使用Graph API创建的应用注册请求令牌时,出现Azure B2C invalid_grant错误

whhtz7ly  于 2023-08-07  发布在  其他
关注(0)|答案(1)|浏览(122)

我正在使用Azure B2C中的客户端凭据流设置应用程序。当我通过Azure Portal创建应用程序时,我可以为其分配一个密钥和API权限,然后调用令牌端点来检索访问令牌。但是,当我通过Graph API创建应用程序并分配相同的权限和密钥时,它返回以下错误:

{
    "error": "invalid_grant",
    "error_description": "AADB2C90085: The service has encountered an internal error. Please reauthenticate and try again.\r\nCorrelation ID: a73a0250-9ee7-4cde-9754-715460bc5fe6\r\nTimestamp: 2023-07-18 20:10:01Z\r\n"
}

字符串
除了GUID和名称不同之外,这两个应用程序具有相同的清单。我还通过API检查了服务主体,除了GUID和名称之外,它们看起来都是一样的。通过单击门户的API权限窗格中的“授予{租户}的管理员许可”按钮,已授予两个应用程序的权限的管理员许可。我发现早期的stackoverflow帖子指出,由Graph API创建的应用程序不符合B2C集成的条件,但根据这里的文档,情况似乎不再如此:https://learn.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-operations#applications
下面是我通过Graph API创建应用程序的步骤:

POST /v1.0/applications HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer {token from graph API application}
Content-Type: application/json
Content-Length: 29

{
    "displayName": "test2"
}


这将在Azure门户的“应用程序注册”窗格中的“所有应用程序”选项卡下创建应用程序注册。以下是创建的应用程序的清单:

{
    "id": "{id}",
    "acceptMappedClaims": null,
    "accessTokenAcceptedVersion": 2,
    "addIns": [],
    "allowPublicClient": null,
    "appId": "{appId}",
    "appRoles": [],
    "oauth2AllowUrlPathMatching": false,
    "createdDateTime": "2023-07-18T19:35:48Z",
    "description": null,
    "certification": null,
    "disabledByMicrosoftStatus": null,
    "groupMembershipClaims": null,
    "identifierUris": [],
    "informationalUrls": {
        "termsOfService": null,
        "support": null,
        "privacy": null,
        "marketing": null
    },
    "keyCredentials": [],
    "knownClientApplications": [],
    "logoUrl": null,
    "logoutUrl": null,
    "name": "test2",
    "notes": null,
    "oauth2AllowIdTokenImplicitFlow": false,
    "oauth2AllowImplicitFlow": false,
    "oauth2Permissions": [],
    "oauth2RequirePostResponse": false,
    "optionalClaims": null,
    "orgRestrictions": [],
    "parentalControlSettings": {
        "countriesBlockedForMinors": [],
        "legalAgeGroupRule": "Allow"
    },
    "passwordCredentials": [
        {
            "customKeyIdentifier": null,
            "endDate": "2024-01-14T21:05:11.199Z",
            "keyId": "{keyId}",
            "startDate": "2023-07-18T20:05:11.199Z",
            "value": null,
            "createdOn": "2023-07-18T20:05:14.7198454Z",
            "hint": "rLR",
            "displayName": "clientSecret"
        }
    ],
    "preAuthorizedApplications": [],
    "publisherDomain": "{tenent}",
    "replyUrlsWithType": [],
    "requiredResourceAccess": [
        {
            "resourceAppId": "{API app ID}",
            "resourceAccess": [
                // records in here for api permissions that match those of the application I create through the portal
            ]
        },
        {
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "7427e0e9-2fba-42fe-b0c0-848c9e6a8182",
                    "type": "Scope"
                },
                {
                    "id": "37f7f235-527c-4136-accd-4a02d197296e",
                    "type": "Scope"
                }
            ]
        }
    ],
    "samlMetadataUrl": null,
    "signInUrl": null,
    "signInAudience": "AzureADandPersonalMicrosoftAccount",
    "tags": [],
    "tokenEncryptionKeyId": null
}


我还通过下面的端点通过API创建了密钥,在其他测试中,在应用程序注册到上面的调用后,还通过门户添加了该密钥。两条路都没有区别。

POST /v1.0/applications/0a9334c7-6312-4912-86d4-31d8458cf9f6/addPassword HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer {token from Graph API}
Content-Type: application/json
Content-Length: 80

