OAuth 与 O365 的集成失败,错误为 AADSTS65005

我们有一个网站(建立在 php 框架上),我们为教师/学生提供在线教育工具.我们已经与 google.com 进行了 OAuth 集成,用户可以使用他们的 google 帐户(可以是个人 gmail 帐户或谷歌应用程序域的成员)注册"和登录"到我们的网站.

We have a web site (built on a php framework) where we provide online educational tools for teachers/students. We have done an OAuth integration with google.com where users can 'sign up' and 'sign in' to our site using their google accounts (could be a personal gmail account, or a member of a google apps domain).

我们正在尝试与 O365 进行类似的集成,我们的网站可以向 O365 询问用户的电子邮件和名字/姓氏,以便我们可以在我们的网站上为他们创建一个帐户,创建帐户后,让他们登录.我们在 Azure -> Active Directory 中创建了一个应用程序列表,并生成了客户端 ID 和密码,并将它们插入到 PHP 代码中.OAuth 工作流程此处描述一直有效,直到我尝试并使用 POST 请求向 https://login.windows.net/common/oauth2 请求访问令牌/令牌.它重定向回我的 redirect_uri 但它没有给我授权码,而是在 URL 中给我这些参数:

We are trying to do a similar integration with O365 where our website can ask O365 for user's email and first/last names so we can create an account for them on our site, and once the account is created, log them in. We have created an Application listing in Azure -> Active Directory, and have generated the client ID and secret, and plugged them into out PHP code. The OAuth workflow described here works up until the point where I try and request the access token using a POST request to https://login.windows.net/common/oauth2/token. It redirects back to my redirect_uri but instead of giving me the auth code, it gives me these params in the URL:

[error] => access_denied
[error_description] => AADSTS65005: The client application has requested access to resource 'https://outlook.office365.com/'. This request has failed because the client has not specified this resource in its requiredResourceAccess list.
Trace ID: xxxxxx
Correlation ID: xxxxxx
Timestamp: 2014-09-29 06:28:25Z
[state] => xxxxxx

我只需要 O365 给我用户的电子邮件和 f/l 名称.肯定有一个快速解决方案,我错过了吗?

All I need is for O365 to give me the user's email and f/l names. Surely there's a quick fix for this that I am missing?

推荐答案

默认情况下,已注册的应用程序配置为请求读取用户的个人资料",一旦用户同意,该应用程序就可以获取用户令牌(如果使用 OpenID Connect,则为 id 令牌)并在调用 Azure AD 图形 API.受 Azure AD 保护的应用程序当前必须预先配置它们所需的权限范围(作为应用程序注册体验的一部分,在其他应用程序的权限"部分下).在这里,您似乎已将 Outlook.com 指定为需要代码和访问令牌的资源,但您的应用未配置为允许访问 O365 Outlook.com/Exchange Online.

By default, a registered app is configured to request "Read the user's profile", which once consented to by the user, allows the app to get a user token (id token if using OpenID Connect) and read the signed in user's profile (including their mail address or addresses) when calling the Azure AD Graph API. Apps secured by Azure AD must currently configure the permission scopes they require up front (as part of the app registration experience, under the "Permissions to other applications" section). Here it looks like you've specified Outlook.com as the resource that you'd like a code and access token for, but your app is not configured to allow access to O365 Outlook.com/Exchange Online.

请尝试将请求中的资源设置为 Azure AD - https://graph.windows.net/.这应该适合你.然后,您可以交换访问令牌的代码以调用 Azure AD Graph API.

Please try setting the resource in your request to Azure AD - https://graph.windows.net/. That should work for you. You can then swap the code for an access token to call the Azure AD Graph API.

希望能帮到你

相关文章