我正在尝试从 azure AD 获取刷新令牌但收到此错误:-
data {“error”:“invalid_grant”,“error_description”:“AADSTS9002313:无效请求。请求格式错误或无效。 跟踪 ID:4bcb6e5e-35c1-4c4e-b184-d0ffddcc6301 关联 ID:689f7abd-13ef-41f9-b94a-4b2269bb7c32 时间戳:2023-03-03 11:15:39Z","error_codes":[9002313],"timestamp":"2023-03-03 11:15:39Z","trace_id":"4bcb6e5e-35c1-4c4e- b184-d0ffddcc6301","correlation_id":"689f7abd-13ef-41f9-b94a-4b2269bb7c32","error_uri":"https://login.microsoftonline.com/error?code=9002313"}
代码:
const http = require('http');
const url = require('url');
const hostname = '127.0.0.1';
const port = 3000;
const server = http.createServer((req, res) => {
res.statusCode = 200;
res.setHeader('Content-Type', 'text/plain');
let reqUrl = req.url;
let code1 = reqUrl.substring(reqUrl.indexOf("?code=") + 6, reqUrl.length);
let code=code1.split('&')[0];
// const tokenEndpoint = 'https://login.microsoftonline.com/common/oauth2/v2.0/token';
const clientId = <client id>;
const redirectUri = 'http://localhost:3000/callback'; // The URL to redirect to after login
const grantType = 'authorization_code';
const clientSecret = <client secret>;
const tokenRequest = {
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: `grant_type=${grantType}&code=${code}&redirect_uri=${redirectUri}&client_id=${clientId}&client_secret=${clientSecret}`
};
let refreshToken;
fetch(tokenEndpoint, tokenRequest)
.then(response => response.json())
.then(data => {
refreshToken = data.refresh_token;
// Use the refresh token to request new access tokens as needed
})
.catch(error => {
// Handle error
res.end('error');
});
res.end(refreshToken);
});
server.listen(port, hostname, () => {
console.log(`Server running at http://${hostname}:${port}/`);
});
我尝试在我的环境中重现相同的内容并得到以下结果:
我注册了一个Azure AD应用程序并添加
API permissions
如下:
当我运行与您相同的代码来获取刷新令牌时,我得到了类似的错误如下所示:
const http = require('http');
const url = require('url');
const hostname = '127.0.0.1';
const port = 3000;
const server = http.createServer((req, res) => {
res.statusCode = 200;
res.setHeader('Content-Type', 'text/plain');
let reqUrl = req.url;
let code1 = reqUrl.substring(reqUrl.indexOf("?code=") + 6, reqUrl.length);
let code=code1.split('&')[0];
const tokenEndpoint = 'https://login.microsoftonline.com/common/oauth2/v2.0/token';
const clientId = <client id>;
const redirectUri = 'http://localhost:3000/callback'; // The URL to redirect to after login
const grantType = 'authorization_code';
const clientSecret = <client secret>;
const tokenRequest = {
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: `grant_type=${grantType}&code=${code}&redirect_uri=${redirectUri}&client_id=${clientId}&client_secret=${clientSecret}`
};
let refreshToken;
fetch(tokenEndpoint, tokenRequest)
.then(response => response.json())
.then(data => {
refreshToken = data.refresh_token;
// Use the refresh token to request new access tokens as needed
})
.catch(error => {
// Handle error
res.end('error');
});
res.end(refreshToken);
});
server.listen(port, hostname, () => {
console.log(`Server running at http://${hostname}:${port}/`);
});
回复:
为了 resolve 错误,我显式生成了
code
值,并在获取令牌时将其作为参数包含在变量中。
我在浏览器中运行以下授权请求并在地址栏中获得
code
值,如下所示:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=<appID>
&response_type=code
&redirect_uri=http://localhost:3000/callback
&response_mode=query
&scope= https://graph.microsoft.com/.default
&state=12345
回复:
确保在生成刷新令牌时在
scope参数中传递offline_access
。
现在,我在 modified 代码下运行并在如下输出中成功获得 refresh token:
const axios = require('axios');
const qs = require('qs');
const TENANT_ID = 'common';
const CLIENT_ID = 'a3bebc65-2ba6-4f07-b633-xxxxxxxxxx';
const CLIENT_SECRET = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxx';
const AUTHORIZATION_CODE = 'paste_code_from_above_request';
const REDIRECT_URI = 'http://localhost:3000/callback';
const SCOPE = 'https://graph.microsoft.com/.default offline_access';
const TOKEN_ENDPOINT = `https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/token`;
const requestBody = qs.stringify({
code: AUTHORIZATION_CODE,
client_id: CLIENT_ID,
client_secret: CLIENT_SECRET,
redirect_uri: REDIRECT_URI,
scope: SCOPE,
grant_type: 'authorization_code'
});
axios.post(TOKEN_ENDPOINT, requestBody, {
headers: {
'Content-Type': 'application/x-www-form-urlencoded'
}
})
.then(response => {
console.log(response.data.refresh_token);
})
.catch(error => {
console.error(error);
});
回复:
为了确认,我通过邮递员在下面的参数中包含了上面的刷新令牌,并像这样成功地获得了访问令牌:
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id:<appID>
grant_type:refresh_token
scope: https://graph.microsoft.com/.default
redirect_uri: http://localhost:3000/callback
client_secret: <secret>
refresh_token: <paste_refresh_token_from_above_code_output>
回复: