【问题标题】:OAuth refresh_token call from Azure App Service returns Bad request来自 Azure 应用服务的 OAuth refresh_token 调用返回错误请求
【发布时间】:2021-08-17 09:09:46
【问题描述】:

我有一个调用 OAuth 2.0 来获取访问令牌的 Web Api

    var content = new FormUrlEncodedContent(new[]
        {
            new KeyValuePair<string, string>("client_id", _configuration["ClientId"]),
            new KeyValuePair<string, string>("grant_type", "refresh_token"),
            new KeyValuePair<string, string>("refresh_token", _configuration["RefreshToken"]),
            new KeyValuePair<string, string>("scope", "openid Mail.Send offline_access")
        });

        var tenantId = _configuration["TenantId"];

        try
        {
            var response = await _httpClient.PostAsync($"{tenantId}/oauth2/v2.0/token", content);

            var status = (int)response.StatusCode;

            if (status == 200)
            {
                var responseString = await response.Content.ReadAsStringAsync();
                var refreshTokenResponse = JsonSerializer.Deserialize<RefreshTokenResponse>(responseString);

                return refreshTokenResponse.AccessToken;
            }

            throw new Exception("Status " + status + " Content " + response?.Content +
                                " ReasonPhrase " + response.ReasonPhrase + 
                                " RequestMessage " + response.RequestMessage );

当我在本地运行它时,即使没有范围,这段代码也能正常工作。相同的代码在部署到 Azure(Azure 应用服务)时会失败。即使是邮递员电话,无论有没有范围都可以正常工作。

响应包含以下消息 {"error":"invalid_grant","error_description":"AADSTS53003: 条件访问策略已阻止访问。访问策略不允许颁发令牌

我尝试检查文档https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#refresh-the-access-token

不清楚为什么当我从本地机器和邮递员直接调用而不是从 Azure 应用服务进行调试时它会起作用。

我们将不胜感激任何帮助

【问题讨论】:

  • 您是否在 Azure 门户:Azure AD 租户 > 条件访问中查看了可能会干扰(已部署)Web 应用程序的策略?

标签: azure oauth-2.0 azure-active-directory azure-web-app-service


【解决方案1】:

您是否检查过此“Azure AD 租户 > 条件访问”以了解可能干扰(已部署)Web 应用程序的策略?正如Melissa建议的那样

您也可以尝试以下解决方法:

Access token request with a certificate

POST /{tenant}/oauth2/v2.0/token HTTP/1.1               // Line breaks for clarity
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_id=97e0a5b7-d745-40b6-94fe-5f77d35c6e05
&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
&client_assertion=eyJhbGciOiJSUzI1NiIsIng1dCI6Imd4OHRHeXN5amNScUtqRlBuZDdSRnd2d1pJMCJ9.eyJ{a lot of characters here}M8U3bSUKKJDEg
&grant_type=client_credentials

您可以参考Token access blocked when posting request from published Azure functionRefresh token for user with CA Policy applied in Azure AD failedConditional Access PolicyAADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance. 的 GitHub 公开问题

【讨论】:

猜你喜欢
  • 2013-09-20
  • 1970-01-01
  • 1970-01-01
  • 1970-01-01
  • 2019-07-11
  • 2012-06-03
  • 2017-12-22
  • 1970-01-01
  • 2011-07-24
相关资源
最近更新 更多