从Postman生成Azure的委派范围访问令牌

huangapple go评论58阅读模式
英文:

Azure access token generation from Postman for delegated scopes

问题

I wanted to generate Azure token from Postman for API authorization in my project. I am able to generate token using below API request but getting the below error message while using the generated token in another API request.

> "Authorization denied for this request"

I have referred the below URL:
https://stackoverflow.com/questions/56954067/azure-access-token-generation-from-postman

The problem is with the generated token. I tried to verify token on the JWT.io site. As per find we are not getting any scope added in the generated token.

I'm currently Scopes with delegated permission. Please suggest what should I do?

Endpoint#

 https://login.microsoftonline.com/:tenant_id/oauth2/token

Params#

tenant_id: 根据 Azure 生成的 id。

Header#

Content-Type: application/x-www-form-urlencoded

Body# (Form-data)

grant_type: client_credentials
client_id: 根据 Azure 生成的 id。
client_secret: 根据 Azure 生成的 id。
resource: 必需的 URL

Response#

"token_type": "Bearer",
"expires_in": "foo",
"ext_expires_in": "foo",
"expires_on": "foo",
"not_before": "foo",
"resource": "foo",
"access_token": foo
英文:

I wanted to generate Azure token from Postman for API authorization in my project. I am able to generate token using below API request but getting the below error message while using the generated token in another API request.

> "Authorization denied for this request"

I have referred the below URL:
https://stackoverflow.com/questions/56954067/azure-access-token-generation-from-postman

The problem is with the generated token. I tried to verify token on the JWT.io site. As per find we are not getting any scope added in the generated token.

I'm currently Scopes with delegated permission. Please suggest what should I do?

Endpoint#

 https://login.microsoftonline.com/:tenant_id/oauth2/token

Params#

tenant_id:As per id generation by azure.

Header#

Content-Type: application/x-www-form-urlencoded

Body# (Form-data)

grant_type:client_credentials
client_id:As per id generation by azure.
client_secret:As per id generation by azure.
resource:Required URL

Response#

"token_type": "Bearer",
"expires_in": "foo",
"ext_expires_in": "foo",
"expires_on": "foo",
"not_before": "foo",
"resource": "foo",
"access_token":foo

答案1

得分: 2

> 注意:对于委派范围,您必须使用任何用户交互式流程(授权码流/隐式流程)生成令牌,而对于应用程序范围,请使用客户端凭据流程。

我在我的环境中尝试重现相同的情况,并收到了下面的错误:

从Postman生成Azure的委派范围访问令牌

通常情况下,如果访问令牌没有足够的权限来执行操作,就会出现此错误。

要解决此错误,请尝试以下操作:

确保根据您的需求添加API权限

从Postman生成Azure的委派范围访问令牌

现在,通过以下端点生成授权码

https://login.microsoftonline.com/6c3f1c39-b84c-4188-b49f-ca5e806be058/oauth2/v2.0/authorize?
&client_id=b08f06ad-bb74-487b-976a-f8a512d693e0
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345

从Postman生成Azure的委派范围访问令牌

从Postman生成Azure的委派范围访问令牌

我使用以下参数生成了访问令牌

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
grant_type:authorization_code
scope:https://graph.microsoft.com/.default
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret

从Postman生成Azure的委派范围访问令牌

当我解码令牌时,范围显示如下:

从Postman生成Azure的委派范围访问令牌

对于示例,使用上述生成的访问令牌,我调用了Graph API,如下所示:

https://graph.microsoft.com/v1.0/users 

从Postman生成Azure的委派范围访问令牌

因此,如果您正在公开API并添加范围,它将是委派的。您必须使用用户交互流程。

从Postman生成Azure的委派范围访问令牌

如果您想代表用户生成访问令牌,然后创建应用程序角色并通过客户端凭据流程生成令牌。

英文:

> Note that: For delegated scopes, you have to generate token using any user Interactive Flow (Authorization code flow/Implicit Flow) and for application scopes make use of client credential flow.

I tried to reproduce the same in my environment and got the same error as below:

从Postman生成Azure的委派范围访问令牌

To error usually occurs if the access token doesn't have sufficient permissions to perform the action.

