从 Azure AD 获取刷新令牌时出错

问题描述 投票:0回答:1

我正在尝试从 azure AD 获取刷新令牌但收到此错误:-

data {“error”:“invalid_grant”,“error_description”:“AADSTS9002313:无效请求。请求格式错误或无效。 跟踪 ID:4bcb6e5e-35c1-4c4e-b184-d0ffddcc6301 关联 ID:689f7abd-13ef-41f9-b94a-4b2269bb7c32 时间戳:2023-03-03 11:15:39Z","error_codes":[9002313],"timestamp":"2023-03-03 11:15:39Z","trace_id":"4bcb6e5e-35c1-4c4e- b184-d0ffddcc6301","correlation_id":"689f7abd-13ef-41f9-b94a-4b2269bb7c32","error_uri":"https://login.microsoftonline.com/error?code=9002313"}

代码:

const http = require('http');
const url = require('url');
const hostname = '127.0.0.1';
const port = 3000;


const server = http.createServer((req, res) => {
  res.statusCode = 200;
  res.setHeader('Content-Type', 'text/plain');


    let reqUrl = req.url;
   let code1 = reqUrl.substring(reqUrl.indexOf("?code=") + 6, reqUrl.length);
   let code=code1.split('&')[0];

        // const tokenEndpoint = 'https://login.microsoftonline.com/common/oauth2/v2.0/token';
        const clientId = <client id>;
        const redirectUri = 'http://localhost:3000/callback'; // The URL to redirect to after login
        const grantType = 'authorization_code';
        const clientSecret = <client secret>;
        
        
        const tokenRequest = {
          method: 'POST',
          headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
          body: `grant_type=${grantType}&code=${code}&redirect_uri=${redirectUri}&client_id=${clientId}&client_secret=${clientSecret}`
        };

    let refreshToken;   
  
  fetch(tokenEndpoint, tokenRequest)
  .then(response => response.json())
  .then(data => {
    refreshToken = data.refresh_token;
    // Use the refresh token to request new access tokens as needed
  })
  .catch(error => {
    // Handle error
res.end('error');
  });

  res.end(refreshToken);
});

server.listen(port, hostname, () => {
  console.log(`Server running at http://${hostname}:${port}/`);
});
node.js azure oauth-2.0 azure-active-directory refresh-token
1个回答
0
投票

我尝试在我的环境中重现相同的内容并得到以下结果:

我注册了一个Azure AD应用程序并添加

API permissions
如下:

enter image description here

当我运行与您相同的代码来获取刷新令牌时,我得到了类似的错误如下所示:

const http = require('http');
const url = require('url');
const hostname = '127.0.0.1';
const port = 3000;


const server = http.createServer((req, res) => {
  res.statusCode = 200;
  res.setHeader('Content-Type', 'text/plain');


    let reqUrl = req.url;
   let code1 = reqUrl.substring(reqUrl.indexOf("?code=") + 6, reqUrl.length);
   let code=code1.split('&')[0];

        const tokenEndpoint = 'https://login.microsoftonline.com/common/oauth2/v2.0/token';
        const clientId = <client id>;
        const redirectUri = 'http://localhost:3000/callback'; // The URL to redirect to after login
        const grantType = 'authorization_code';
        const clientSecret = <client secret>;
        
        
        const tokenRequest = {
          method: 'POST',
          headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
          body: `grant_type=${grantType}&code=${code}&redirect_uri=${redirectUri}&client_id=${clientId}&client_secret=${clientSecret}`
        };

    let refreshToken;   
  
  fetch(tokenEndpoint, tokenRequest)
  .then(response => response.json())
  .then(data => {
    refreshToken = data.refresh_token;
    // Use the refresh token to request new access tokens as needed
  })
  .catch(error => {
    // Handle error
res.end('error');
  });

  res.end(refreshToken);
});

server.listen(port, hostname, () => {
  console.log(`Server running at http://${hostname}:${port}/`);
});

回复:

enter image description here

为了 resolve 错误,我显式生成了 

code
值,并在获取令牌时将其作为参数包含在变量中。

我在浏览器中运行以下授权请求并在地址栏中获得

code
值,如下所示:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize? 
client_id=<appID>
&response_type=code  
&redirect_uri=http://localhost:3000/callback
&response_mode=query  
&scope= https://graph.microsoft.com/.default 
&state=12345

回复:

enter image description here

确保在生成刷新令牌时在

scope
参数中传递offline_access

现在,我在 modified 代码下运行并在如下输出中成功获得 refresh token

const axios = require('axios');
const qs = require('qs');

const TENANT_ID = 'common';
const CLIENT_ID = 'a3bebc65-2ba6-4f07-b633-xxxxxxxxxx';
const CLIENT_SECRET = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxx';
const AUTHORIZATION_CODE = 'paste_code_from_above_request';
const REDIRECT_URI = 'http://localhost:3000/callback';
const SCOPE = 'https://graph.microsoft.com/.default offline_access';

const TOKEN_ENDPOINT = `https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/token`;

const requestBody = qs.stringify({
  code: AUTHORIZATION_CODE,
  client_id: CLIENT_ID,
  client_secret: CLIENT_SECRET,
  redirect_uri: REDIRECT_URI,
  scope: SCOPE,
  grant_type: 'authorization_code'
});

axios.post(TOKEN_ENDPOINT, requestBody, {
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded'
  }
})
  .then(response => {
    console.log(response.data.refresh_token);
  })
  .catch(error => {
    console.error(error);
  });

回复:

enter image description here

为了确认,我通过邮递员在下面的参数中包含了上面的刷新令牌,并像这样成功地获得了访问令牌

POST https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id:<appID>
grant_type:refresh_token
scope: https://graph.microsoft.com/.default
redirect_uri: http://localhost:3000/callback
client_secret: <secret>
refresh_token: <paste_refresh_token_from_above_code_output>

回复:

enter image description here

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.