JavaScript OAuth2 flow for Azure AD v2 login does not give an access_token

可紊 submitted on 2019-12-13 03:44:25

Question


I'm using bell and hapijs and trying to get the office365 provider to work, but it seems like the https://login.microsoftonline.com/common/oauth2/v2.0/token endpoint isn't giving me the access_token required for getting profile information.

This is the OAuth 2.0 flow I'm seeing:

First it redirects to

https://login.microsoftonline.com/common/oauth2/v2.0/authorize
?client_id=[client-id]
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%3A5430%2Fapi%2Fv1%2Flogin%2Fazure-ad
&state=[state]
&scope=openid%20offline_access%20profile

in oauth.js#L197

After a successful sign in from the Microsoft login, it redirects to the server and bell does a POST to https://login.microsoftonline.com/common/oauth2/v2.0/token with payload

{
  payload: 'grant_type=authorization_code&code=[code]&redirect_uri=http%3A%2F%2Flocalhost%3A5430%2Fapi%2Fv1%2Flogin%2Fazure-ad&client_id=[client-id]&client_secret=[client-secret]',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded'
  }
}

in oauth.js#L242

This in turn gives me the following response

{
  "refresh_token": "MCTrMmd...",
  "id_token": "eyJ0eXAiOiJKV..."
}

From the OAuth 2.0 Authorization Code Flow documentation, it seems like I should be getting something more like

{
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...",
    "token_type": "Bearer",
    "expires_in": 3599,
    "scope": "https%3A%2F%2Fgraph.microsoft.com%2Fmail.read",
    "refresh_token": "AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMxZGUTdM0t4B4...",
    "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdWQiOiIyZDRkMTFhMi1mODE0LTQ2YTctOD...",
}

Specifically, I need an access_token, because the following profile get request (oauth.js#L270) requires it for

Authorization: 'Bearer ' + payload.access_token

Even in Calling /token endpoint does not give me an access_token, it seems like the /token request gets more fields in the response.

Is there something I'm missing in the request?


Answer 1:


Looking at your first request, it doesn't have the response_mode=query header, in contrast to the documentation:

In which it also states the expected successful response:

UPDATE: I was able to replicate this when I don't include the scope in the payload when trying to get the token:

Including the scope in the payload returns the access_token:




Answer 2:


The scopes openid, email, profile, and offline_access don't seem to return an access_token.

Adding the User.Read scope does provide an access_token.

For bell, you would need something like:

server.auth.strategy('office365', 'bell', {
    provider: 'office365',
    scope: [
        'User.Read'
    ],
    password: 'something',
    clientId: 'clientId',
    clientSecret: 'clientSecret',
});

Although, there are still issues with the endpoint that bell's office365 provider has, documented here: How do I get the logged in users profile for Azure AD OAuth logins?

Figured this out from the investigation in https://stackoverflow.com/a/49424859/111884.



Source: https://stackoverflow.com/questions/49405587/javascript-oauth2-flow-for-azure-ad-v2-login-does-not-give-an-access-token