To resolve the error, try the below:

Make sure to add the API permissions based on your requirement:

从Postman生成Azure的委派范围访问令牌

Now, Generate the auth-code by using below endpoint:

https://login.microsoftonline.com/6c3f1c39-b84c-4188-b49f-ca5e806be058/oauth2/v2.0/authorize?
&client_id=b08f06ad-bb74-487b-976a-f8a512d693e0
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345

从Postman生成Azure的委派范围访问令牌

从Postman生成Azure的委派范围访问令牌

I generated access token by using below parameters:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
grant_type:authorization_code
scope:https://graph.microsoft.com/.default
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret

从Postman生成Azure的委派范围访问令牌

When I decoded the token, the scope is displayed like below:

从Postman生成Azure的委派范围访问令牌

For sample, by using the above generated access token I called the Graph API like below:

https://graph.microsoft.com/v1.0/users 

从Postman生成Azure的委派范围访问令牌

Hence, if you are exposing an API and adding the scope it will be delegated. You must make use of User Interaction Flows.

从Postman生成Azure的委派范围访问令牌

If you want to generate access token on behalf of user then create App Roles and generate token via Client Credential flow.

答案2

得分: 1

首先,你使用了grant_type:client_credentials,所以你正在使用客户端凭据流。这个流程意味着访问令牌将代表应用程序本身生成,因此不需要用户登录,并且API权限应该是Application类型的。而且,Kiron的回答已经过时,因为他展示的是V1.0流程,所以你有resource:Required URL,但我们现在使用的是V2.0流程,客户端凭据流的请求参数应该是scope: xxxx/.default

首先,你应该按照这个部分的步骤来暴露一个API。我们需要创建一个角色而不是添加一个作用域。然后,你可以添加API权限,进入Azure AD应用程序 -> API权限 -> 添加API权限 -> 选择我的API -> 你暴露的API应用程序 -> 选择应用程序权限 -> 你将看到你创建的角色并添加此API权限 -> 如果需要,授予管理员同意。然后你可以看到像这样的情况,这意味着API已经添加并且已经同意。

从Postman生成Azure的委派范围访问令牌

如果你点击这个API权限,你将看到作用域URL,例如api://client_id/role_name

从Postman生成Azure的委派范围访问令牌

现在,让我们去Postman发送这样的请求,作用域必须以/.default结尾。暴露API的应用程序和用于获取身份验证的API可以不同,因此当你不使用相同的应用程序时,client_idclient_id_exposing_API的值可以不同。

Post: https://login.microsoftonline.com/tenantname.onmicrosoft.com/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

client_id=xxxx
&scope=api://client_id_exposing_API/.default
&client_secret=sampleCredentia1s
&grant_type=client_credentials

从Postman生成Azure的委派范围访问令牌

我们可以解码生成的访问令牌,以检查它是否包含了包含你创建的角色的roles声明。

从Postman生成Azure的委派范围访问令牌

当使用这个令牌但仍然无法调用你的API时,那就应该是另一种情况了,你可能需要分享一下你如何配置你的API应用程序。

英文:

First of all, you had grant_type:client_credentials so you are using client credential flow. This flow means the access token would be generated on behalf of the application itself so it doesn't require a user to sign in, and the api permission should be Application type. And Kiron's answer is out of date because what he showed you used V1.0 flow so you have resource:Required URL, but we are now using V2.0 flow which request parameter should be scope: xxxx/.default for client credential flow.

So first you should follow this section to expose an API. We need to create a role instead of add a scope. Then you can go to add API permission, going to the Azure AD app -> API permission blade -> add api permission -> choose My APIs -> the application you exposed API -> choose Application permissions -> you will see the role you created and add this API permission -> grant admin consent if you required. Then you can see like this which means the API already added and consented.

从Postman生成Azure的委派范围访问令牌

And if you click this api permission, you will see the scope url like api://client_id/role_name

从Postman生成Azure的委派范围访问令牌

Now, let's go to postman to send request like this, the scope must be ended with /.default. The app exposing API and the API you used to get authentication can be different, so the value of client_id and client_id_exposing_API can be different when you don't use the same APP.

Post: https://login.microsoftonline.com/tenantname.onmicrosoft.com/oauth2/v2.0/token 
Content-Type: application/x-www-form-urlencoded

client_id=xxxx
&scope=api://client_id_exposing_API/.default
&client_secret=sampleCredentia1s
&grant_type=client_credentials

从Postman生成Azure的委派范围访问令牌

We can decode the generated access token to check if it contained roles claim which containing the role you created.

从Postman生成Azure的委派范围访问令牌

When using this token but still failed to call your API, then it should be another story and you may need to share how you configure your API application.

huangapple
  • 本文由 发表于 2023年4月19日 22:01:55
  • 转载请务必保留本文链接:https://go.coder-hub.com/76055443.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定