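Hope you're all having a nice day!
I'm learning how to sign in with Azure. Right now the popup and the authentication both work (I believe, hehe), and I receive the `code` response from the authentication.
Now I need to get the `accessToken` so that I can fetch the user data (of the person who signed in). I tried the following code: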
    var requestParams: any = {
      client_id: "0b585496-xxxx-xxxx-xxxx-c0468796e718",
      scope: "User.Read",
      code: props.code, // <-- this from `code` response
      redirect_uri: "myapp://login",
      grant_type: "authorization_code",
    };
    var formBody: any = [];
    for (var p in requestParams) {
      var encodedKey = encodeURIComponent(p);
      var encodedValue = encodeURIComponent(requestParams[p]);
      formBody.push(encodedKey + "=" + encodedValue);
    }
    formBody = formBody.join("&");
    /* make a POST request using fetch and the body params we just setup */
    let tokenResponse: any = null;
    fetch(
      `https://login.microsoftonline.com/afdb7f3a-xxxx-xxxx-xxxx-4d604512e9f0/oauth2/v2.0/token`,
      {
        method: "POST",
        headers: {
          "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
        },
        body: formBody,
      }
    )
      .then((response) => response.json())
      .then((response) => {
        tokenResponse = response;
        console.log(response);
      })
      .catch((error) => {
        console.error(error);
      });
I get this error:
    Object {
      "correlation_id": "94961159-xxxx-xxxx-xxxx-0c400f7d11e8",
      "error": "invalid_grant",
      "error_codes": Array [
        50148,
      ],
      "error_description": "AADSTS50148: The code_verifier does not match the code_challenge supplied in the authorization request for PKCE.
    Trace ID: dc2ba549-xxxx-xxxx-xxxx-8f961e9ba600
    Correlation ID: 94961159-xxxx-xxxx-xxxx-0c400f7d11e8
    Timestamp: 2022-07-21 05:25:40Z",
      "error_uri": "https://login.microsoftonline.com/error?code=50148",
      "timestamp": "2022-07-21 05:25:40Z",
      "trace_id": "dc2ba549-909b-4446-8bb7-8f961e9ba600",
    }
I don't know why I can't get the accessToken. My `code` looks like:
0.AVUAOn_br_87QEeWJE1gRRLp8....oFkTkxc1DEhW31aXzd7IcylyCvaK2kjSR2XcDCsvHKUVubYiPCXjwY-D8SzZz883EhgZT8vx1mostM-_
Do you know what's wrong with my code? :(
To resolve the error "AADSTS50148: The code_verifier does not match the code_challenge supplied in the authorization request for PKCE", try the following:
Based on the code you gave:
    client_id: "0b585496-xxxx-xxxx-xxxx-c0468796e718",
    scope: "User.Read",
    code: props.code, // <-- this from `code` response
    redirect_uri: "myapp://login",
    grant_type: "authorization_code",
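Assuming you generate the code from the `auth` endpoint, make sure the value of the `code` parameter is correct.
Make sure the request to the `auth` endpoint that generates the authorization code looks like this: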
    GET https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize?
      response_type=code
      &client_id=Client_ID
      &scope=Your_scope
      &redirect_uri=Your_Redirect_URI
      &code_challenge=Your_code_challenge
      &code_challenge_method=S256
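To generate the `code_challenge`, you can use a PKCE generator tool, as shown below:
I was able to generate the code value from the browser for the PKCE flow using the above endpoint:
I was able to successfully generate an access token from Postman, as shown below:
For more details, you can refer to the following link on how to do this programmatically:
How to perform Auth Code with PKCE | Azure Active Directory Developer Support Team, by Bac Hoang [MSFT]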