问题描述
我正在努力从https://login.microsoftonline.com/common/oauth2/token"获取令牌;通过后请求使用 Azure 函数.该令牌将授予通过 CSOM 访问 SharePoint 的权限.这是我的帖子请求代码片段:
I am struggling to get a token from "https://login.microsoftonline.com/common/oauth2/token" with an Azure function by a post-request. The token will give permissions to access SharePoint though CSOM. Here is my code snippet with the post request:
var clientId = defaultAADAppId;
var body = $"resource={resource}&client_id={clientId}&grant_type=password&username={HttpUtility.UrlEncode(username)}&password={HttpUtility.UrlEncode(password)}";
using (var stringContent = new StringContent(body, Encoding.UTF8, "application/x-www-form-urlencoded"))
{
var result = await httpClient.PostAsync(tokenEndpoint, stringContent);
var tokenResult = JsonSerializer.Deserialize<JsonElement>(result);
var token = tokenResult.GetProperty("access_token").GetString();
}
在本地测试时,无论是在 Visual Studio 中运行该功能还是尝试使用 Postman 时,我都能获得访问令牌.但是,一旦我将该函数发布到 Azure 中的 Function 应用程序,我就会收到以下错误消息:
When testing locally, both when running the function in Visual studio and when I try with Postman, I am able to achieve an access token. However, as soon as I publish the function to my Function app in Azure I receive the following error message:
"AADSTS53003:访问已被条件访问策略阻止.访问策略不允许令牌发行"
"AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance"
我已在门户中启用应用注册,并且如前所述,一切正常,直到我将所有内容发布到 Azure.
I have enabled an app registration in the portal and as mentioned, it all works fine until I publish everything to Azure.
关于如何解决这个问题的任何想法?
Any ideas on how to solve this?
推荐答案
我现在开始工作了.首先,我按照@CaseyCrookston 的建议审查了 CA 政策.我发现我们的 CA 政策阻止了我们运营所在国家/地区以外的电话.但是,来自应用注册/Azure 函数的调用是从 Azure 数据中心位置注册的,因此被我们的 CA 策略阻止.在本地运行它们时,调用在我的国家/地区注册,因此在调试时没有显示错误.
I got it to work now. First of all I reviewed the CA policies as @CaseyCrookston suggested. What I found out was that our CA policies blocked calls outside the country we operate from. However, the calls from the App registration/Azure function were registered from the Azure data centre location and thus, blocked by our CA policies. When running them locally the calls where registered in my country and therefore no errors were showing while debugging.
我的第一步是尝试将我的客户端应用程序添加到 CA 策略中,但这是不可能的.我根据此 Microsoft 的 CSOM 指南 阻止将应用注册从 CA 策略中列入白名单 (Github 问题).
My first step was trying to add my Client app to the CA policy, which was not possible. The client/secret authentication that I used based on the suggestions in this CSOM guide by Microsoft prevented the App registration to be whitelisted from the CA policies (Github issue).
基于此,我必须按照此处的建议将身份验证更改为基于证书的身份验证:带有证书的访问令牌请求 和这里:SO 答案.有了这个,我能够在 CA 策略中将应用注册列入白名单,并成功通过 Sharepoint CSOM 进行身份验证.
Based on this I had to change the authentication to a Certificate-based authentication as suggested here: Access token request with a certificate and here: SO answer. With this I was able to whitelist the App registration in the CA policies and successfully authenticate to the Sharepoint CSOM.
这篇关于从已发布的 Azure 函数发布请求时阻止了令牌访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!