Question
I've implemented Azure AD for a business (well, not quite finished!) with the purpose being that only those in the business can use it (they must be in the business' Active Directory). And there are special targeted roles (scopes) that only some users are assigned. And the REST endpoints are annotated with these scopes (in the @OAuthBearer(scope) that we've defined). If there is no special scope required for a given endpoint it is simply annotated with @OAuthBearer() to say company auth is required.
I've generally got this working, however when requesting auth_tokens for the API, scopes can't be empty. If there is an endpoint with no included scope then I've nothing to request an auth_token on. And it's an error to have no scopes in the call to msal.js / acquireTokenSilent()
Because I'm using passport-azure-ad on the endpoint I need an auth_token.
What can I do? I don't want to define a scope just for this purpose. By virtue of being in the company's Active Directory they have access. To define that scope means assigning people this scope. That will never float with the business.
I tried to pass user.read (as I did to perform the login with msal.js / loginPopup(scopes) (though I found for loginPopup that a scope was optional)). But this scope returns a v1 token (most interestingly is that for loginPopup it returns a v2 token!). And then passport-azure-ad which requires V2 tokens throws an error.
I tried just passing the idToken from the login, however this is missing a scope and passport-azure-ad throws an error.
I tried /.default, my clientId and other things discussed but none work.
Has anyone any thoughts on possible solutions for this?
Source: https://stackoverflow.com/questions/56746473/azure-ad-a-scope-is-always-required-so-need-a-default-one
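The question turns on two properties of the token that reaches passport-azure-ad: whether it is a v1.0 or v2.0 token (the `ver` claim) and whether it carries any scopes (the `scp` claim, which an ID token lacks). As an added example, not code from the question or from msal.js / passport-azure-ad, the Node.js snippet below decodes a JWT payload and reports exactly those claims, so the token can be inspected before the middleware rejects it. The sample tokens, tenant and client ids, and the scope names `Reports.Read` / `Reports.Write` are constructed for the example; the tokens are unsigned (`alg: none`) and the signature is deliberately not checked, so this is a debugging aid only and must never be used to authorise a request.

```javascript
// Added diagnostic example, not code from the question or from msal.js /
// passport-azure-ad: decode the payload of an Azure AD JWT and report the
// claims that decide whether a v2-only middleware will accept it. The
// signature is NOT verified here; use this to inspect tokens while debugging,
// never to authorise a request.

function base64UrlDecode(segment) {
  // base64url -> standard base64: restore '+' and '/', then pad to a multiple of 4
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4 !== 0) b64 += '=';
  return Buffer.from(b64, 'base64').toString('utf8');
}

function base64UrlEncode(obj) {
  // Only used to build the constructed sample tokens below
  return Buffer.from(JSON.stringify(obj))
    .toString('base64')
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=+$/, '');
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('not a compact JWT (expected header.payload.signature)');
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Summarise the claims relevant to the question: 'ver' tells v1.0 from v2.0,
// 'scp' holds the space-separated delegated scopes of an access token (absent
// from ID tokens), 'aud' and 'iss' show which API the token is for and which
// endpoint issued it.
function diagnoseToken(token) {
  const claims = decodeJwtPayload(token);
  const scopes = typeof claims.scp === 'string' && claims.scp.trim() !== ''
    ? claims.scp.trim().split(/\s+/)
    : [];
  const problems = [];
  if (claims.ver !== '2.0') {
    problems.push(`token is ver=${claims.ver || 'unknown'}, a v2-only middleware expects ver=2.0`);
  }
  if (scopes.length === 0) {
    problems.push('token carries no scp claim (ID token, or no scope was requested)');
  }
  return {
    version: claims.ver || 'unknown',
    isV2: claims.ver === '2.0',
    audience: claims.aud,
    issuer: claims.iss,
    scopes,
    hasScopes: scopes.length > 0,
    problems,
  };
}

// Constructed, unsigned sample tokens with dummy tenant and client ids.
const DUMMY_TENANT = '00000000-0000-0000-0000-000000000000';
const DUMMY_CLIENT = '11111111-1111-1111-1111-111111111111';

function makeConstructedToken(payload) {
  return `${base64UrlEncode({ alg: 'none', typ: 'JWT' })}.${base64UrlEncode(payload)}.`;
}

// What the question describes getting back for the 'user.read' scope:
// a v1.0 Graph token, which a v2-only middleware rejects.
const SAMPLE_V1_GRAPH_TOKEN = makeConstructedToken({
  ver: '1.0',
  aud: 'https://graph.microsoft.com',
  iss: `https://sts.windows.net/${DUMMY_TENANT}/`,
  scp: 'User.Read',
});

// An ID token: v2.0 but without any 'scp' claim.
const SAMPLE_V2_ID_TOKEN = makeConstructedToken({
  ver: '2.0',
  aud: DUMMY_CLIENT,
  iss: `https://login.microsoftonline.com/${DUMMY_TENANT}/v2.0`,
});

// A v2.0 access token for the API itself, with constructed scope names.
const SAMPLE_V2_API_TOKEN = makeConstructedToken({
  ver: '2.0',
  aud: `api://${DUMMY_CLIENT}`,
  iss: `https://login.microsoftonline.com/${DUMMY_TENANT}/v2.0`,
  scp: 'Reports.Read Reports.Write',
});

function printDiagnoses() {
  for (const t of [SAMPLE_V1_GRAPH_TOKEN, SAMPLE_V2_ID_TOKEN, SAMPLE_V2_API_TOKEN]) {
    console.log(JSON.stringify(diagnoseToken(t), null, 2));
  }
}

printDiagnoses();
```

Running it prints one report per sample: the Graph token is flagged for `ver=1.0`, the ID token for having no `scp`, and only the API token comes out clean. Pointing `diagnoseToken` at a real token returned by `acquireTokenSilent()` shows which of the two conditions the middleware is tripping on.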