AD login notes

AD login
App registration details
Application (client) ID: 401e4b5432423423423

Object ID: 64cb2b21-3e41-4042342342222222

Directory (tenant) ID: 5ebe5d1f-trwer23r4324

secret key: YNF2m_JHaX2432trewt23523trw

redirect_uri: http://localhost:8080/

SCOPE = "openid offline_access"
GRANT_TYPE = "authorization_code"

{"clientId":"401e4b54-bac2342rrwerrwet",
"tenantId":"5ebe5d1f-6ce7-4b79-a42322rwet23",
"secrectKey":"YNF2m_JHaX2y5ABma9q~r2r3rewr2342r",
"redirectUri":"http://localhost:8080/"}
1. Authorization code grant
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=6731de76-14a6-44234r23tr23r
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=https%3A%2F%2Fgraph.microsoft.com%2Fmail.read%20api%3A%2F%2F
&state=12345
&code_challenge=YTFjNjI1OWYzMzA3MTI4ZDY2Njg5M2RkNmVjNDE5YmEyZGRhOGYyM2IzNjdmZWFhMTQ1ODg3NDcxY2Nl
&code_challenge_method=S256
tenant : {common,organizations,consumers}
client_id : the Application (client) ID assigned to your app in the Azure portal's app registration
response_type : code
redirect_uri : the registered callback address
scope : 
response_mode : query
state : any value

2. Request an access token with client_secret
POST /{tenant}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
&code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&grant_type=authorization_code
&code_verifier=ThisIsntRandomButItNeedsToBe43CharactersLong 
&client_secret=JqQX2PNo9bpM0uEihUPzyrh    // NOTE: Only required for web apps. This secret needs to be URL-Encoded.
Response
{
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...",
    "token_type": "Bearer",
    "expires_in": 3599,
    "scope": "https%3A%2F%2Fgraph.microsoft.com%2Fmail.read",
    "refresh_token": "AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMxZGUTdM0t4B4...",
    "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdWQiOiIyZDRkMTFhMi1mODE0LTQ2YTctOD..."
}

3. Get user info with the token
GET or POST /oidc/userinfo HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6Il…
Response
{
    "sub": "OLu859SGc2Sr9ZsqbkG-QbeLgJlb41KcdiPoLYNpSFA",
    "name": "Mikah Ollenburg", // names all require the “profile” scope.
    "family_name": " Ollenburg",
    "given_name": "Mikah",
    "email": "mikoll@contoso.com" //requires the “email” scope.
}

4. Request admin consent from the directory administrator
https://login.microsoftonline.com/5ebe5d1f-6ce7-4b79-a8a7-66e17e0f791e/v2.0/adminconsent?
client_id=401e4b54-bac8-4240-9e90-e64fadaaddd9
&state=12345
&redirect_uri=http://localhost:8080/
&scope=openid%20offline_access


Flow:
1. Go to Microsoft to obtain the authorization code (Acb account)
2. Exchange the authorization code for a token
3. Present the token to the Acb side for verification
4. Use the token to fetch the user info from Microsoft and check it against the user stored by the wallyt service
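An added Python example (not part of the original notes) that carries out steps 1 and 2 above on the client side: it generates the PKCE code_verifier and its S256 code_challenge, builds the /authorize URL, refuses the callback unless the state it issued comes back, and assembles the form body for the /token request. Tenant, client_id and secret values are placeholders, and nothing is sent over the network.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com"


def make_code_verifier() -> str:
    """RFC 7636 code_verifier: 32 random bytes -> 43 base64url chars, no padding."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str,
                        scope: str, state: str, code_challenge: str) -> str:
    """Step 1: the /oauth2/v2.0/authorize request; urlencode() percent-encodes every value."""
    params = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
              "response_mode": "query", "scope": scope, "state": state,
              "code_challenge": code_challenge, "code_challenge_method": "S256"}
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?" + urlencode(params)


def extract_code(callback_url: str, expected_state: str) -> str:
    """Parse the redirect back to redirect_uri; accept the code only if state matches ours."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback was not started by this session")
    if "code" not in query:
        raise ValueError("no authorization code in callback: %s" % query.get("error"))
    return query["code"][0]


def build_token_body(client_id: str, redirect_uri: str, scope: str, code: str,
                     verifier: str, client_secret: str = "") -> str:
    """Step 2: x-www-form-urlencoded body for /oauth2/v2.0/token.
    client_secret is only needed for web apps and gets URL-encoded here, as the notes require."""
    fields = {"client_id": client_id, "scope": scope, "code": code, "redirect_uri": redirect_uri,
              "grant_type": "authorization_code", "code_verifier": verifier}
    if client_secret:
        fields["client_secret"] = client_secret
    return urlencode(fields)


if __name__ == "__main__":
    verifier, state = make_code_verifier(), secrets.token_urlsafe(16)  # state is random, not fixed
    print(build_authorize_url("common", "CLIENT_ID_PLACEHOLDER", "http://localhost:8080/",
                              "openid offline_access", state, make_code_challenge(verifier)))
```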
