I am able to successfully retrieve a token for SharePoint Online using PowerShell MSAL 4.37.0 and a ClientCertificate. What I have not been able to do successfully is pass the authority. When I pass Authority as a parameter to New-MsalClientApplication/Get-MsalClientApplication or Get-MsalToken, it seems to ignore the parameter. Get-MsalToken still runs successfully, but I cannot determine what it is using as its endpoint.

I am using PowerShell to test the functionality and my setup because I cannot seem to get it working with Node.js, and I am still running into problems related to the authority. Since it works successfully in PowerShell, it looks like all my other configuration is set up correctly and I just need to verify the authority. My authority is set to `$authority = "https://login.microsoftonline.com/" + $tenantID + '/oauth2/v2.0/token'`.
```powershell
# $appID, $tenant, $tenantID, $authority and $scope are assumed to be set earlier in the script.
$certStorePath = "cert:\LocalMachine\TrustedPublisher";
# Locate the self-signed client certificate by issuer name
$certDetails = Get-ChildItem -Path $certStorePath | Where-Object {$_.Issuer -like "*selfsigned*"}
$thumbPrint = $certDetails.Thumbprint;
$ClientCertificate = Get-Item "Cert:\LocalMachine\TrustedPublisher\$($thumbPrint)";
$ClientCertificate.GetType();
# Confidential client using certificate credentials
$MsalClientApplication = New-MsalClientApplication -ClientId $appID -ClientCertificate $ClientCertificate -TenantId $tenant;
try
{
    # Authority is passed here but appears to be ignored
    $msalToken = $MsalClientApplication | Get-MsalToken -Authority $authority -Scope $scope;
    $msalToken.AccessToken | Get-JWTDetails;
}
catch
{
    # Write-Host emits nothing to the pipeline, so pipe the exception object itself to Format-List
    $_.Exception | Format-List -Force
}
```
Any ideas on how to make the -Authority parameter work (and thereby succeed or fail when the Authority value is changed), or on returning the Authority as a property from the token so that I can verify the Authority is correct?

Thanks, Clint
> Any ideas on how to make the -Authority parameter work (and thereby succeed or fail when the Authority value is changed), or on returning the Authority as a property from the token so that I can verify the Authority is correct?

To check or obtain the authority and verify that it is correct, check the following:

For example, I generated the access token by passing the TenantID:

As a workaround, you can pass the TenantID when generating the access token:

```powershell
$msalToken = Get-MsalToken -ClientId 'ClientID' -ClientSecret (ConvertTo-SecureString 'ClientSecret' -AsPlainText -Force) -TenantId 'TenantID' -Scope 'https://microsoft.sharepoint.com/.default'
$msalToken
```
Now, to check the authority, you can decode the access token using the following function:

```powershell
function Parse-JWTtoken {
    [cmdletbinding()]
    param([Parameter(Mandatory=$true)][string]$token)

    #Validate as per https://tools.ietf.org/html/rfc7519
    #Access and ID tokens are fine, Refresh tokens will not work
    if (!$token.Contains(".") -or !$token.StartsWith("eyJ")) { Write-Error "Invalid token" -ErrorAction Stop }

    #Header (base64url -> base64)
    $tokenheader = $token.Split(".")[0].Replace('-', '+').Replace('_', '/')
    #Fix padding as needed, keep adding "=" until string length modulus 4 reaches 0
    while ($tokenheader.Length % 4) { Write-Verbose "Invalid length for a Base-64 char array or string, adding ="; $tokenheader += "=" }
    Write-Verbose "Base64 encoded (padded) header:"
    Write-Verbose $tokenheader
    #Convert from Base64 encoded string to PSObject all at once (UTF-8, as JWT JSON is UTF-8)
    Write-Verbose "Decoded header:"
    [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($tokenheader)) | ConvertFrom-Json | Format-List | Out-Default

    #Payload (base64url -> base64)
    $tokenPayload = $token.Split(".")[1].Replace('-', '+').Replace('_', '/')
    #Fix padding as needed, keep adding "=" until string length modulus 4 reaches 0
    while ($tokenPayload.Length % 4) { Write-Verbose "Invalid length for a Base-64 char array or string, adding ="; $tokenPayload += "=" }
    Write-Verbose "Base64 encoded (padded) payload:"
    Write-Verbose $tokenPayload
    #Convert to Byte array
    $tokenByteArray = [System.Convert]::FromBase64String($tokenPayload)
    #Convert to string
    $tokenArray = [System.Text.Encoding]::UTF8.GetString($tokenByteArray)
    Write-Verbose "Decoded payload in JSON format:"
    Write-Verbose $tokenArray
    #Convert from JSON to PSObject
    $tokobj = $tokenArray | ConvertFrom-Json
    Write-Verbose "Decoded Payload:"
    return $tokobj
}
```
Now decode the access token as follows and check the `iss` claim to verify the authority:
If the issue still persists, check the following:
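The answer above decodes the token and reads the `iss` claim by eye. As an added example (not code from the original post or from the MSAL.PS module), the following script turns that manual check into a function that compares the decoded `iss`, `tid` and `aud` claims against the tenant and resource you expect, so a token issued under the wrong authority fails the check instead of being used. The tenant ID and audience are placeholders, and the sample token is constructed in the script itself (unsigned, `alg: none`) so it runs offline; the same function can be pointed at `$msalToken.AccessToken`. Decoding this way reads the claims only; it does not validate the signature, so it is a configuration check, not a substitute for the resource validating the token.

```powershell
# Added example: verify the authority a token was issued under by inspecting its claims.
# Placeholders: $tenantId and $audience below are not real values.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    # JWT segments are base64url without padding; convert to standard base64 and re-pad
    $s = $Value.Replace('-', '+').Replace('_', '/')
    while ($s.Length % 4) { $s += '=' }
    return [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    return [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWS (expected header.payload.signature)' }
    return (ConvertFrom-Base64Url $parts[1]) | ConvertFrom-Json
}

function Test-TokenAuthority {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$ExpectedTenantId,
        [Parameter(Mandatory)][string]$ExpectedAudience
    )
    $claims = Get-JwtPayload -Token $Token
    # Azure AD issuer forms: v1 tokens use https://sts.windows.net/{tid}/,
    # v2 tokens use https://login.microsoftonline.com/{tid}/v2.0
    $allowedIssuers = @(
        "https://sts.windows.net/$ExpectedTenantId/",
        "https://login.microsoftonline.com/$ExpectedTenantId/v2.0"
    )
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
    $result = [ordered]@{
        Issuer     = $claims.iss
        Tenant     = $claims.tid
        Audience   = $claims.aud
        Expires    = $expires
        IssuerOk   = $allowedIssuers -contains $claims.iss
        TenantOk   = $claims.tid -eq $ExpectedTenantId
        AudienceOk = $claims.aud -eq $ExpectedAudience
        NotExpired = $expires -gt [DateTimeOffset]::UtcNow
    }
    $result.AllOk = $result.IssuerOk -and $result.TenantOk -and $result.AudienceOk -and $result.NotExpired
    return [pscustomobject]$result
}

# --- constructed sample token (placeholder tenant/audience, unsigned) ---
$tenantId = '00000000-0000-0000-0000-000000000000'   # placeholder tenant ID
$audience = 'https://contoso.sharepoint.com'          # placeholder SharePoint audience
$header  = @{ alg = 'none'; typ = 'JWT' } | ConvertTo-Json -Compress
$payload = @{
    iss = "https://sts.windows.net/$tenantId/"
    tid = $tenantId
    aud = $audience
    exp = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
} | ConvertTo-Json -Compress
$sampleToken = (ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($header))) + '.' +
               (ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($payload))) + '.'

# All four checks pass for the constructed token; AllOk is $true
Test-TokenAuthority -Token $sampleToken -ExpectedTenantId $tenantId -ExpectedAudience $audience

# With a real token from Get-MsalToken (uncomment after acquiring $msalToken):
# Test-TokenAuthority -Token $msalToken.AccessToken -ExpectedTenantId $tenantID -ExpectedAudience 'https://contoso.sharepoint.com'
```

A note on the `-Authority` value itself: MSAL expects the authority in the form `https://login.microsoftonline.com/{tenantId}` and appends the `/oauth2/v2.0/token` endpoint path itself, so passing the full token endpoint URL as the authority is not the intended usage. Whatever authority is configured, the `iss` and `tid` claims in the returned token are the record of which tenant actually issued it, and that is what the function above compares against.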