dqqyp90576 2017-06-06 15:55

Active Directory OAuth 2.0 - Requesting an authorization code through PHP instead of a browser request

I'm following this documentation: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code

Under REQUEST AN AUTHORIZATION CODE, it gives sample code involving an endpoint for OAuth 2.0. I've followed this structure to base my own request resembling:

https://login.microsoftonline.com/{tenant}/oauth2/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=https://example.com
&response_mode=query
&resource=6731de76-14a6-49ae-97bc-6eba6914391e
&state=12345

During my tests, I've even tried (getting the request as bare as possible):

https://login.microsoftonline.com/{tenant}/oauth2/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code

Here's the interesting thing: If I access these domains through the browser, they return a "successful" call, like so:

https://example.com/?code=AOA...................................

However, I can't seem to get this same result (acquire a code) through a PHP workaround.

I've tried:

file_get_contents($my_url);

But all that returns is an error and a login page for Microsoft.

I've also tried doing so in cURL, but no luck.

Can anyone advise on how to replicate getting such a code (automatically)?

2 answers

  • doulu4534 2017-06-07 05:44

    The need here was to access APIs as a user later as well.

    When you redeem an authorization code, you get an access token and a refresh token. The access token you attach to API calls, and expires in 1 hour by default. But the refresh token expires in 14 days by default, and can be used to get a new access token and refresh token. So you can have perpetual access as long as you use the refresh token to get new tokens always within 14 days.

    The user's access will be checked every time you refresh, so if their account is disabled or access is removed, you will get an error instead of new tokens.


    Short answer: you can't. To get an authorization code, you must redirect the browser so the user can sign in, go through MFA if necessary, sign in to their org local AD... As an end result, the user will be sent back to your app with the code, which you can then redeem for access tokens to APIs you want to call that are protected by Azure AD.

    This answer was selected by the asker as the best answer.
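
Added example, not part of the original question or answer: a PHP sketch of the flow the accepted answer describes. The browser is redirected to the authorize URL, the `state` returned to the redirect URI is checked before the code is accepted, and the server then builds the form fields for redeeming the code or a refresh token. The client ID, resource, secret, the `/oauth2/token` path and all function names are placeholders or assumptions chosen for illustration.

```php
<?php
// Added example. Every identifier below is a placeholder or an assumption.
const TENANT       = '{tenant}';
const CLIENT_ID    = '00000000-0000-0000-0000-000000000000';
const RESOURCE     = '00000000-0000-0000-0000-000000000000';
const REDIRECT_URI = 'https://example.com';
const BASE         = 'https://login.microsoftonline.com/' . TENANT . '/oauth2';

// Step 1: the URL the *browser* is sent to; the user signs in there, not PHP.
function authorizeUrl(array &$session): string {
    // Unpredictable per-login state, kept server-side for the callback check.
    $session['oauth_state'] = bin2hex(random_bytes(16));
    return BASE . '/authorize?' . http_build_query([
        'client_id'     => CLIENT_ID,
        'response_type' => 'code',
        'redirect_uri'  => REDIRECT_URI,
        'response_mode' => 'query',
        'resource'      => RESOURCE,
        'state'         => $session['oauth_state'],
    ]);
}

// Step 2: runs at the redirect URI; refuse a missing or mismatched state.
function codeFromCallback(array $query, array &$session): string {
    $expected = $session['oauth_state'] ?? '';
    unset($session['oauth_state']);                 // state is single use
    $got = (string)($query['state'] ?? '');
    if ($expected === '' || !hash_equals($expected, $got)) {
        throw new RuntimeException('state mismatch, callback rejected');
    }
    if (!isset($query['code']) || $query['code'] === '') {
        throw new RuntimeException($query['error'] ?? 'no code returned');
    }
    return $query['code'];
}

// Step 3: form fields POSTed server-to-server to BASE . '/token'.
function tokenRequest(string $grant, string $value, string $secret): array {
    $fields = ['grant_type' => $grant, 'client_id' => CLIENT_ID,
               'client_secret' => $secret, 'resource' => RESOURCE];
    return $grant === 'authorization_code'
        ? $fields + ['code' => $value, 'redirect_uri' => REDIRECT_URI]
        : $fields + ['refresh_token' => $value];
}

// Constructed walk-through: no network access, sample code and secret only.
$session = [];
parse_str(parse_url(authorizeUrl($session), PHP_URL_QUERY), $sent);
$code = codeFromCallback(['code' => 'SAMPLE_CODE', 'state' => $sent['state']], $session);
echo http_build_query(tokenRequest('authorization_code', $code, 'PLACEHOLDER_SECRET')), "\n";
echo http_build_query(tokenRequest('refresh_token', 'SAMPLE_REFRESH', 'PLACEHOLDER_SECRET')), "\n";
```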