Multiple prompt values for the Microsoft identity endpoint

Is there a way to include both the login and consent prompts at the same time through the Microsoft identity platform?

The documentation does not explicitly mention support for multiple prompt values: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

I tried this PowerShell script with space-delimited login and consent values. The space is encoded as "%20", e.g., prompt=login%20consent.

$clientId = "MyClientId"
Start-Process "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=$clientId&scope=openid%20profile%20https://ads.microsoft.com/ads.manage%20offline_access&response_type=code&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient&state=ClientStateGoesHere&prompt=login%20consent"
$code = Read-Host "Grant consent in the browser, and then enter the code here (see ?code=UseThisCode&...)"
Write-Output "code: " $code  
$response = Invoke-WebRequest https://login.microsoftonline.com/common/oauth2/v2.0/token -ContentType application/x-www-form-urlencoded -Method POST -Body "client_id=$clientId&scope=https://ads.microsoft.com/ads.manage%20offline_access&code=$code&grant_type=authorization_code&redirect_uri=https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fnativeclient"
$oauthTokens = ($response.Content | ConvertFrom-Json)  
Write-Output "Access token: " $oauthTokens.access_token  
Write-Output "Access token expires in: " $oauthTokens.expires_in  
Write-Output "Refresh token: " $oauthTokens.refresh_token 

This results in an unsupported prompt error:

Request Id: 9e072f53-23f2-4317-9dda-240e18c15c00
Correlation Id: f7a29334-c4e3-40d4-9810-c22f6a78c4d9
Timestamp: 2020-01-31T15:57:50Z
Message: AADSTS90023: Unsupported 'prompt' value.

Through the Live endpoint, I can include space-delimited login and consent prompts. The space is encoded as "%20", e.g., prompt=login%20consent. This PowerShell script prompts for login and consent as expected.

$clientId = "MyClientId"
Start-Process "https://login.live.com/oauth20_authorize.srf?client_id=$clientId&scope=bingads.manage&response_type=code&redirect_uri=https://login.live.com/oauth20_desktop.srf&prompt=login%20consent"
$code = Read-Host "Grant consent in the browser, and then enter the code here (see ?code=UseThisCode&...)"
$response = Invoke-WebRequest https://login.live.com/oauth20_token.srf -ContentType application/x-www-form-urlencoded -Method POST -Body "client_id=$clientId&scope=bingads.manage&code=$code&grant_type=authorization_code&redirect_uri=https%3A%2F%2Flogin.live.com%2Foauth20_desktop.srf"
$oauthTokens = ($response.Content | ConvertFrom-Json)  
Write-Output "Access token: " $oauthTokens.access_token  
Write-Output "Access token expires in: " $oauthTokens.expires_in  
Write-Output "Refresh token: " $oauthTokens.refresh_token 

As the error indicates, setting both the login and consent prompts at the same time is currently not supported.

By design, when your resources are integrated with Azure Active Directory, the Azure AD consent framework is used to request permission to access them.

This results in a consent prompt being shown on first use of the application, which is usually a one-time action.

Therefore, there is no need to add the consent prompt to the request in order to trigger the OAuth consent dialog after every user sign-in.

Forcing the username and password to be entered may make sense, but forcing consent after every sign-in does not.
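As an added example (not code from the question or the answer above), a PowerShell helper that builds the v2.0 authorize URL with exactly one prompt value restricted to the values the v2.0 endpoint documents, URL-encodes every parameter including redirect_uri, and verifies the returned state before accepting the authorization code. The function names, the random state generation, and the hypothetical client id are assumptions.

```powershell
function New-AadAuthorizeUrl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string[]] $Scopes,
        [string] $RedirectUri = 'https://login.microsoftonline.com/common/oauth2/nativeclient',
        [string] $Tenant = 'common',
        # The v2.0 endpoint accepts a single prompt value; "login consent" is rejected with AADSTS90023.
        [ValidateSet('login', 'none', 'consent', 'select_account')]
        [string] $Prompt = 'login',
        # Random per-request state (assumption) so the redirect can be tied back to this request.
        [string] $State = ([guid]::NewGuid().ToString('N'))
    )
    $query = [ordered]@{
        client_id     = $ClientId
        scope         = ($Scopes -join ' ')   # spaces become %20 after encoding
        response_type = 'code'
        redirect_uri  = $RedirectUri
        state         = $State
        prompt        = $Prompt
    }
    $pairs = foreach ($k in $query.Keys) {
        '{0}={1}' -f $k, [System.Uri]::EscapeDataString([string]$query[$k])
    }
    return "https://login.microsoftonline.com/$Tenant/oauth2/v2.0/authorize?" + ($pairs -join '&')
}

function Get-AuthorizationCode {
    # Parses the URL the browser was redirected to and refuses the code unless state matches.
    param([Parameter(Mandatory)] [string] $RedirectedUrl, [Parameter(Mandatory)] [string] $ExpectedState)
    $params = @{}
    foreach ($pair in ($RedirectedUrl.Split('?', 2)[1] -split '&')) {
        $k, $v = $pair.Split('=', 2)
        $params[[System.Uri]::UnescapeDataString([string]$k)] = [System.Uri]::UnescapeDataString([string]$v)
    }
    if ($params['state'] -ne $ExpectedState) { throw 'state mismatch: discard this response' }
    if (-not $params['code']) { throw "authorization failed: $($params['error']) $($params['error_description'])" }
    return $params['code']
}

# Usage (hypothetical client id): sign-in is forced, consent is left to the first-use consent framework.
$state = [guid]::NewGuid().ToString('N')
$url = New-AadAuthorizeUrl -ClientId 'MyClientId' -Scopes 'openid','profile','offline_access' -Prompt login -State $state
Start-Process $url
$redirected = Read-Host 'Paste the full URL the browser was redirected to'
$code = Get-AuthorizationCode -RedirectedUrl $redirected -ExpectedState $state
```

The code returned by Get-AuthorizationCode can then be exchanged at the v2.0 token endpoint exactly as in the script in the question.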
