问题描述
在此处遵循指南:。
我正在尝试向访问令牌,
I'm trying to make a post request to access a token,
HTTP POST:
url:
HTTP POST:url: https://login.microsoftonline.com/[az-directory].onmicrosoft.com/oauth2/v2.0/token?p=B2C_1_SiUpIn
帖子正文:
grant_type:授权代码
grant_type: authorization_code
作用域: openid offline_access
scope: https://[url-to-azure-app-api-endpoint] openid offline_access
代码:[从登录网址中检索到的代码]
code: [code retrieved from login url]
redirect_u ri:
redirect_uri: http://[redirect-uri-used-in-login]
client_secret:[天蓝色函数中的秘密客户端ID]
client_secret: [secret client id in azure functions]
我的回答是:
{
id_token:...
token_type:...
not_before:...
id_token_expires_in:...
profile_info:...
refresh_token:....
refresh_token_expires_in:...
}
尽管链接说这就是我想要的,但请求正文都不是access_token。
None of the request body is an access_token despite the link saying that's what I would get.
我不确定如何从此处继续,是否可能会丢失我的Azure AD B2C应用程序与功能性应用程序之间的某种许可?
I'm not sure how to proceed from here, is it possible I'm missing some sort of permission between my Azure AD B2C app and the Functions App it's meant to secure?
编辑::经进一步调查,我发现以下内容:
edit: upon further investigation I found the following:
您使用的登录网址会影响生成的结果您可以做的代码令牌(有意义),我正在尝试类似的方法:
The login url you use affects what the resulting code token you get can do (makes sense), I'm trying something like:
如果我发出发布请求,则显示结果代码
With the resulting code if I make a post request to the token endoint as described above I get a refresh token and an ID token.
但是,我还发现我不需要发送所有的post参数。链接,我只通过传递grant_type,代码和client_secret就可以了。由于登录调用似乎实际上控制了使用授权代码可以访问的内容的范围,因此它返回了这种说法,但我不确定为什么上面的链接说明您需要传递client_id,scope和redirect_uri。
However I also found that I don't need to send all the post parameters per the link, I get away with just passing grant_type, code and client_secret. Since the login call seems to actually control the scope of what you can access with the authorization code it returns this sort of makes sense but I'm not sure why the link above says you need to pass client_id, scope and redirect_uri.
我可以使用此发帖请求中的id令牌作为授权承载令牌传递到我的azure函数应用中,也可以使用refresh令牌调用refresh令牌端点进行刷新我可以从结果中获取并继续在我的azure函数应用程序中使用的id令牌。
I can use the id token from this post request as an authorization bearer token to pass into my azure functions app and I can use the refresh token to call into the refresh token endpoint to refresh the id token which I can grab from the result and continue to use in my azure functions app.
所以我的问题变成了:这可以接受吗?为什么我的发现与上面的链接应该说的有很大不同?
So my question becomes: Is this acceptable? Why are my findings so much different to what the link above says should be possible? Do I need an access token at all anymore?
推荐答案
关于问题的第一部分:
如果不使用策略,我个人可以连接到Azure AD,甚至可以连接到Azure B2C。但是,如果我使用策略,则不会获得access_token。
Personally I can connect to Azure AD and I can even connect to Azure B2C if I do not use a policy. But if I use a policy then I do not get the access_token.
根据,我们可以使用以便连接到天蓝色。
According to the azure b2c documentation, we can use the openid connect protocol in order to connect to azure.
,然后在是规范的一部分:
And in the successfull token response part of specification it's said :
所以我认为您不是遗漏了一些东西,但从我的角度来看,因为Azure B2C响应中没有acccess_token,我们可以说Azure B2C不符合openid连接。
,我认为应该可以使用工作环境在 openid作用域中添加特定作用域,以便像azure文档所建议的那样具有access_token:
Now, I think that it should be possible to use a work arround in adding a specific scope to the "openid" scope in order to have an access_token like it's suggested by the azure documentation :
:
:
这篇关于调用/ token端点不会给我access_token的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!