Skype for Business on Azure UCWA authentication - issued token not accepted

Time: 2018-02-09 16:43:00

Tags: azure oauth skype-for-business ucwa

I am integrating a Java application with Skype for Business using UCWA, and this is the list of actions I performed. When it looked like everything was working and covered, I got stuck in an unexpected place. The solution is probably trivial, like adding one extra permission, but I can't find it. Also, I believe this post will help others who get stuck.

  1. Register the application in the Azure portal:
     - Register it as a Native application
     - Add the required permissions for all Skype for Business Online permissions
     - Grant the permissions for all users
     - Get the App ID (it will be used later as the client ID)

  2. HTTP GET; btw, (tenant) should be replaced with the actual tenant name. Request:

        curl -X GET \
          http://lyncdiscover.(tenant).onmicrosoft.com/ \
          -H 'cache-control: no-cache' \
          -H 'content-type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW' \
          -H 'postman-token: b45b8fee-852f-4678-3631-3a06727d99fc' \
          -F Capture=undefined

  3. Response:

        {
            "_links": {
                "self": {
                    "href": "https://webdir0a.online.lync.com/Autodiscover/AutodiscoverService.svc/root?originalDomain=(tenant).onmicrosoft.com"
                },
                "xframe": {
                    "href": "https://webdir3a.online.lync.com/Autodiscover/AutodiscoverService.svc/root/xframe"
                },
                "redirect": {
                    "href": "https://webdir3a.online.lync.com/Autodiscover/AutodiscoverService.svc/root?originalDomain=(tenant).onmicrosoft.com"
                }
            }
        }
    
    1. HTTP GET the redirect URL:

          curl -X GET \
            'https://webdir3a.online.lync.com/Autodiscover/AutodiscoverService.svc/root?originalDomain=(tenant).onmicrosoft.com' \
            -H 'cache-control: no-cache' \
            -H 'postman-token: 273cad2b-a9a9-9882-8634-b52f9a9976b5'

          {
              "_links": {
                  "self": {
                      "href": "https://webdir3a.online.lync.com/Autodiscover/AutodiscoverService.svc/root?originalDomain=(tenant).onmicrosoft.com"
                  },
                  "user": {
                      "href": "https://webdir3a.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user?originalDomain=(tenant).onmicrosoft.com"
                  },
                  "xframe": {
                      "href": "https://webdir3a.online.lync.com/Autodiscover/XFrame/XFrame.html"
                  }
              }
          }

    2. GET the user URL:

          curl -X GET \
            'https://webdir3a.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user?originalDomain=(tenant).onmicrosoft.com' \
            -H 'cache-control: no-cache' \
            -H 'postman-token: af9ab0bd-dc6f-b2f3-e7d9-23941aac5537'

    3. Response: 401 Unauthorized. Read the response HTTP headers and extract:

          authorization_uri="https://login.windows.net/common/oauth2/authorize"
      
      1. POST to the authorization URL with client_id = the app ID from the Azure portal app registration and resource = 00000004-0000-0ff1-ce00-000000000000 (the SfB resource ID):

            curl -X POST \
              https://login.windows.net/common/oauth2/token \
              -H 'cache-control: no-cache' \
              -H 'content-type: application/x-www-form-urlencoded;charset=UTF-8' \
              -H 'postman-token: 39902b3f-00c3-e7a8-75d0-6b94f10e07ed' \
              -d 'resource=00000004-0000-0ff1-ce00-000000000000&client_id=XXXX-XXXX-XXXX&grant_type=password&username=actualUserName@tenant.com&password=actual_password&scope=openid'

      2. Response:

            {
                "token_type": "Bearer",
                "scope": "Contacts.ReadWrite Conversations.Initiate Conversations.Receive Meetings.ReadWrite User.ReadWrite",
                "expires_in": "3599",
                "ext_expires_in": "0",
                "expires_on": "1518196708",
                "not_before": "1518192808",
                "resource": "00000004-0000-0ff1-ce00-000000000000",
                "access_token": "eyJ0...",
                "refresh_token": "AQABA...",
                "id_token": "eyJ0e..."
            }
        

        Yes, I got a real token and everything seemed fine, but it is not. When I GET the user URL again using this token, the response is now 403 Forbidden and I am stuck.

            curl -X GET \
              'https://webdir3a.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user?originalDomain=(tenant).onmicrosoft.com' \
              -H 'authorization: Bearer eyJ0eXA...' \
              -H 'cache-control: no-cache' \
              -H 'postman-token: ff0a80bd-5025-5b28-3f1c-cf9205890812'
        

        Response: 403 Forbidden

            <body>
                <div id="header">
                    <h1>Server Error</h1>
                </div>
                <div id="content">
                    <div class="content-container">
                        <fieldset>
                            <h2>403 - Forbidden: Access is denied.</h2>
                            <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
                        </fieldset>
                    </div>
                </div>
            </body>
        

1 answer:

Answer 0 (score: 1)

The error is in step #4, the resource parameter. The correct request uses the user server URL as the resource parameter:

    curl -X POST \
      https://login.windows.net/common/oauth2/token \
      -H 'cache-control: no-cache' \
      -H 'content-type: application/x-www-form-urlencoded;charset=UTF-8' \
      -H 'postman-token: 39902b3f-00c3-e7a8-75d0-6b94f10e07ed' \
      -d 'resource=https://webdir3a.online.lync.com&client_id=XXXX-XXXX-XXXX&grant_type=password&username=actualUserName@tenant.com&password=actual_password&scope=openid'

Then use the received token to get the application URL from the user URL. Once the application URL has been retrieved, a new token request must be POSTed to get a token for the application server, which in my case is:

    curl -X POST \
      https://login.windows.net/common/oauth2/token \
      -H 'cache-control: no-cache' \
      -H 'content-type: application/x-www-form-urlencoded;charset=UTF-8' \
      -H 'postman-token: 39902b3f-00c3-e7a8-75d0-6b94f10e07ed' \
      -d 'resource=https://webpoolsn23a14.infra.lync.com&client_id=XXXX-XXXX-XXXX&grant_type=password&username=actualUserName@tenant.com&password=actual_password&scope=openid'

This token can finally be used to create the application and the other messaging services.
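Added example, not code from the question or the answer: a few Python helpers that walk the autodiscover `_links` JSON, parse the Bearer challenge from the 401, derive the `resource` value the answer recommends from the server URL (per-host, so the same function serves the webdir and the webpool token requests), and read a token's `aud` claim to see which resource it was actually issued for when a server answers 403. The sample JSON, challenge header, tenant name and token are constructed; the `/ucwa/oauth/v1/applications` path in the test is an assumption.

```python
import base64
import json
import re
from urllib.parse import urlencode, urlsplit

# Constructed samples modelled on the responses shown in the question, not captured traffic.
AUTODISCOVER_ROOT = {"_links": {
    "self": {"href": "https://webdir3a.online.lync.com/Autodiscover/AutodiscoverService.svc/root?originalDomain=contoso.onmicrosoft.com"},
    "user": {"href": "https://webdir3a.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user?originalDomain=contoso.onmicrosoft.com"},
}}
WWW_AUTHENTICATE = ('Bearer trusted_issuers="00000001-0000-0000-c000-000000000000@*", '
                    'client_id="00000004-0000-0ff1-ce00-000000000000", '
                    'authorization_uri="https://login.windows.net/common/oauth2/authorize"')

def link(doc, rel):
    """href of a UCWA _links relation such as 'redirect', 'user' or 'applications'."""
    return doc["_links"][rel]["href"]

def parse_bearer_challenge(header):
    """Split the key="value" pairs of the Bearer challenge in a 401 WWW-Authenticate header."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))

def resource_for(url):
    """The OAuth 'resource' a UCWA server expects: the scheme and host of the URL being
    called (the answer's fix), not the Skype for Business application ID GUID."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"

def token_request_body(url, client_id, username, password):
    """Form body for the v1 token endpoint, using the password grant as the question does."""
    return urlencode({"resource": resource_for(url), "client_id": client_id,
                      "grant_type": "password", "username": username,
                      "password": password, "scope": "openid"})

def unverified_audience(jwt):
    """Read the 'aud' claim without checking the signature: a diagnostic only, to see
    which resource a token was issued for when the server replies 403."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))["aud"]

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed token carrying the audience the question's step 4 request asks for (fake signature).
SAMPLE_JWT = ".".join([_b64url(b'{"typ":"JWT","alg":"RS256"}'),
                       _b64url(b'{"aud":"00000004-0000-0ff1-ce00-000000000000"}'), "sig"])
```

Comparing `unverified_audience(token)` with `resource_for(url)` before sending a request is a quick way to catch the mismatch that produced the 403 in the question.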