我有一个SPA应用程序,试图登录到Azure AD使用' Azure/microsoft -browser' reactjs包。
应用程序在Azure应用程序注册时设置为使用单个租户身份验证。authConfig.js
文件也设置为使用单租户身份验证,但我一直得到错误:
AADSTS50194: Application 'xxxxxxxx' is not configured as a multi-tenant application
我发现了类似的帖子,但都指向设置权限参数,我已经做了。
我试图实现的场景是页面重定向静默登录。这是我基于我的实现的官方示例。
下面是创建的步骤:
安装msal-browser
根据你的应用注册配置AuthConfig.js文件:
const msalConfig = { auth: { clientId: "Application (client) ID", authority: "https://login.microsoftonline.com/<Directory (tenant) ID>/", redirectUri: "<app url(must be a allowed URL redirect for SPA application type)>" }, ... export const loginRequest = { scopes: ["openid", "User.Read"] };
获取令牌的代码:
import { PublicClientApplication } from "@azure/msal-browser"; import { loginRequest} from "../../authConfig"; // this is my simplified version of the method `getTokenRedirect` present in the sample. export const acquireIdToken = async (msalInstanceParam) => { const msalInstance = new PublicClientApplication(loginRequest); const activeAccount = msalInstance.getActiveAccount(); const accounts = msalInstance.getAllAccounts(); const request = { scopes: ["User.Read"], account: activeAccount || accounts[0] }; const authResult = await msalInstance.acquireTokenSilent(request);//throws http code 400 error with message 'AADSTS50194 ...' return authResult.idToken };
有趣的是,我能够成功登录,被重定向到SPA应用程序,获得令牌,从令牌检索用户名,但由于某种原因,应用程序调用https://login.microsoftonline.com/common/oauth2/v2.0/token,我在控制台中得到此错误。
什么线索吗?
浏览器日志(已更新):
[HMR] Waiting for update signal from WDS...
authConfig.js:36 [Thu, 23 Jun 2022 17:09:59 GMT] : @azure/msal-react@1.3.1 : Info - useAccount - Updating account
authConfig.js:36 [Thu, 23 Jun 2022 17:09:59 GMT] : @azure/msal-browser@2.22.1 : Info - Emitting event: msal:handleRedirectStart
authConfig.js:36 [Thu, 23 Jun 2022 17:09:59 GMT] : @azure/msal-react@1.3.1 : Info - MsalProvider - msal:handleRedirectStart results in setting inProgress from startup to handleRedirect
authConfig.js:36 [Thu, 23 Jun 2022 17:09:59 GMT] : [78728aa2-9ecd-4399-994a-4d8ab8801b13] : msal.js.browser@2.22.1 : Info - handleRedirectPromise called but there is no interaction in progress, returning null.
RequestInterceptor.tsx:27 Wrapped Fetch started for resource planning
GetToken.js:22 acquire token ...
authConfig.js:36 [Thu, 23 Jun 2022 17:09:59 GMT] : @azure/msal-react@1.3.1 : Info - useAccount - Updating account
authConfig.js:36 [Thu, 23 Jun 2022 17:09:59 GMT] : @azure/msal-browser@2.22.1 : Info - Emitting event: msal:handleRedirectEnd
authConfig.js:36 [Thu, 23 Jun 2022 17:09:59 GMT] : @azure/msal-react@1.3.1 : Info - MsalProvider - msal:handleRedirectEnd results in setting inProgress from handleRedirect to none
RequestInterceptor.tsx:27 Wrapped Fetch started for resource https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=https://login.microsoftonline.com/common/oauth2/v2.0/authorize
authConfig.js:36 [Thu, 23 Jun 2022 17:09:59 GMT] : @azure/msal-react@1.3.1 : Info - useAccount - Updating account
RequestInterceptor.tsx:27 Wrapped Fetch started for resource https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
RequestInterceptor.tsx:27 Wrapped Fetch started for resource https://login.microsoftonline.com/common/oauth2/v2.0/token
RequestInterceptor.tsx:33
RequestInterceptor.tsx:33 POST https://login.microsoftonline.com/common/oauth2/v2.0/token 400 (Bad Request)
显然,通过检查日志,端点发现提供了覆盖设置的权限url:
https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=https://login.microsoftonline.com/common/oauth2/v2.0/authorize
首先,权限需要针对organizations
(用于工作或学生帐户)或common
(用于所有上述帐户和个人帐户)端点,而不是特定于租户。例如
{
authority: "https://login.microsoftonline.com/organizations/",
// authority: "https://login.microsoftonline.com/common/",
}
最后,您需要将应用程序注册配置为多租户。更新其应用程序清单并确保signInAudience
设置为AzureADMultipleOrgs
或AzureADandPersonalMicrosoftAccount
。后者需要将accessTokenAcceptedVersion
设置为2
。