我已在 Azure AD 中创建了一个 Multi-Tenancy 应用程序 当我尝试获取访问 token 并 checkin jwt.io 时,我发现 scp (范围)丢失。
//string authority = "https://login.microsoftonline.com/{0}/common/oauth2/v2.0/token?&response_type=code&scope=openid%20profile%20User.ReadWrite%20User.ReadBasic.All%20Sites.ReadWrite.All%20Contacts.ReadWrite%20People.Read%20Notes.ReadWrite.All%20Tasks.ReadWrite%20Mail.ReadWrite%20Files.ReadWrite.All%20Calendars.ReadWrite";
//string authority = "https://login.microsoftonline.com/{0}/common/oauth2/v2.0/token?&scope=https://graph.windows.net/directory.read%20https://graph.windows.net/directory.write";
//string authority = "https://login.microsoftonline.com/{0}/common/oauth2/v2.0/token";
//string authority = "https://login.microsoftonline.com/{0}";
//string authority = "https://login.microsoftonline.com/{0}/common/oauth2/v2.0/token?&response_type=code&scope=openid%20profile%20User.Read%20User.ReadWrite%20User.ReadBasic.All";
//string authority = "https://login.microsoftonline.com/{0}/oauth2/token?scope=User.ReadBasic.All";
//string authority = "https://login.microsoftonline.com/{0}/oauth2/token?scope=User.ReadBasic.All";
string authority = "https://login.microsoftonline.com/common/oauth2/v2.0/token?response_type=token&scope=User.ReadBasic.All";
我尝试了多种权威 URL 组合
string graphResourceId = "https://graph.microsoft.com";
string clientId = "XXXX";
string secret = "XXXX";
authority = String.Format(authority, tenantId);
AuthenticationContext authContext = new AuthenticationContext(authority);
var accessToken = authContext.AcquireTokenAsync(graphResourceId, new ClientCredential(clientId, secret)).Result;
如何获取 microsoft.graph 资源的范围?
最佳答案
如果是委托(delegate)权限,则在运行时作为客户端访问 token 中的“scp”声明提供给资源。
但是您正在使用应用程序权限,该权限使用客户端应用程序的凭据/身份指定基于角色的访问,在运行时以“角色”的形式呈现给资源"客户端访问 token 中的声明。
"Delegated" permissions, which specify scope-based access using delegated authorization from the signed-in resource owner, are presented to the resource at run-time as "scp" claims in the client's access token.
Application permissions, which specify role-based access using the client application's credentials/identity, are presented to the resource at run-time as "roles" claims in the client's access token.
How to get scope of microsoft.graph resource?
我们可以从这个link得到答案.
Permission requests are configured on the "Applications" / "Settings" tab in the Azure portal, under "Required Permissions", by selecting the desired "Delegated Permissions" and "Application Permissions" (the latter requires membership in the Global Admin role). Because a public client can't securely maintain credentials, it can only request delegated permissions, while a confidential client has the ability to request both delegated and application permissions. The client's application object stores the declared permissions in its requiredResourceAccess property.
关于c# - 未找到范围 (scp) 中的 Azure AD 访问 token ,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/52697767/