AD login
App registration details
Application (client) ID: 401e4b5432423423423
Object ID: 64cb2b21-3e41-4042342342222222
Directory (tenant) ID: 5ebe5d1f-trwer23r4324
secret key: YNF2m_JHaX2432trewt23523trw
redirect_uri: http://localhost:8080/
SCOPE = "openid offline_access"
GRANT_TYPE = "authorization_code"
{"clientId":"401e4b54-bac2342rrwerrwet",
"tenantId":"5ebe5d1f-6ce7-4b79-a42322rwet23",
"secrectKey":"YNF2m_JHaX2y5ABma9q~r2r3rewr2342r",
"redirectUri":"http://localhost:8080/"}
1. Authorization code grant
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=6731de76-14a6-44234r23tr23r
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=https%3A%2F%2Fgraph.microsoft.com%2Fmail.read%20api%3A%2F%2F
&state=12345
&code_challenge=YTFjNjI1OWYzMzA3MTI4ZDY2Njg5M2RkNmVjNDE5YmEyZGRhOGYyM2IzNjdmZWFhMTQ1ODg3NDcxY2Nl
&code_challenge_method=S256
tenant : {common,organizations,consumers}
client_id : the Application (client) ID assigned to your app on the App registrations page of the Azure portal
response_type : code
redirect_uri : the redirect (callback) URI registered for the app
scope :
response_mode : query
state : an arbitrary value chosen by the client
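Generating the PKCE pair and the state value for step 1, assembling the authorize URL, and checking the redirect that comes back, as an added Python example (not from the original notes). The tenant, client_id and redirect_uri arguments are placeholders; only the standard library is used. The state check on the callback is what makes the "arbitrary value" useful: a reply whose state does not match the one stored for this session is dropped.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"


def code_challenge(verifier):
    """S256 transform from RFC 7636: BASE64URL(SHA256(verifier)), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, code_challenge).

    32 random bytes encode to a 43-character URL-safe string, the minimum
    length RFC 7636 allows (43..128). The verifier stays server-side and is
    sent only in step 2; the challenge goes into the authorize URL.
    """
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, code_challenge(verifier)


def make_state():
    """Unguessable per-login value; stored in the session and compared on return."""
    return secrets.token_urlsafe(16)


def build_authorize_url(tenant, client_id, redirect_uri, scope, state, challenge):
    """Assemble the step-1 URL with the same parameters the notes list."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    # quote_via=quote encodes the space in the scope as %20, as in the notes
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?" + urlencode(params, quote_via=quote)


def parse_callback(callback_url, expected_state):
    """Extract the code from the redirect back to redirect_uri.

    A state value that differs from the one stored for this session means the
    response was not produced by the request we sent, so it is discarded.
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding callback")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


if __name__ == "__main__":
    # Placeholder client_id; the real one comes from the app registration.
    verifier, challenge = make_pkce_pair()
    state = make_state()
    print(build_authorize_url("common", "<client_id>", "http://localhost:8080/",
                              "openid offline_access", state, challenge))
```

The verifier and state must be kept (for example in the server-side session) until the browser returns to redirect_uri; the verifier is then sent in the step-2 token request and the state is compared before the code is used.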
2. Request an access token with client_secret
POST /{tenant}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
&code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&grant_type=authorization_code
&code_verifier=ThisIsntRandomButItNeedsToBe43CharactersLong
&client_secret=JqQX2PNo9bpM0uEihUPzyrh // NOTE: Only required for web apps. This secret needs to be URL-Encoded.
Response
{
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...",
"token_type": "Bearer",
"expires_in": 3599,
"scope": "https%3A%2F%2Fgraph.microsoft.com%2Fmail.read",
"refresh_token": "AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMxZGUTdM0t4B4...",
"id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdWQiOiIyZDRkMTFhMi1mODE0LTQ2YTctOD..."
}
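Building the step-2 token request and checking its response, as an added Python example (not from the original notes), which also produces the Bearer header used in step 3. The id_token claim checks assume the v2.0 claim names `aud`, `tid`, `iss` and `exp`; the sample response is constructed to mirror the truncated one above, and its id_token is an unsigned alg=none token used only so the example runs offline. Signature verification against the tenant's published keys is required before any claim is trusted and is deliberately outside this example.

```python
import base64
import json
import time
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"


def build_token_request(tenant, client_id, client_secret, code, redirect_uri, scope, code_verifier):
    """Return (url, headers, body) for the authorization_code exchange.

    urlencode percent-encodes every value, including the client_secret, which
    the note on the client_secret line in step 2 requires.
    """
    body = urlencode({
        "client_id": client_id,
        "scope": scope,
        "code": code,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
        "code_verifier": code_verifier,
        "client_secret": client_secret,
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", headers, body


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def id_token_claims(id_token):
    """Decode the JWT payload only. The signature is not verified here; a real
    login must check it against the keys at the tenant's jwks_uri (listed in
    /{tenant}/v2.0/.well-known/openid-configuration) before trusting a claim."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def parse_token_response(text, client_id, tenant, now=None):
    """Validate the step-2 JSON and return what the app should keep."""
    now = time.time() if now is None else now
    data = json.loads(text)
    if "error" in data:
        raise ValueError(f"token endpoint error: {data['error']}")
    if data.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type")
    claims = id_token_claims(data["id_token"])
    if claims.get("aud") != client_id:
        raise ValueError("id_token was issued to a different client_id")
    if claims.get("tid") != tenant or claims.get("iss") != f"{AUTHORITY}/{tenant}/v2.0":
        raise ValueError("id_token was issued by a different tenant")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token has expired")
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),
        "expires_at": now + int(data["expires_in"]),  # absolute time, for refresh decisions
        "subject": claims.get("sub"),  # stable user id to match against stored users
    }


def bearer_header(access_token):
    """Header for step 3: GET https://graph.microsoft.com/oidc/userinfo."""
    return {"Authorization": f"Bearer {access_token}"}


def sample_token_response(client_id, tenant, exp):
    """Constructed sample mirroring the response in step 2. Its id_token uses
    alg=none so the example runs offline; a production verifier rejects alg=none."""
    header = _b64url_encode({"typ": "JWT", "alg": "none"})
    payload = _b64url_encode({
        "aud": client_id, "tid": tenant, "iss": f"{AUTHORITY}/{tenant}/v2.0",
        "sub": "OLu859SGc2Sr9ZsqbkG-QbeLgJlb41KcdiPoLYNpSFA", "exp": exp,
    })
    return json.dumps({
        "access_token": "constructed.access.token",
        "token_type": "Bearer",
        "expires_in": 3599,
        "scope": "openid offline_access",
        "refresh_token": "constructed-refresh-token",
        "id_token": f"{header}.{payload}.",
    })


if __name__ == "__main__":
    now = time.time()
    kept = parse_token_response(sample_token_response("<client_id>", "<tenant>", now + 3600),
                                "<client_id>", "<tenant>", now=now)
    print(kept, bearer_header(kept["access_token"]))
```

Storing `expires_at` as an absolute timestamp rather than the raw `expires_in` lets the app decide when to use the refresh_token; the `sub` claim is the stable identifier to compare against the locally stored user, since `email` and `name` only appear when the corresponding scopes were requested.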
3. Fetch user info with the token
GET or POST /oidc/userinfo HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6Il…
Response
{
"sub": "OLu859SGc2Sr9ZsqbkG-QbeLgJlb41KcdiPoLYNpSFA",
"name": "Mikah Ollenburg", // names all require the “profile” scope.
"family_name": " Ollenburg",
"given_name": "Mikah",
"email": "mikoll@contoso.com" //requires the “email” scope.
}
4. Request admin consent from a directory administrator
https://login.microsoftonline.com/5ebe5d1f-6ce7-4b79-a8a7-66e17e0f791e/v2.0/adminconsent?
client_id=401e4b54-bac8-4240-9e90-e64fadaaddd9
&state=12345
&redirect_uri=http://localhost:8080/
&scope=openid%20offline_access
Flow:
1. Go to Microsoft to obtain an authorization code (Acb account)
2. Exchange the authorization code for a token
3. Present the token to the Acb side for validation
4. Use the token to fetch the user info from Microsoft and match it against the users stored by the wallyt service