Why can scopes for AuthorizationCodeRequest and AuthorizationCodeUrlRequest be different even though the docs say otherwise?
Question
I'm just starting to explore the MS identity platform and came across this example repo for a node web app. In it, under App > routes > auth.js, the `/aquireToken` route sets the `authCodeUrlRequestParams` and `authCodeRequestParams`. This includes the scopes for the request, done in the `redirectToAuthCodeUrl()` function.

I wondered about how these two parameter objects work and came across this page where it says:

> Ensure that values for redirectUri and scopes in AuthorizationCodeUrlRequest and AuthorizationCodeRequest are the same

Naturally, I tried this without the same scopes and noticed that it still works. When adding another scope to the `authCodeUrlRequestParams` object of the `/aquireToken` route (e.g. Calendars.Read) but not to `authCodeRequestParams`, the app still works and I get access to the data protected by this scope. When switching the scopes, the request fails (which makes sense, as the auth URL doesn't include the missing scope).

But why does it work when the scopes are included in the auth URL but not in the request object?
Answer 1
Score: 1
As we know, `authCodeUrlRequestParams` is used to generate an auth code, and we can use the auth code to generate an access token using the AAD auth code flow.

I did a test before; as you can see, `Files.ReadWrite.All` is a scope which doesn't require admin consent.

So after adding this API permission without admin consent, when I didn't add this scope when generating the auth code but added it when generating the access token, it gave me an error.

But if I added `Files.ReadWrite.All` when generating the auth code, since this scope doesn't have admin consent, I would see a user consent popup after I signed in with my account, which let me consent to this app having some permissions. I consented to the permissions and got an auth code, and then using this code I could get an access token containing `Files.ReadWrite.All` in the `scp` claim.

By the way, in the screenshot above, you can see I only set `User.Read` in the request, but the scopes I get are far more than a single `User.Read`; the other scopes are from the auth code. I set the scopes `profile email openid offline_access` for generating the auth code.

So my opinion is: we have to include a scope which doesn't require admin consent and hasn't got admin consent, but which we require, in `authCodeUrlRequestParams`, so that we can give user consent for this scope, and then we can use the code to generate an access token containing this scope even if we don't set it in `authCodeRequestParams`.

If the scope we require has already got admin consent, no matter whether it requires admin consent or not, we don't need to add it in `authCodeUrlRequestParams` and only need to add it in `authCodeRequestParams`, and we can get the correct access token. In the screenshot below, `Group.Read.All` has got admin consent.

These are all based on my test.
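As an added example (not code from the question, the answer, or the MS sample repo), here is one way to keep the two request objects from drifting apart, as the docs advise, and to check a returned token's `scp` claim against the scopes the app actually needs rather than assuming every requested scope was granted. The redirect URI is an assumed value and the JWT is a constructed, unsigned sample used only for offline parsing; in a real app the token comes back from MSAL's acquireTokenByCode().

```javascript
// Added example: share one scope list between the auth-code URL request and
// the token request, then verify the granted scopes (`scp`) after redemption.
const REDIRECT_URI = "http://localhost:3000/redirect"; // assumed value

// Build both request objects from ONE scope list (OIDC scopes plus the Graph
// permissions the app needs), so authCodeUrlRequest and authCodeRequest
// always carry identical redirectUri and scopes values.
function buildAuthRequests(requiredScopes, state) {
  const scopes = [...new Set(["openid", "profile", "offline_access", ...requiredScopes])];
  const authCodeUrlRequest = { redirectUri: REDIRECT_URI, scopes, state };
  // Same array reference: the code request cannot drift from the URL request.
  const authCodeRequest = { redirectUri: REDIRECT_URI, scopes, state, code: null };
  return { authCodeUrlRequest, authCodeRequest };
}

// Decode the JWT payload only (no signature check): this inspects which scopes
// the client was granted; the resource server is what validates the token.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWS compact token");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Return the required scopes that are absent from the token's space-separated
// `scp` claim; an empty array means the token covers everything the app needs.
function missingScopes(accessToken, requiredScopes) {
  const scp = decodeJwtPayload(accessToken).scp || "";
  const granted = new Set(scp.split(" ").filter(Boolean));
  return requiredScopes.filter((s) => !granted.has(s));
}

// Constructed sample token (unsigned, dummy signature segment) for offline use.
function sampleToken(scp) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc({ aud: "graph", scp })}.sig`;
}
```

With a token whose `scp` lacks Calendars.Read, `missingScopes` reports that scope, which is the point at which an app should re-prompt for consent instead of letting the Graph call fail later.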
Comments