dqqyp90576 2017-06-06 15:55
Accepted

Active Directory OAuth 2.0 - Requesting an authorization code through PHP instead of through the browser

I'm following this documentation: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code

Under REQUEST AN AUTHORIZATION CODE, it gives sample code involving an endpoint for OAuth 2.0. I've followed this structure as the basis for my own request, resembling:

https://login.microsoftonline.com/{tenant}/oauth2/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=https://example.com
&response_mode=query
&resource=6731de76-14a6-49ae-97bc-6eba6914391e
&state=12345

During my tests, I've even tried (getting the request as bare as possible):

https://login.microsoftonline.com/{tenant}/oauth2/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code

Here's the interesting thing: If I access these domains through the browser, they return a "successful" call, like so:

https://example.com/?code=AOA...................................

However, I can't seem to get this same result (acquire a code) through a PHP workaround.

I've tried:

file_get_contents($my_url);

But all that returns is an error and a login page for Microsoft.

I've also tried doing so in cURL, but no luck.

Can anyone advise on how to replicate getting such a code (automatically)?

2 answers

  • doulu4534 2017-06-07 05:44

    The need here was to access APIs as a user later as well.

    When you redeem an authorization code, you get an access token and a refresh token. You attach the access token to API calls, and it expires in 1 hour by default. But the refresh token expires in 14 days by default, and can be used to get a new access token and refresh token. So you can have perpetual access as long as you always use the refresh token to get new tokens within 14 days.

    The user's access will be checked every time you refresh, so if their account is disabled or access is removed, you will get an error instead of new tokens.


    Short answer: you can't. To get an authorization code, you must redirect the browser so the user can sign in, go through MFA if necessary, sign in to their org local AD... As an end result, the user will be sent back to your app with the code, which you can then redeem for access tokens to APIs you want to call that are protected by Azure AD.

    This answer was selected as the best answer by the asker.
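
The flow the accepted answer describes (browser redirect, code returned to the app, code redeemed for tokens), as an added PHP example that is not part of the original thread. `{tenant}` and the redirect URI are placeholders as in the question, `AAD_CLIENT_SECRET` is a hypothetical environment variable name, and the random per-request `state` check is an addition in place of the question's fixed `state=12345`.

```php
<?php
// Added example, not from the thread. Placeholders: {tenant}, example.com;
// AAD_CLIENT_SECRET is a hypothetical environment variable name.
session_start();
$base   = 'https://login.microsoftonline.com/{tenant}/oauth2';
$common = [
    'client_id'    => '6731de76-14a6-49ae-97bc-6eba6914391e', // from the question
    'redirect_uri' => 'https://example.com',
    'resource'     => '6731de76-14a6-49ae-97bc-6eba6914391e',
];
function fail(int $status, string $msg) { http_response_code($status); exit($msg); }

// Sign-in failed or was cancelled: stop instead of redirecting again.
if (isset($_GET['error'])) fail(400, 'authorization failed');
if (!isset($_GET['code'])) {
    // Step 1: redirect the user's browser; sign-in and MFA happen at Azure AD.
    $_SESSION['oauth_state'] = bin2hex(random_bytes(16)); // unpredictable, per request
    header("Location: $base/authorize?" . http_build_query($common + [
        'response_type' => 'code',
        'response_mode' => 'query',
        'state'         => $_SESSION['oauth_state'],
    ]));
    exit;
}
// Step 2: the browser is back with ?code=...&state=...; verify state before use.
$expected = $_SESSION['oauth_state'] ?? '';
unset($_SESSION['oauth_state']);             // a state value is valid once
$state = $_GET['state'] ?? '';
if ($expected === '' || !is_string($state) || !hash_equals($expected, $state)
    || !is_string($_GET['code'])) {
    fail(400, 'invalid callback');
}
// Step 3: redeem the code server-side with a POST to the token endpoint.
$ch = curl_init("$base/token");
curl_setopt_array($ch, [
    CURLOPT_POST           => true,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_POSTFIELDS     => http_build_query($common + [
        'grant_type'    => 'authorization_code',
        'client_secret' => getenv('AAD_CLIENT_SECRET'), // keep out of source control
        'code'          => $_GET['code'],
    ]),
]);
$tokens = json_decode((string) curl_exec($ch), true);
if (!isset($tokens['access_token'], $tokens['refresh_token'])) {
    fail(502, 'token request failed');
}
$_SESSION['tokens'] = $tokens;               // tokens stay on the server
```

A `file_get_contents()` or cURL call to the authorize URL has no signed-in user behind it, which is why it returns the Microsoft login page; only the token request in step 3 is made by the server itself.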