{
    "passwordCredential": {
        "displayName" : "clientSecret"
    }
}


当我进行调用以获取令牌时,在门户中创建的应用程序工作,并且由API创建的应用程序返回invalid_grant错误。以下是我如何打这个电话:

POST /{tenant}.onmicrosoft.com/{custom policy}/oauth2/v2.0/token?client_id={client_id}&grant_type=client_credentials&scope=https://{tenant}.onmicrosoft.com/{application id URI slug}/.default&client_secret={client_secret} HTTP/1.1
Host: devcloud9fx.b2clogin.com


当在postman中调用这个函数时,我唯一改变的是client_id和secret。

biswetbf

biswetbf1#

最初,我在B2C租户中注册了一个Web API的应用,并添加了Application ID URI:


的数据
现在,我在Manifest文件的appRoles设置中添加了下面的JSON,定义了Web API角色

"appRoles": [
{
  "allowedMemberTypes": ["Application"],
  "displayName": "Read",
  "id": "xxxxxxxx",
  "isEnabled": true,
  "description": "Readers have the ability to read tasks.",
  "value": "app.read"
},
{
  "allowedMemberTypes": ["Application"],
  "displayName": "Write",
  "id": "xxxxxxxxx",
  "isEnabled": true,
  "description": "Writers have the ability to create tasks.",
  "value": "app.write"
}],

字符串



我从Portal注册了一个名为test1的Azure AD B2C应用程序,并授予了对上述Web API角色的访问权限,如下所示:



当我使用通过Portal创建的应用程序进行调用时,我成功地获得了令牌:

POST https://srib2caadtenant.b2clogin.com/srib2caadtenant.onmicrosoft.com/B2C_1A_SIGNUP_SIGNIN/oauth2/v2.0/token

client_id:appID
client_secret:secret
grant_type:client_credentials
scope: https://srib2caadtenant.onmicrosoft.com/api/.default



现在,我试图通过使用以下调用从Graph API创建应用程序来实现相同的目标:

POST https://graph.microsoft.com/v1.0/applications
Authorization: Bearer {token from graph API application}
Content-Type: application/json

{
    "displayName": "test2"
}



我运行了下面的调用,为上面的应用程序创建了client secret

POST https://graph.microsoft.com/v1.0/applications/appObjectID/addPassword 
Authorization: Bearer {token from Graph API}
Content-Type: application/json

{
    "passwordCredential": {
        "displayName" : "clientSecret"
    }
}



当我使用API创建的应用程序进行调用时,我得到了相同的错误,说invalid_grant如下:

POST https://srib2caadtenant.b2clogin.com/srib2caadtenant.onmicrosoft.com/B2C_1A_SIGNUP_SIGNIN/oauth2/v2.0/token
client_id:appID
client_secret:secret
grant_type:client_credentials
scope: https://srib2caadtenant.onmicrosoft.com/api/.default



使用Graph API创建应用时,API权限默认不添加:



若要通过API调用在应用中添加Web API角色,可以调用如下PATCH请求:

PATCH https://graph.microsoft.com/v1.0/applications/appObjID/
Authorization: Bearer {token from Graph API}
Content-Type: application/json

{
    "requiredResourceAccess": [
        {
            "resourceAppId": "web API appID",
            "resourceAccess": [
                {
                    "id": "xxxxxxx",
                    "type": "Role"
                },
                {
                    "id": "xxxxxxx",
                    "type": "Role"
                }
            ]
        }
    ]
}



请确保对上述API权限授予管理员同意:



需要注意的是,API权限授予管理员同意后,最多需要5分钟才能反映出更改。
当我在几分钟后再次使用通过API创建的应用程序进行调用时,我成功地获得了令牌,如下所示:

POST https://srib2caadtenant.b2clogin.com/srib2caadtenant.onmicrosoft.com/B2C_1A_SIGNUP_SIGNIN/oauth2/v2.0/token
client_id:appID
client_secret:secret
grant_type:client_credentials
scope: https://srib2caadtenant.onmicrosoft.com/api/.default



为了确认,我在jwt.ms网站中解码了上面的token,得到了下面Web API权限的**scp**claim:


参考:Set up OAuth 2.0 client credentials flow - Azure AD B2C | Microsoft

相关问题