我有一个Web API,需要代表用户对Microsoft Graph API进行调用。我正在使用here中所述的OBO流。
要获取访问令牌,我要发布到
POST - https://login.microsoftonline.com/<my-tenant-id>/oauth2/v2.0/token
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
&client_id=<my-client-id>
&client_secret=<my-client-secret>
&assertion=<user's access token>
&scope=https://graph.microsoft.com/files.readwrite.all
&requested_token_use=on_behalf_of
呼叫失败,并显示以下消息:
{
"error": "invalid_grant",
"error_description": "AADSTS50013: Assertion failed signature validation. [Reason - The key was not found.]\r\nTrace ID: fb813f8e-ce15-4d09-bbae-9db5e5195a00\r\nCorrelation ID: ecb4e087-5506-4224-8f11-72fbf574beac\r\nTimestamp: 2020-10-22 02:18:57Z",
"error_codes": [
50013
],
"timestamp": "2020-10-22 02:18:57Z",
"trace_id": "fb813f8e-ce15-4d09-bbae-9db5e5195a00",
"correlation_id": "ecb4e087-5506-4224-8f11-72fbf574beac",
"error_uri": "https://login.microsoftonline.com/error?code=50013"
}
有什么想法我可能做错了吗?
为回应@Chauncy Zhou,
我有一个Angular应用,具有:
“ @ azure / msal-angular”:“ ^ 1.0.0”, “ msal”:“ 1.3.3”
在app.module中,MSAL的配置如下:
MsalModule.forRoot(
{
auth: {
clientId: environment.msClientId, // app1-client-id
authority: environment.msAuthorithy, // https://login.microsoftonline.com/<tenant-id>
redirectUri: environment.msRedirectUri // https://localhost:4200/callback
},
cache: {
cacheLocation: 'localStorage',
storeAuthStateInCookie: false
},
},
{
consentScopes: ['user.read', 'openid'],
protectedResourceMap: [
['https://app-2', ['api://app-2-id/scope-name']],
]
}
)
在测试组件中:
import { Component, OnInit } from '@angular/core';
import { MsalService } from '@azure/msal-angular';
@Component({
selector: 'app-test',
templateUrl: './test.component.html',
styleUrls: ['./test.component.scss']
})
export class TestComponent implements OnInit {
constructor(private msal: MsalService) {}
ngOnInit(): void {
this.msal.acquireTokenSilent({ scopes: ['api://app-2/scope-name'] }).then(response => {
console.log(response);
});
}
}
从控制台获取访问令牌,然后在邮递员中为OBO进行POST。