OAuth token for calling the Azure Data Lake Storage Gen 2 REST API using a service principal


I am developing an application (one of the core microservices) that will call Azure ADLS Gen 2 to store files (in a file system) for further processing by other components.

I am trying to obtain an OAuth token for authentication purposes by calling the Azure authentication endpoint with a service principal created beforehand.

The PowerShell code I used to create the service principal:

# Sign in to the subscription
Add-AzAccount -Subscription <SUBSCRIPTION ID>
# Create the service principal (a new app registration with a generated secret)
$sp = New-AzADServicePrincipal -DisplayName <PRINCIPAL NAME>
# Wait for the principal to replicate before assigning a role
Sleep 20
# Grant Contributor on the subscription to the new principal
New-AzRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $sp.ApplicationId
$sp.ApplicationId
# Convert the SecureString secret to plain text so it can be copied into the token request
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($sp.Secret)
$UnsecureSecret = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
$UnsecureSecret
Headers:

Content-Type: application/x-www-form-urlencoded
Authorization: Bearer <JWT token>
x-ms-date: Mon, 25 Nov 2019 12:00:00 GMT
x-ms-version: 2019-02-02

Request body:

grant_type: client_credentials
client_id: <Azure AD application client ID>
client_secret: <Azure AD application client secret>
scope: https://storage.azure.com/.default

Response:

{
    "error": {
        "code": "InvalidAuthenticationInfo",
        "message": "Server failed to authenticate the request. Please refer to the information in the www-authenticate header.\nRequestId:a6bf42d7-a01f-0006-1d88-a304da000000\nTime:2019-11-25T12:05:32.3049492Z"
    }
}

I tried different scopes, but it did not help:

https://dfs.core.windows.net/.default
https://blob.core.windows.net/.default

I can reproduce your issue. The Contributor RBAC role is enough, there is no need to add any API permissions. The problem is caused by the way you request the token: when using the v1.0 endpoint, you need to use resource: https://storage.azure.com/

GET https://login.microsoftonline.com/<TENANT ID>/oauth2/token

grant_type: client_credentials
client_id: <Azure AD application client ID>
client_secret: <Azure AD application client secret>
resource: https://storage.azure.com/

GET https://login.microsoftonline.com/<TENANT ID>/oauth2/v2.0/token

grant_type: client_credentials
client_id: <Azure AD application client ID>
client_secret: <Azure AD application client secret>
scope: https://storage.azure.com/.default

Test:
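As an added example (not code from the question or the answer), the Python below builds the two token requests the answer contrasts (v1.0 with `resource`, v2.0 with `scope` ending in `/.default`) and checks the `aud` claim of a returned token before placing it in the storage headers, so a token minted for the wrong audience is caught client-side instead of coming back as InvalidAuthenticationInfo. The tenant, client id, secret and the unsigned JWT used for the demonstration are constructed placeholders.

```python
import base64
import json
from email.utils import formatdate
from urllib.parse import urlencode

LOGIN = "https://login.microsoftonline.com"
STORAGE_RESOURCE = "https://storage.azure.com/"   # audience ADLS Gen2 expects in the token


def token_request(tenant_id, client_id, client_secret, version="v1.0"):
    """Return (url, form body) for a client-credentials request; the body is POSTed."""
    form = {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}
    if version == "v1.0":
        url = f"{LOGIN}/{tenant_id}/oauth2/token"
        form["resource"] = STORAGE_RESOURCE            # v1.0 names the audience directly
    elif version == "v2.0":
        url = f"{LOGIN}/{tenant_id}/oauth2/v2.0/token"
        form["scope"] = STORAGE_RESOURCE + ".default"  # v2.0 spells it as a scope
    else:
        raise ValueError("version must be 'v1.0' or 'v2.0'")
    return url, urlencode(form)


def jwt_audience(token):
    """Read the aud claim from a JWT payload (inspection only, no signature check)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)               # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("aud")


def storage_headers(token):
    """Headers for an ADLS Gen2 REST call; rejects tokens minted for another audience."""
    aud = jwt_audience(token)
    if aud not in (STORAGE_RESOURCE, STORAGE_RESOURCE.rstrip("/")):
        raise ValueError(f"token audience {aud!r} is not {STORAGE_RESOURCE}; "
                         "storage would answer InvalidAuthenticationInfo")
    return {"Authorization": f"Bearer {token}",
            "x-ms-date": formatdate(usegmt=True),      # RFC 1123 date, as in the question
            "x-ms-version": "2019-02-02"}


def fake_jwt(claims):
    """Constructed, unsigned JWT (alg none) for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    url, body = token_request("<TENANT ID>", "<client id>", "<client secret>")
    print(url, body)
    print(storage_headers(fake_jwt({"aud": STORAGE_RESOURCE, "appid": "<client id>"})))
```

The token endpoint is called with POST and the form body; a real token's signature must still be validated by the storage service, the `aud` check here only saves a round trip when the wrong endpoint parameter was used.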

Hmm, I should have guessed) Thanks a lot!