuer differs per tenant; this turns issuer validation off entirely
    openIdOptions.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = false
    };
    var scopes = Configuration["MicrosoftAuth:Scopes"].Split(' ');
    foreach (string scope in scopes)
    {
        openIdOptions.Scope.Add(scope);
    }
    openIdOptions.Events = new OpenIdConnectEvents
    {
        OnAuthorizationCodeReceived = async (context) =>
        {
            var code = context.ProtocolMessage.Code;
            // context.Principal is populated from the id_token of the hybrid response
            var identifier = context.Principal.Claims.First(item => item.Type == ObjectIdentifierType).Value;
            IMemoryCache memoryCache = context.HttpContext.RequestServices.GetRequiredService<IMemoryCache>();
            var result = await GetTokenByAuthorizationCodeAsync(identifier, code, memoryCache);
            // Tell the OIDC handler the code has already been redeemed so it does not redeem it again
            context.HandleCodeRedemption(result.AccessToken, result.IdToken);
        },
    };
});
I don't know what could be causing the error. If I send a Postman request I can use the authorization code, but I still can't add a resource ID to that request.
I registered the application in Microsoft's Application Registration Portal (https://apps.dev.microsoft.com/).

Answer 0 (score: 1)
You are using the Microsoft.IdentityModel.Clients.ActiveDirectory library to acquire the access token. This library is for Azure AD applications registered in the Azure portal, not for the Azure AD v2.0 endpoint. To acquire tokens for an Azure AD v2.0 application we can use the MSAL library. Here is a code sample for your reference:
OnAuthorizationCodeReceived = async (context) =>
{
    var code = context.ProtocolMessage.Code;
    // MSAL confidential client for the v2.0 endpoint; the redirect URI must match
    // the one used in the authorization request exactly
    ConfidentialClientApplication cca = new ConfidentialClientApplication(
        Configuration["AzureAD:ClientId"],
        Configuration["AzureAd:PostLogoutRedirectUri"] + "signin-oidc",
        new ClientCredential(Configuration["AzureAD:Secret"]),
        null,
        null);
    var result = await cca.AcquireTokenByAuthorizationCodeAsync(code, new string[] { "user.read" });
    // Hand the redeemed tokens to the OIDC handler so it does not redeem the code a second time
    context.HandleCodeRedemption(result.AccessToken, result.IdToken);
}
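The same redemption written against the current MSAL.NET builder API (Microsoft.Identity.Client 4.x), as an added example that is not part of the answer above or of the asker's project. Beyond the answer, it also replaces the question's ValidateIssuer = false with an issuer validator, because with the "common" authority the issuer is per-tenant and turning validation off lets a token from any tenant sign in. The client id, secret, redirect URI, scopes and the organizational tenant id are placeholders to substitute from your own app registration; the personal-account tenant id is the well-known value Azure AD uses for Microsoft accounts.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Client;
using Microsoft.IdentityModel.Tokens;

// Redeems the authorization code from the OIDC hybrid flow against the Azure AD
// v2.0 endpoint with MSAL, and restricts which tenants may sign in.
public static class MsalCodeRedemption
{
    // Assumed configuration values (placeholders, not from the original post).
    const string ClientId = "<client-id>";
    const string ClientSecret = "<client-secret>";
    // Must match, character for character, the redirect_uri sent in the
    // authorization request; the ASP.NET Core OIDC handler defaults to /signin-oidc.
    const string RedirectUri = "https://localhost:5001/signin-oidc";
    // Resource scopes only: MSAL adds openid/profile/offline_access itself and
    // rejects them if passed explicitly.
    static readonly string[] Scopes = { "User.Read" };

    // Tenants this app is willing to sign in. "common" accepts any tenant at the
    // authority level, so the restriction has to be applied here.
    static readonly string[] AllowedTenantIds =
    {
        "9188040d-6c67-4c5b-b112-36a304b66dad", // well-known tenant id for personal Microsoft accounts
        "00000000-0000-0000-0000-000000000000", // placeholder: your organizational tenant id
    };

    public static Task<AuthenticationResult> RedeemAsync(string code)
    {
        IConfidentialClientApplication cca = ConfidentialClientApplicationBuilder
            .Create(ClientId)
            .WithClientSecret(ClientSecret)
            .WithRedirectUri(RedirectUri)
            // Equivalent of the "common" v2.0 authority: work and school accounts plus personal accounts
            .WithAuthority(AzureCloudInstance.AzurePublic, AadAuthorityAudience.AzureAdAndPersonalMicrosoftAccount)
            .Build();

        return cca.AcquireTokenByAuthorizationCode(Scopes, code).ExecuteAsync();
    }

    public static async Task OnCodeReceived(AuthorizationCodeReceivedContext context)
    {
        AuthenticationResult result = await RedeemAsync(context.ProtocolMessage.Code);
        // Tell the OIDC handler the code is already redeemed; a second redemption
        // of the same code is rejected by the endpoint as invalid.
        context.HandleCodeRedemption(result.AccessToken, result.IdToken);
    }

    // v2.0 issuers have the form https://login.microsoftonline.com/{tenant-id}/v2.0.
    // Accept only issuers for the tenants listed above.
    public static string ValidateIssuer(string issuer, SecurityToken token, TokenValidationParameters parameters)
    {
        foreach (string tid in AllowedTenantIds)
        {
            if (string.Equals(issuer, $"https://login.microsoftonline.com/{tid}/v2.0", StringComparison.Ordinal))
            {
                return issuer;
            }
        }
        throw new SecurityTokenInvalidIssuerException($"Issuer '{issuer}' is not an allowed tenant.")
        {
            InvalidIssuer = issuer
        };
    }

    // Wiring into the OpenID Connect options from the question, in place of
    // ValidateIssuer = false and the ADAL-based handler.
    public static void Configure(OpenIdConnectOptions openIdOptions)
    {
        openIdOptions.TokenValidationParameters = new TokenValidationParameters
        {
            IssuerValidator = ValidateIssuer
        };
        openIdOptions.Events = new OpenIdConnectEvents
        {
            OnAuthorizationCodeReceived = OnCodeReceived
        };
    }
}
```

Call MsalCodeRedemption.Configure(openIdOptions) inside the AddOpenIdConnect callback. The issuer validator runs on the id_token the OIDC handler validates, so a token minted for a tenant outside AllowedTenantIds fails sign-in before the code is ever redeemed.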