When I obtain a token through the authorization code (authContext.acquireTokenByAuthorizationCode), I get a signed JWT (idToken) with the appropriate header:
{
    "typ": "JWT",
    "alg": "RS256",
    "x5t": "wLLmYfsqdQuWtV_-hnVtDJJZM3Q",
    "kid": "wLLmYfsqdQuWtV_-hnVtDJJZM3Q"
}
But when I use the refresh token to obtain a new token (authContext.acquireTokenByRefreshToken(...)), it returns an unsigned JWT:
{
    "typ": "JWT",
    "alg": "none"
}
How do I get a signed JWT?

// Refresh-token call from my code (adal4j names the credential class ClientCredential).
return authContext.acquireTokenByRefreshToken(
        refreshToken,
        new ClientCredential(
                clientId,
                clientSecret
        ),
        null
);
Answer 0: (score: 1)

I could not reproduce your problem on my side. I followed this tutorial to obtain the Authentication code, and successfully got the access token and refresh token with the following code. Please refer to it.
import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;
import com.microsoft.aad.adal4j.ClientCredential;
import java.net.URI;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

public class GetTokenByAuthenticationCode {
    private static final String APP_ID = "***";
    private static final String APP_SECRET = "***";
    private static final String REDIRECT_URI = "http://localhost:8080";
    private static final String tenant = "***";

    public static void main(String[] args) throws Exception {
        String authority = "https://login.microsoftonline.com/" + tenant + "/oauth2/authorize";
        ExecutorService service = Executors.newFixedThreadPool(1);
        // Authorization code received on the redirect URI after the user signed in.
        String code = "***";
        AuthenticationContext context = new AuthenticationContext(authority, true, service);
        URI url = new URI(REDIRECT_URI);
        try {
            // Redeem the authorization code for an access token and a refresh token.
            Future<AuthenticationResult> result = context.acquireTokenByAuthorizationCode(
                    code,
                    url,
                    new ClientCredential(APP_ID, APP_SECRET),
                    null
            );
            String token = result.get().getAccessToken();
            System.out.println(token);
            String refreshToken = result.get().getRefreshToken();
            System.out.println(refreshToken);

            // Use the refresh token to obtain a fresh token pair.
            Future<AuthenticationResult> result1 = context.acquireTokenByRefreshToken(
                    refreshToken,
                    new ClientCredential(APP_ID, APP_SECRET),
                    null
            );
            String tokenNew = result1.get().getAccessToken();
            String refreshTokenNew = result1.get().getRefreshToken();
            System.out.println(tokenNew);
            System.out.println(refreshTokenNew);
        } finally {
            // Release the executor so the JVM can exit.
            service.shutdown();
        }
    }
}
Decoded:

Updated answer:
First, sorry for the mistake. I replaced getAccessToken with getIdToken and got the same result as you. Then I searched the response parameters in "Authorize access to Azure Active Directory web applications using the OAuth 2.0 code grant flow", where you can find the statement for the id_token parameter:

> An unsigned JSON Web Token (JWT) representing an ID token. The app can base64Url decode the segments of this token to request information about the user who signed in. The app can cache the values and display them, but it should not rely on them for any authorization or security boundaries.

So the id token is just a segment that cannot be relied upon. If you want to get the full id token, please refer to the openId flow.
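The practical consequence of the quoted documentation is that a relying party must look at the JWT header before trusting anything in the payload: a token whose header reads "alg": "none" (as in the question's refresh-token response) carries no signature and is display-only, while a token with "alg": "RS256" and a kid/x5t still has to be verified against the issuer's published key before its claims mean anything. The following is an added example, not code from the question, the answer, or adal4j: a small hypothetical helper, JwtSignatureCheck, that splits a compact JWT, reads the alg header, and classifies the token. The sample tokens, the claims in them, and the placeholder signature are constructed for the demo. It only reports whether the header claims a signature; actual signature validation against the tenant's keys is out of scope here.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Hypothetical helper (not part of adal4j): splits a compact-serialized JWT,
 * reads the "alg" header and classifies the token as signed or unsigned.
 * An unsigned token ("alg":"none" or an empty signature segment) may be
 * decoded for display only and must never feed an authorization decision.
 */
public final class JwtSignatureCheck {

    /** Minimal extraction of the alg header; a production service would use a JSON parser. */
    private static final Pattern ALG = Pattern.compile("\"alg\"\\s*:\\s*\"([^\"]*)\"");

    public static final class Inspection {
        public final String alg;
        public final boolean claimsSignature;
        public final String payloadJson;

        Inspection(String alg, boolean claimsSignature, String payloadJson) {
            this.alg = alg;
            this.claimsSignature = claimsSignature;
            this.payloadJson = payloadJson;
        }
    }

    public static Inspection inspect(String jwt) {
        // Keep empty trailing segments: an "alg":"none" token ends with a bare dot.
        String[] parts = jwt.split("\\.", -1);
        if (parts.length != 3) {
            throw new IllegalArgumentException(
                    "expected header.payload.signature, got " + parts.length + " segments");
        }
        String header = decodeSegment(parts[0]);
        Matcher m = ALG.matcher(header);
        if (!m.find()) {
            throw new IllegalArgumentException("JWT header has no alg claim");
        }
        String alg = m.group(1);
        // "none" (any case) or a missing signature segment means there is nothing to verify.
        boolean claimsSignature = !"none".equalsIgnoreCase(alg) && !parts[2].isEmpty();
        return new Inspection(alg, claimsSignature, decodeSegment(parts[1]));
    }

    private static String decodeSegment(String segment) {
        // JWT segments are base64url without padding; Java's URL decoder accepts that.
        return new String(Base64.getUrlDecoder().decode(segment), StandardCharsets.UTF_8);
    }

    private static String encodeSegment(String json) {
        return Base64.getUrlEncoder().withoutPadding()
                .encodeToString(json.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample tokens for the demo; neither is a real Azure AD token.
        String payload = encodeSegment("{\"sub\":\"user@example.com\",\"roles\":[\"admin\"]}");
        String signedLooking = encodeSegment("{\"typ\":\"JWT\",\"alg\":\"RS256\",\"kid\":\"example-kid\"}")
                + "." + payload + "." + encodeSegment("placeholder-signature-bytes");
        String unsigned = encodeSegment("{\"typ\":\"JWT\",\"alg\":\"none\"}") + "." + payload + ".";

        for (String token : new String[] { signedLooking, unsigned }) {
            Inspection in = inspect(token);
            System.out.println("alg=" + in.alg + " claimsSignature=" + in.claimsSignature);
            System.out.println("payload=" + in.payloadJson);
            if (!in.claimsSignature) {
                System.out.println("-> display only: do not use these claims for authorization");
            } else {
                System.out.println("-> verify the signature against the issuer's key (kid/x5t) before trusting claims");
            }
        }
    }
}
```

Compile and run with javac JwtSignatureCheck.java && java JwtSignatureCheck. The unsigned sample decodes to the same payload as the signed-looking one, which is exactly why the check has to happen on the header: the payload of an "alg": "none" token is readable but unauthenticated, and a service that gates access on its roles claim would be trusting data the issuer never vouched for.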