我在为我的网站实现 Azure AD SSO 时遇到问题。
Azure AD 配置使用证书而不是 key 。一切看起来都正常,但是 https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token 返回一个仅包含应用程序信息的承载 token ,我正在尝试获取已登录用户的用户信息。
谁能给我提供一些如何获取用户信息的信息和提示吗?
获取不记名 token 的代码:
public function getAccessToken(){
$link = "https://login.microsoftonline.com/{$this->tenantId}/oauth2/v2.0/token";
$request_headers = array(
'Accept: application/x-www-form-urlencoded'
);
$post_data = array(
"client_id" => $this->clientId,
"grant_type" => "client_credentials",
"client_assertion_type" => "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
"client_assertion" => $this->jwToken,
"scope" => "https://graph.microsoft.com/.default",
"code" => $this->responseCode,
"redirect_uri" => $this->redirectUri,
);
$curlResponse = $this->sendCURLRequest($link, $request_headers, $post_data);
var_export($curlResponse);
}
最佳答案
正如@juunas建议的那样,您应该使用authorization code flow而不是client credentials flow .
现在您已经从 Request an authorization code 获得了代码 ,接下来您需要 Redeem a code for an access token .
POST /{tenant}/oauth2/v2.0/token HTTP/1.1
Host: https://login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
&code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&grant_type=authorization_code
&code_verifier=ThisIsntRandomButItNeedsToBe43CharactersLong
&client_secret=JqQX2PNo9bpM0uEihUPzyrh // NOTE: Only required for web apps. This secret needs to be URL-Encoded.
您使用的是Client credentials flow get token ,其中您不需要代码。
关于php - Azure AD 身份验证问题 - 不记名 token 仅返回应用程序信息,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/67465541/