我已经为具有Azure Active Directory的SAP系统设置了SSO,它运行正常。现在,我正在尝试使用MS-Adal通过Android应用程序获取OAuth令牌。
我认为我已经完成了正确的设置,但是我对使用断言的JWT令牌交换有些困惑。
这就是我所说的AAD身份验证方式:
.acquireTokenAsync('resourceId', 'appId', 'http://localhost:8100/login', '', '')
如果我使用https://graph.windows.net作为resourceId,则可以从我的应用程序中获得JWT令牌。之后,我使用Postman通过OBO Flow将请求发送到SAP系统。
执行请求时,出现以下错误:
"error_description": "AADSTS500131: Assertion audience does not match the Client app presenting the assertion. The audience in the assertion was 'https://graph.windows.net' and the expected audience is 'HTTPS://XXX-sso.sapbydesign.com' or one of the Application Uris of this application with App ID '....'(SAP Business ByDesign (XXX)). The downstream client must request a token for the expected audience (the application that made the OBO request) and this application should use that token as the assertion.\r\nTrace...
似乎我必须将受众群体更改为“ HTTPS://XXX-sso.sapbydesign.com”。但是当我将其作为resourceId输入时,在应用程序中出现以下错误:
Authentication failed Error: User cancelled the flow RequestId:156473759
我还已经在AAD中设置了API访问权限,并尝试使用到sap租户的api链接作为resourceId,这会导致相同的错误。
关于我在做什么错的任何建议?