Azure AD OAuth2 Access Token Request Error - 400 Bad Request

This page covers an Azure AD OAuth2 access token request that fails with 400 Bad Request and how the problem was resolved; it may be a useful reference for anyone hitting the same error.

Problem description


My WPF desktop application (C#) is attempting to read the user's Outlook emails through the Microsoft Graph API. I am stuck in the authentication process; I've already received an authentication code and now I'm trying to get an access token from Azure but keep getting an HTTP 400 error code when sending out the request for the access token:

using System;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Text;

/**** Auth Code Retrieval ****/
// "common" is the tenant segment of the v1 endpoint; the answer below replaces it with the tenant id
string authCodeUrl = "https://login.microsoftonline.com/common/oauth2/authorize";
authCodeUrl += "?client_id=" + clientId;
authCodeUrl += "&redirect_uri=" + Uri.EscapeDataString(redirectUri);
authCodeUrl += "&response_type=code";
authCodeUrl += "&resource=https%3A%2F%2Fgraph.microsoft.com%2F";
Process.Start(authCodeUrl); // User logs in, we get the auth code after login
string code = "......"; // Hidden for this post

/**** Access Token Retrieval ****/
string tokenUrl = "https://login.microsoftonline.com/common/oauth2/token";
string content = "grant_type=authorization_code";
content += "&client_id=" + clientId;
content += "&resource=https%3A%2F%2Fgraph.microsoft.com%2F";
content += "&code=" + Uri.EscapeDataString(code);           // form values must be URL-encoded
content += "&redirect_uri=" + Uri.EscapeDataString(redirectUri);
WebRequest request = WebRequest.Create(tokenUrl);
request.ContentType = "application/x-www-form-urlencoded";
byte[] data = Encoding.UTF8.GetBytes(content);
request.ContentLength = data.Length;
request.Method = "POST";
try
{
  using (Stream stream = request.GetRequestStream())
  {
    stream.Write(data, 0, data.Length);
  }
  WebResponse response = request.GetResponse(); // This throws exception
}
catch (Exception error) // This catches the exception
{
  // Only the status text is printed; the JSON body with error/error_description
  // is available on ((WebException)error).Response
  Console.WriteLine(error.Message); // Outputs 400, bad request
}

The above is the code used to retrieve the auth code followed by the attempt to retrieve the access token. We do not have a client_secret because secrets are only for Web applications and this is a native desktop WPF application. I have read that this isn't an issue though. I have followed many tutorials and official docs online, mainly the official Graph authorization doc and I still cannot figure out what I am doing wrong. Any help would be greatly appreciated, thank you.

Solution

I used fiddler to debug the request and I found the full error message: The user or administrator has not consented to use the application. I googled this message for a bit and found some stack articles and github issue threads that led me to the solution: my request had been using "common", in the base URL, as the tenant ID when actually I needed to use my Azure tenant ID which I acquired through this answer on stack. My new base URL for the authentication requests now looks like:

https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/authorize

where "xxxx-....xxx" would be replaced by your Azure tenant id!
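The tenant-specific endpoints from the answer, with the token request made through HttpClient and the 400 response body read so that the error and error_description fields (the consent message the asker only saw in Fiddler) are available without a debugging proxy. This is an added example, not code from the question or the answer: the tenant id, client id, redirect URI, state value and the sample error body are placeholders or constructed values, and it assumes System.Text.Json is available (built into .NET Core 3.0+ and .NET 5+, a NuGet package on .NET Framework).

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;

// Added example: Azure AD v1 authorization-code flow against a tenant-specific
// endpoint, plus a reader for the JSON error body that a 400 carries.
public static class AzureAdAuthCodeFlow
{
    private const string Authority = "https://login.microsoftonline.com/";
    private const string GraphResource = "https://graph.microsoft.com/";

    // Step 1: URL to open in the browser. tenantId replaces "common" (the fix
    // from the answer). state is a random per-request value the app checks on
    // return so a redirect it did not start cannot be spliced in.
    public static string BuildAuthorizeUrl(string tenantId, string clientId, string redirectUri, string state)
    {
        return Authority + Uri.EscapeDataString(tenantId) + "/oauth2/authorize"
            + "?client_id=" + Uri.EscapeDataString(clientId)
            + "&response_type=code"
            + "&redirect_uri=" + Uri.EscapeDataString(redirectUri)
            + "&resource=" + Uri.EscapeDataString(GraphResource)
            + "&state=" + Uri.EscapeDataString(state);
    }

    // Step 2: redeem the code. FormUrlEncodedContent does the encoding, so the
    // code and redirect URI are not concatenated raw. On a non-2xx response the
    // body is read and surfaced instead of a bare "400 Bad Request".
    public static async Task<Dictionary<string, string>> RedeemCodeAsync(
        HttpClient http, string tenantId, string clientId, string redirectUri, string code)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "authorization_code",
            ["client_id"] = clientId,
            ["code"] = code,
            ["redirect_uri"] = redirectUri,
            ["resource"] = GraphResource,
        });
        string tokenUrl = Authority + Uri.EscapeDataString(tenantId) + "/oauth2/token";
        using (HttpResponseMessage response = await http.PostAsync(tokenUrl, form))
        {
            string body = await response.Content.ReadAsStringAsync();
            if (!response.IsSuccessStatusCode)
                throw new InvalidOperationException(DescribeError((int)response.StatusCode, body));
            return ParseFlat(body);
        }
    }

    // Pull "error" and "error_description" out of the JSON error body; fall back
    // to the raw body if it is not JSON.
    public static string DescribeError(int status, string body)
    {
        try
        {
            using (JsonDocument doc = JsonDocument.Parse(body))
            {
                JsonElement root = doc.RootElement;
                string error = root.TryGetProperty("error", out JsonElement e) ? e.GetString() : "unknown";
                string desc = root.TryGetProperty("error_description", out JsonElement d) ? d.GetString() : "";
                return $"HTTP {status}: {error}: {desc}";
            }
        }
        catch (JsonException)
        {
            return $"HTTP {status}: {body}";
        }
    }

    // Flatten the token response (access_token, refresh_token, expires_in, ...)
    // into a dictionary; values are kept in memory only, never written to a log.
    private static Dictionary<string, string> ParseFlat(string json)
    {
        var result = new Dictionary<string, string>();
        using (JsonDocument doc = JsonDocument.Parse(json))
            foreach (JsonProperty p in doc.RootElement.EnumerateObject())
                result[p.Name] = p.Value.ValueKind == JsonValueKind.String ? p.Value.GetString() : p.Value.GetRawText();
        return result;
    }

    public static void Main()
    {
        // Placeholder values; use your own tenant id, client id and redirect URI.
        Console.WriteLine(BuildAuthorizeUrl("00000000-0000-0000-0000-000000000000",
            "<client-id>", "myapp://auth", "random-state-value"));
        // Constructed sample body in the shape Azure AD returns on a 400; the
        // description is the message quoted in the answer above.
        string sample = "{\"error\":\"invalid_grant\",\"error_description\":"
            + "\"The user or administrator has not consented to use the application.\"}";
        Console.WriteLine(DescribeError(400, sample));
    }
}
```

Open the URL from BuildAuthorizeUrl in the browser, confirm the state on the redirect matches the one you sent, then pass the code to RedeemCodeAsync. These are the v1 endpoints the question uses (resource parameter); the v2 endpoints under /oauth2/v2.0/ take a scope parameter instead. Reading the error body this way is usually enough to tell a consent problem (as here) from a bad redirect URI or an expired code without reaching for a proxy.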


07-30 13:08