Azure AD-缺少角色的仅应用令牌中的声明

Question

当我尝试按照here所述从nodejs后端服务器获取仅应用令牌时，有时roles声明中的令牌丢失，这导致Authorization_IdentityNotFound或Authorization_RequestDenied错误

我创建了一个仅获取应用程序令牌的函数，该函数将调用/token端点，直到在所检索的令牌中有roles个声明为止。

功能如下：

async getApplicationTokenByTenant(
tenantId: string
): Promise<any> {
// post param
const params = {
    client_id: process.env.APP_ID,
    client_secret: process.env.APP_SECRET,
    grant_type: "client_credentials",
    scope: "https://graph.microsoft.com/.default"
};

let expectedRes = null;
let retryCount = 0;
// try to get token for max 4 times
while (!expectedRes && retryCount < 4) {
    console.log(`Try:${retryCount + 1}`);
    // call api
    const res = await fetch(
    `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`,
    {
        method: "POST",
        body: form(params),
        headers: {
        Accept: "application/json",
        "Content-Type":
            "application/x-www-form-urlencoded"
        }
    }
    );

    if (res.status !== 200) {
    const exception = await res.json();
    throw exception;
    }

    const response = await res.json();

    // Decode token
    const decodedToken = jws.decode(
    response.access_token
    ) as any;
    console.log("decodedToken");
    console.log(decodedToken);

    // check if "roles" exist in token
    if (!decodedToken.roles) {
    // if not wait for 3 seconds before retry
    await asyncWait(3000);
    retryCount++;
    } else {
    // got token having roles claim
    expectedRes = response;
    }
}
if (!expectedRes) {
    // did not get expected response after max retry
    throw new Error("Unable to get app token with roles");
}
return expectedRes;
}

这是响应：

尝试：1

{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/8xxxxxxx-6xxx-4xxx-8xxx-exxxxxxxxxxx/",
  "iat": 1544945058,
  "nbf": 1544945058,
  "exp": 1544948958,
  "aio": "42RgYAhLEHI9n/8xtk896Mfyc2cWAwA=",
  "app_displayname": "Dev Bot",
  "appid": "axxxxxxx-1xxx-4xxx-8bc6-bxxxxxxxxxxx",
  "appidacr": "1",
  "idp": "https://sts.windows.net/8xxxxxxx-6xxx-4xxx-8xxx-exxxxxxxxxxx/",
  "oid": "7xxxxxxx-6xxxx-4xxxx-a94f-cxxxxxxxxxxx",
  "sub": "7xxxxxxx-6xxxx-4xxxx-a94f-cxxxxxxxxxxx",
  "tid": "8xxxxxxx-6xxx-4xxx-8xxx-exxxxxxxxxxx",
  "uti": "qrPy3iOYp0emoAWhGI6oAA",
  "ver": "1.0",
  "xms_tcdt": 1540903121
}

尝试：2

{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/8xxxxxxx-6xxx-4xxx-8xxx-exxxxxxxxxxx/",
  "iat": 1544945062,
  "nbf": 1544945062,
  "exp": 1544948962,
  "aio": "42RgYGBJfLUkMmfnZgFrhl8lThs0AQ==",
  "app_displayname": "Dev Bot",
  "appid": "axxxxxxx-1xxx-4xxx-8bc6-bxxxxxxxxxxx",
  "appidacr": "1",
  "idp": "https://sts.windows.net/8xxxxxxx-6xxx-4xxx-8xxx-exxxxxxxxxxx/",
  "oid": "7xxxxxxx-6xxxx-4xxxx-a94f-cxxxxxxxxxxx",
  "sub": "7xxxxxxx-6xxxx-4xxxx-a94f-cxxxxxxxxxxx",
  "tid": "8xxxxxxx-6xxx-4xxx-8xxx-exxxxxxxxxxx",
  "uti": "cGcY4Mdbyk6BkZlOjVSfAA",
  "ver": "1.0",
  "xms_tcdt": 1540903121
}

尝试：3

{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/8xxxxxxx-6xxx-4xxx-8xxx-exxxxxxxxxxx/",
  "iat": 1544945070,
  "nbf": 1544945070,
  "exp": 1544948970,
  "aio": "42RgYFgQlXKE/SWHGP+115sO7D/yAwA=",
  "app_displayname": "Dev Bot",
  "appid": "axxxxxxx-1xxx-4xxx-8bc6-bxxxxxxxxxxx",
  "appidacr": "1",
  "idp": "https://sts.windows.net/8xxxxxxx-6xxx-4xxx-8xxx-exxxxxxxxxxx/",
  "oid": "7xxxxxxx-6xxxx-4xxxx-a94f-cxxxxxxxxxxx",
  "roles": [
    "Mail.ReadWrite",
    "Group.ReadWrite.All",
    "Files.ReadWrite.All",
    "Directory.Read.All",
    "Mail.Read"
  ],
  "sub": "7xxxxxxx-6xxxx-4xxxx-a94f-cxxxxxxxxxxx",
  "tid": "8xxxxxxx-6xxx-4xxx-8xxx-exxxxxxxxxxx",
  "uti": "CMiI-hcLlUCpqO6z70ukAA",
  "ver": "1.0",
  "xms_tcdt": 1540903121
}

如回应所示，我在第三次尝试时得到了预期的令牌（具有角色声明）。为何在第一次尝试时不起作用？

Answer 1

在我这边，我尝试了门户中的管理员同意和要求管理员同意的url请求，然后立即获得了仅应用令牌，令牌中包含了角色。据我所知，更新权限可能需要一些时间。