Azure access token generation from Postman for delegated scopes

Question


I wanted to generate an Azure token from Postman for API authorization in my project. I am able to generate a token using the API request below, but I get the error message below when using the generated token in another API request.

> "Authorization denied for this request"

I have referred to the URL below:
https://stackoverflow.com/questions/56954067/azure-access-token-generation-from-postman

The problem is with the generated token. I tried to verify the token on the JWT.io site. As far as I can find, no scope is added to the generated token.

I'm currently using scopes with delegated permission. Please suggest what I should do.

Endpoint#

https://login.microsoftonline.com/:tenant_id/oauth2/token

Params#

tenant_id: As per id generation by Azure.

Header#

Content-Type: application/x-www-form-urlencoded

Body# (Form-data)

grant_type: client_credentials
client_id: As per id generation by Azure.
client_secret: As per id generation by Azure.
resource: Required URL

Response#

{
  "token_type": "Bearer",
  "expires_in": "foo",
  "ext_expires_in": "foo",
  "expires_on": "foo",
  "not_before": "foo",
  "resource": "foo",
  "access_token": foo
}

Answer 1

Score: 2

> Note that: For delegated scopes, you have to generate token using any user Interactive Flow (Authorization code flow/Implicit Flow) and for application scopes make use of client credential flow.

I tried to reproduce the same in my environment and got the same error as below:

[screenshot]

This error usually occurs if the access token doesn't have sufficient permissions to perform the action.

To resolve the error, try the below:

Make sure to add the API permissions based on your requirement:

[screenshot]

Now, generate the auth code by using the endpoint below:

https://login.microsoftonline.com/6c3f1c39-b84c-4188-b49f-ca5e806be058/oauth2/v2.0/authorize?
&client_id=b08f06ad-bb74-487b-976a-f8a512d693e0
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345

[screenshot]

[screenshot]

I generated an access token by using the parameters below:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
grant_type:authorization_code
scope:https://graph.microsoft.com/.default
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret

[screenshot]

When I decoded the token, the scope is displayed like below:

[screenshot]

For example, using the access token generated above, I called the Graph API like below:

https://graph.microsoft.com/v1.0/users

[screenshot]

Hence, if you are exposing an API and adding a scope, it will be delegated. You must make use of user-interactive flows.

[screenshot]

If you want to generate an access token on behalf of a user, then create App Roles and generate the token via the Client Credential flow.

Answer 2

Score: 1

First of all, you had grant_type:client_credentials, so you are using the client credential flow. This flow means the access token is generated on behalf of the application itself, so it doesn't require a user to sign in, and the API permission should be of Application type. Also, Kiron's answer is out of date, because what he showed you used the V1.0 flow, so you have resource:Required URL, but we are now using the V2.0 flow, whose request parameter should be scope: xxxx/.default for the client credential flow.

So first you should follow this section to expose an API. We need to create a role instead of adding a scope. Then you can add the API permission: go to the Azure AD app -> API permissions blade -> Add a permission -> choose My APIs -> the application that exposed the API -> choose Application permissions -> you will see the role you created; add this API permission -> grant admin consent if required. Then you can see something like this, which means the API permission has been added and consented.

[screenshot]

And if you click this API permission, you will see the scope URL, like api://client_id/role_name

[screenshot]

Now, let's go to Postman and send a request like this; the scope must end with /.default. The app exposing the API and the app you use to authenticate can be different, so the values of client_id and client_id_exposing_API can differ when you don't use the same app.

Post: https://login.microsoftonline.com/tenantname.onmicrosoft.com/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

client_id=xxxx
&scope=api://client_id_exposing_API/.default
&client_secret=sampleCredentia1s
&grant_type=client_credentials

[screenshot]

We can decode the generated access token to check whether it contains a roles claim containing the role you created.

[screenshot]

If you use this token but still fail to call your API, then it is another story, and you may need to share how you configured your API application.
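Both answers end with the same debugging step: decode the access token and look at its permission claims. The script below is an added example, not code from the question or either answer, that performs that check offline. It decodes the JWT payload without verifying the signature (adequate for inspection in Postman or on jwt.ms, never for authorization decisions) and classifies the token as delegated (`scp` claim, issued only by user-interactive flows such as authorization code), application (`roles` claim, issued by client credentials against an app that exposes app roles), or neither, which is the asker's symptom. The three sample tokens, the `Data.Read` role name, the `user@contoso.example` principal and the dummy signature are all constructed for the example; the `api://client_id_exposing_API` audience reuses the placeholder from answer 2.

```python
"""Inspect the permission claims of a Microsoft identity platform access token.

Added example (not from the question or either answer). Decodes the JWT payload
WITHOUT verifying the signature: fine for debugging, never for authorization.
"""
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the payload (second segment) of a compact JWT as a dict.

    No signature check is performed: this is a debugging aid only.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def classify_permissions(payload: dict) -> dict:
    """Summarise which kind of permissions a token carries.

    Delegated permissions arrive in 'scp' as a space-separated string;
    application permissions arrive in 'roles' as a list.
    """
    scp = payload.get("scp", "")
    scopes = scp.split() if isinstance(scp, str) else list(scp)
    roles = list(payload.get("roles", []))
    if scopes and roles:
        kind = "mixed"
    elif scopes:
        kind = "delegated"
    elif roles:
        kind = "application"
    else:
        kind = "none"
    return {
        "kind": kind,
        "scopes": scopes,
        "roles": roles,
        "audience": payload.get("aud"),
        "expired": payload.get("exp", 0) < time.time(),
    }


def explain(token: str) -> str:
    """One-line diagnosis in the terms the two answers use."""
    info = classify_permissions(decode_jwt_payload(token))
    if info["expired"]:
        return "token is expired; request a new one before testing further"
    if info["kind"] == "delegated":
        return f"delegated token for {info['audience']}: scp={info['scopes']}"
    if info["kind"] == "application":
        return f"application token for {info['audience']}: roles={info['roles']}"
    if info["kind"] == "mixed":
        return f"token carries both scp={info['scopes']} and roles={info['roles']}"
    return (
        f"token for {info['audience']} has neither 'scp' nor 'roles'; an API that "
        "checks permissions will deny it. Delegated scopes need a user-interactive "
        "flow; with client credentials, expose an app role and grant the "
        "Application permission instead."
    )


def _constructed_token(payload: dict) -> str:
    """Build a sample compact JWT with a dummy signature (constructed test data)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
    return f"{enc(header)}.{enc(payload)}.c2lnbmF0dXJl"  # dummy signature


# Constructed sample tokens; expiry fixed far in the future so the examples
# stay stable. Audience, role and user names are placeholders.
FAR_FUTURE = 4102444800  # 2100-01-01T00:00:00Z
DELEGATED_TOKEN = _constructed_token(
    {"aud": "https://graph.microsoft.com", "exp": FAR_FUTURE,
     "scp": "User.Read profile openid", "upn": "user@contoso.example"}
)
APPLICATION_TOKEN = _constructed_token(
    {"aud": "api://client_id_exposing_API", "exp": FAR_FUTURE, "roles": ["Data.Read"]}
)
# The asker's situation: client credentials against an app that only exposes
# delegated scopes yields a token with no permission claims at all.
NO_PERMISSION_TOKEN = _constructed_token(
    {"aud": "api://client_id_exposing_API", "exp": FAR_FUTURE}
)

if __name__ == "__main__":
    for name, tok in [("delegated", DELEGATED_TOKEN),
                      ("application", APPLICATION_TOKEN),
                      ("none", NO_PERMISSION_TOKEN)]:
        print(f"{name:>11}: {explain(tok)}")
```

Paste a real token from the Postman response in place of the constructed ones to see which case applies; a token whose `kind` is `none` will never pass an API that checks `scp` or `roles`, regardless of which permissions look granted in the portal.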

huangapple
  • Published on 2023-04-19 22:01:55
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76055443.html