英文:
How to implement authorization_code grant flow in golang to login to Azure AD
问题
我想在Golang中为一个应用程序实现授权授予流程。
然后,该应用程序将读取用户有权限访问的(委派的)Azure资源。
我已经查看了GitHub和其他地方的几十个示例,但它们要么不完整,要么没有按预期弹出登录提示。
我正在寻找一个使用纯粹的REST(最好)的示例。
如果没有,可以使用adal/msal、"golang.org/x/oauth2/microsoft"或任何其他方法。
还需要从请求中获取访问令牌,因为Azure的Go SDK并不覆盖所有资源,我想使用访问令牌进行REST调用。
非常感谢提供一个可行的代码示例。
注意:我可以成功使用其他方法(如客户端凭据)登录。问题只在于使授权代码流程正常工作。
谢谢。
英文:
I would like to implement authorization grant flow for an application in golang.
The app will then read (delegated) azure resources the user has access to.
Already combed through several dozens of samples in github and everywhere else, but they are either incomplete or doesn't bring up the login prompt as expected.
I am looking for a sample that uses purely REST (preferable).
If not, using adal/msal, "golang.org/x/oauth2/microsoft" or any other method.
Also need to get an access token from the request as the Go sdk for Azure doesnt cover all resources and I'd like to use the access token to make REST calls.
Any pointers to working code sample would be highly appreciated.
Note: I can successfully login with other methods like client credentials. Issue is only getting auth code flow to work.
Thank you.
答案1
得分: 1
感谢您的联系。正如您所指出的,Azure SDK for Go目前尚不支持授权码流程。您可以按照以下步骤使用授权码流程:
- 通过将用户重定向到
/authorize
端点并确保添加offline_access
范围来请求授权码。如果成功,授权端点将返回授权码。
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
&state={state}
&code_challenge={code_challenge}
&code_challenge_method=S256
- 使用client_secret或证书凭据将授权码兑换为访问令牌。如果成功,令牌响应将包括一个
access_token
和一个refresh_token
,用于在当前令牌过期后获取访问令牌。
POST /{tenant}/oauth2/v2.0/token HTTP/1.1
Host: https://login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
&code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&grant_type=authorization_code
&code_verifier=ThisIsntRandomButItNeedsToBe43CharactersLong
&client_secret={client_secret} // 注意:仅适用于Web应用程序。此密钥需要进行URL编码。
- 使用访问令牌进行请求,例如获取已登录用户的消息:
GET /v1.0/me/messages
Host: https://graph.microsoft.com
Authorization: Bearer {access_token}
- 通过向
/token
端点提交另一个POST请求来刷新访问令牌,这次提供refresh_token
:
POST /{tenant}/oauth2/v2.0/token HTTP/1.1
Host: https://login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=535fb089-9ff3-47b6-9bfb-4f1264799865
&scope=https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
&refresh_token={refresh_token}
&grant_type=refresh_token
&client_secret={sampleCredentials} // 注意:仅适用于Web应用程序。此密钥需要进行URL编码。
请参阅此处的其他文档,了解有关错误处理和刷新令牌的更多信息:授权码流程
如果有进一步的问题,请告诉我是否有所帮助。
英文:
Thank you for reaching out. As you have noted, the Azure SDK for Go does not yet support the authorization code flow. You should be able to use the authorization code flow by following these steps:
- Request an authorization code by directing the user to the
/authorize
endpoint making sure to add theoffline_access
scope. If successful, the authorize endpoint returns the authorization code.
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
&state={state}
&code_challenge={code_challenge}
&code_challenge_method=S256
- Redeem the authorization code for an access token using either a client_secret or a certificate credential. If successful, the token response will include an
access_token
and arefresh_token
which is used to fetch access tokens after the current one expires.
POST /{tenant}/oauth2/v2.0/token HTTP/1.1
Host: https://login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
&code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&grant_type=authorization_code
&code_verifier=ThisIsntRandomButItNeedsToBe43CharactersLong
&client_secret={client_secret} // NOTE: Only required for web apps. This secret needs to be URL-Encoded.
- Use the access token to make requests such as getting the signed-in user's messages:
GET /v1.0/me/messages
Host: https://graph.microsoft.com
Authorization: Bearer {access_token}
- Refresh the access token by submitting another POST request to the
/token
endpoint, this time providing therefresh_token
:
POST /{tenant}/oauth2/v2.0/token HTTP/1.1
Host: https://login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=535fb089-9ff3-47b6-9bfb-4f1264799865
&scope=https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
&refresh_token={refresh_token}
&grant_type=refresh_token
&client_secret={sampleCredentials} // NOTE: Only required for web apps. This secret needs to be URL-Encoded
Please see additional documentation here to learn more about error handling and refreshing the token: authorization code flow
Let me know whether this helps and if you have further questions.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论