我正在使用“ PHP League oauth2-client”来获取特定用户的详细信息。
但是出现错误:
Array
(
[error] => Array
(
[code] => InvalidAuthenticationToken
[message] => Access token validation failure. Invalid audience.
[innerError] => Array
(
[request-id] => <reuest-id>
[date] => 2019-06-13T07:44:01
)
)
)
我已经传递了clientId,clientSecret,redirectUri,urlAuthorize,urlAccessToken,urlResourceOwnerDetails并获得了AuthorizationUrl。当我点击authorizationUrl时,它将正确地使用code,state,session_state重定向。 我只是使用此代码,并获得了accesstoken数组。 使用accesstoken array,我调用'https://graph.microsoft.com/v1.0/me/'api来获取用户详细信息。但是出现错误,即访问令牌验证失败。无效的观众。
实际上,我正在尝试通过Microsoft登录
$provider = new \League\OAuth2\Client\Provider\GenericProvider([
'clientId' => '<cid>', // The client ID assigned to you by the provider
'clientSecret' => '<clientSecret>', // The client password assigned to you by the provider
'redirectUri' => 'https://mywebsideurl',
'urlAuthorize' => 'https://login.microsoftonline.com/<tenant_id>/oauth2/authorize',
'urlAccessToken' => 'https://login.microsoftonline.com/<tenant_id>/oauth2/token',
'urlResourceOwnerDetails' => 'https://graph.microsoft.com/v1.0/users/<my-microsoft-mail-id>',
]);
$accessToken = $provider->getAccessToken('authorization_code', [
'code' => '<code>'
]);
$request = $provider->getAuthenticatedRequest(
'GET',
'https://graph.microsoft.com/v1.0/me/',
$accessToken
);
错误:
Array
(
[error] => Array
(
[code] => InvalidAuthenticationToken
[message] => Access token validation failure. Invalid audience.
[innerError] => Array
(
[request-id] => <some id>
[date] => 2019-06-12T07:36:49
)
)
)
我有解析服务器的响应:
GuzzleHttp\Psr7\Response Object
(
[reasonPhrase:GuzzleHttp\Psr7\Response:private] => Unauthorized
[statusCode:GuzzleHttp\Psr7\Response:private] => 401
[headers:GuzzleHttp\Psr7\Response:private] => Array
(
[Content-Type] => Array
(
[0] => application/json; charset=utf-8
)
[request-id] => Array
(
[0] => <rid>
)
[client-request-id] => Array
(
[0] => <client-request-id>
)
[x-ms-ags-diagnostic] => Array
(
[0] => {"ServerInfo":{"DataCenter":"<some place name here>","Slice":"SliceC","Ring":"<some number>","ScaleUnit":"<something>","RoleInstance":"something","ADSiteName":"something"}}
)
[WWW-Authenticate] => Array
(
[0] => Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="<some id here>"
)
[Strict-Transport-Security] => Array
(
[0] => max-age=31536000
)
[Date] => Array
(
[0] => Thu, 13 Jun 2019 07:44:01 GMT
)
[Content-Length] => Array
(
[0] => <some length>
)
)
[headerNames:GuzzleHttp\Psr7\Response:private] => Array
(
[content-type] => Content-Type
[request-id] => request-id
[client-request-id] => client-request-id
[x-ms-ags-diagnostic] => x-ms-ags-diagnostic
[www-authenticate] => WWW-Authenticate
[strict-transport-security] => Strict-Transport-Security
[date] => Date
[content-length] => Content-Length
)
[protocol:GuzzleHttp\Psr7\Response:private] => 1.1
[stream:GuzzleHttp\Psr7\Response:private] => GuzzleHttp\Psr7\Stream Object
(
[stream:GuzzleHttp\Psr7\Stream:private] => Resource id #<some_id>
[size:GuzzleHttp\Psr7\Stream:private] => <some number>
[seekable:GuzzleHttp\Psr7\Stream:private] => 1
[readable:GuzzleHttp\Psr7\Stream:private] => 1
[writable:GuzzleHttp\Psr7\Stream:private] => 1
[uri:GuzzleHttp\Psr7\Stream:private] => php://temp
[customMetadata:GuzzleHttp\Psr7\Stream:private] => Array
(
)
)
)
根据我的观察服务器返回的WWW-Authenticate url错误,它 应该 https://login.microsoftonline.com/tenant_id/oauth2/authorize。
有什么方法可以从azure后端配置WWW身份验证URL ??
答案 0 :(得分:1)
提供者的配置不正确。要允许Microsoft帐户登录,您应该使用Microsoft identity platform v2.0 endpoint。在Azure门户上注册应用程序时,请记住将支持的帐户类型设置为任何组织目录中的帐户和个人Microsoft帐户。
这里是sample供您参考。
$oauthClient = new \League\OAuth2\Client\Provider\GenericProvider([
'clientId' => env('OAUTH_APP_ID'),
'clientSecret' => env('OAUTH_APP_PASSWORD'),
'redirectUri' => env('OAUTH_REDIRECT_URI'),
'urlAuthorize' => env('OAUTH_AUTHORITY').env('OAUTH_AUTHORIZE_ENDPOINT'),
'urlAccessToken' => env('OAUTH_AUTHORITY').env('OAUTH_TOKEN_ENDPOINT'),
'urlResourceOwnerDetails' => '',
'scopes' => env('OAUTH_SCOPES')
]);
OAUTH_APP_ID=YOUR_APP_ID_HERE
OAUTH_APP_PASSWORD=YOUR_APP_PASSWORD_HERE
OAUTH_REDIRECT_URI=http://localhost:8000/authorize
OAUTH_SCOPES='openid profile offline_access User.Read Mail.Read'
OAUTH_AUTHORITY=https://login.microsoftonline.com/common
OAUTH_AUTHORIZE_ENDPOINT=/oauth2/v2.0/authorize
OAUTH_TOKEN_ENDPOINT=/oauth2/v2.0/token