我一直在尝试从Flask迁移Web应用程序以做出响应,但是我在获取有效的访问令牌时遇到了麻烦。在Flask中,我使用adal并具有以下代码:
authority_host_uri = 'https://login.microsoftonline.com'
tenant = '<my tenant id>'
authority_uri = authority_host_uri + '/' + tenant
resource_uri = 'https://management.core.windows.net/'
client_id = '<my client id>'
client_secret = '<my client secret>'
context = adal.AuthenticationContext(authority_uri, api_version=None)
mgmt_token = context.acquire_token_with_client_credentials(resource_uri, client_id, client_secret)
回复是
{'tokenType': 'Bearer',
'expiresIn': 3599,
'expiresOn': '2020-05-27 18:22:07.128189',
'resource': 'https://management.core.windows.net/',
'accessToken':'<the access token that was needed>'
'isMRRT': True,
'_clientId': '<client id info>',
'_authority': '<authority above>'}
但是,当我试图在React中的msal中实现相同的东西时,我从中获得的访问令牌
const tokenRequest = {
scopes: [clientId + "/user_impersonation"]
};
const response = await myMSALObj.acquireTokenSilent(tokenRequest)
无效,因为它将从Azure目录API收到403错误,因为我从Flask获取的访问令牌工作得很好。是否存在不同类型的访问令牌,或者是由于作用域的缘故?是否可以做与adal在Flask中做的完全一样的事情(例如,无需指定范围,只需使用客户端机密来获取正确的访问密钥?)
范围不正确。您要访问此资源https://management.core.windows.net/
范围应该是:
scopes: ["https://management.core.windows.net/.default"]
参考: