OAuth 与 O365 的集成失败并出现错误 AADSTS65005
我们有一个网站(基于 php 框架构建),我们为教师/学生提供在线教育工具.我们已经与 google.com 进行了 OAuth 集成,用户可以使用他们的 google 帐户(可以是个人 gmail 帐户或 google 应用程序域的成员)注册"和登录"到我们的网站.
We have a web site (built on a php framework) where we provide online educational tools for teachers/students. We have done an OAuth integration with google.com where users can 'sign up' and 'sign in' to our site using their google accounts (could be a personal gmail account, or a member of a google apps domain).
我们正在尝试与 O365 进行类似的集成,我们的网站可以向 O365 询问用户的电子邮件和名字/姓氏,以便我们可以在我们的网站上为他们创建一个帐户,并在创建帐户后让他们登录.我们在 Azure -> Active Directory 中创建了一个应用程序列表,并生成了客户端 ID 和密码,并将它们插入到 PHP 代码中.OAuth 工作流程此处描述一直有效,直到我尝试并使用对 https://login.windows.net/common/oauth2 的 POST 请求请求访问令牌/令牌.它重定向回我的 redirect_uri
但不是给我验证码,而是在 URL 中给我这些参数:
We are trying to do a similar integration with O365 where our website can ask O365 for user's email and first/last names so we can create an account for them on our site, and once the account is created, log them in. We have created an Application listing in Azure -> Active Directory, and have generated the client ID and secret, and plugged them into out PHP code. The OAuth workflow described here works up until the point where I try and request the access token using a POST request to https://login.windows.net/common/oauth2/token. It redirects back to my redirect_uri
but instead of giving me the auth code, it gives me these params in the URL:
[error] => access_denied
[error_description] => AADSTS65005: The client application has requested access to resource 'https://outlook.office365.com/'. This request has failed because the client has not specified this resource in its requiredResourceAccess list.
Trace ID: xxxxxx
Correlation ID: xxxxxx
Timestamp: 2014-09-29 06:28:25Z
[state] => xxxxxx
我所需要的只是让 O365 给我用户的电子邮件和 f/l 姓名.肯定有我缺少的快速解决方案吗?
All I need is for O365 to give me the user's email and f/l names. Surely there's a quick fix for this that I am missing?
推荐答案
默认情况下,注册的应用程序配置为请求读取用户的个人资料",一旦用户同意,允许应用程序获取用户令牌(ID 令牌,如果使用 OpenID Connect)并在调用 Azure AD 图形 API.受 Azure AD 保护的应用当前必须预先配置它们所需的权限范围(作为应用注册体验的一部分,在对其他应用程序的权限"部分下).在这里,您似乎已将 Outlook.com 指定为您需要代码和访问令牌的资源,但您的应用未配置为允许访问 O365 Outlook.com/Exchange Online.
By default, a registered app is configured to request "Read the user's profile", which once consented to by the user, allows the app to get a user token (id token if using OpenID Connect) and read the signed in user's profile (including their mail address or addresses) when calling the Azure AD Graph API. Apps secured by Azure AD must currently configure the permission scopes they require up front (as part of the app registration experience, under the "Permissions to other applications" section). Here it looks like you've specified Outlook.com as the resource that you'd like a code and access token for, but your app is not configured to allow access to O365 Outlook.com/Exchange Online.
请尝试在 Azure AD 的请求中设置资源 - https://graph.windows.net/.那应该为你工作.然后,您可以将代码交换为访问令牌以调用 Azure AD Graph API.
Please try setting the resource in your request to Azure AD - https://graph.windows.net/. That should work for you. You can then swap the code for an access token to call the Azure AD Graph API.
希望对你有帮助
相关文章