Graph msal acquireTokenSilent失败,静默身份验证被拒绝
我使用的是msal angular,我不能使用MsalInterceptor,因为它处理每个请求,而我希望它只处理图形请求。 因此,我试图在我的应用程序中自己获得一个令牌 我是这样做的: MsalModule的配置Graph msal acquireTokenSilent失败,静默身份验证被拒绝,graph,msal,Graph,Msal,我使用的是msal angular,我不能使用MsalInterceptor,因为它处理每个请求,而我希望它只处理图形请求。 因此,我试图在我的应用程序中自己获得一个令牌 我是这样做的: MsalModule的配置 MsalModule.forRoot({ auth: { clientId: 'xxxxxx', authority: 'https://login.microsoftonline.com/common', redirectUri: 'my_url',
MsalModule.forRoot({
auth: {
clientId: 'xxxxxx',
authority: 'https://login.microsoftonline.com/common',
redirectUri: 'my_url',
},
cache: {
cacheLocation: 'localStorage',
storeAuthStateInCookie: false, // set to true for IE 11
},
},
{
popUp: true,
consentScopes:[
'user.read',
"calendars.read",
"calendars.read.shared",
"calendars.readwrite",
"group.read.all",
"openid",
"profile"
],
}),
我正在这样登录:
this.msalService.loginPopup({scopes: [
'user.read',
"calendars.read",
"calendars.read.shared",
"calendars.readwrite",
"group.read.all",
"openid",
"profile"
]})
我正在拦截这样的登录成功
this.broadcastService.subscribe('msal:loginSuccess' ...
const result: AuthResponse = await this.msalService.acquireTokenSilent({scopes: [
'user.read',
"calendars.read",
"calendars.read.shared",
"calendars.readwrite",
"group.read.all",
"openid",
"profile"
]}).catch((error) => {
console.log(error);
});
const result: AuthResponse = await this.msalService.acquireTokenSilent({
scopes: [
'user.read',
"calendars.read",
"calendars.read.shared",
"calendars.readwrite",
"group.read.all",
"openid",
"profile"
]
}).catch((error) => {
if (error.name === "InteractionRequiredAuthError") {
return this.msalService.acquireTokenPopup({
scopes: [
'user.read',
"calendars.read",
"calendars.read.shared",
"calendars.readwrite",
"group.read.all",
"openid",
"profile"
]
})
}
});
return result.accessToken;
我想得到一个像这样的代币
this.broadcastService.subscribe('msal:loginSuccess' ...
const result: AuthResponse = await this.msalService.acquireTokenSilent({scopes: [
'user.read',
"calendars.read",
"calendars.read.shared",
"calendars.readwrite",
"group.read.all",
"openid",
"profile"
]}).catch((error) => {
console.log(error);
});
const result: AuthResponse = await this.msalService.acquireTokenSilent({
scopes: [
'user.read',
"calendars.read",
"calendars.read.shared",
"calendars.readwrite",
"group.read.all",
"openid",
"profile"
]
}).catch((error) => {
if (error.name === "InteractionRequiredAuthError") {
return this.msalService.acquireTokenPopup({
scopes: [
'user.read',
"calendars.read",
"calendars.read.shared",
"calendars.readwrite",
"group.read.all",
"openid",
"profile"
]
})
}
});
return result.accessToken;
我仍然收到这个错误:静默身份验证被拒绝。用户必须首先登录,并在需要时授予客户端应用程序对作用域“user.read calendars.read calendars.read.shared calendars.readwrite group.read.all openid profile”的访问权限。
这是我在Azure portal上的应用程序配置
我真的不明白这个问题是从哪里来的
谢谢你的帮助
[编辑]
当acquireTokenSilent像这样失败时,我可以通过调用acquireTokenPopup来获取访问令牌
this.broadcastService.subscribe('msal:loginSuccess' ...
const result: AuthResponse = await this.msalService.acquireTokenSilent({scopes: [
'user.read',
"calendars.read",
"calendars.read.shared",
"calendars.readwrite",
"group.read.all",
"openid",
"profile"
]}).catch((error) => {
console.log(error);
});
const result: AuthResponse = await this.msalService.acquireTokenSilent({
scopes: [
'user.read',
"calendars.read",
"calendars.read.shared",
"calendars.readwrite",
"group.read.all",
"openid",
"profile"
]
}).catch((error) => {
if (error.name === "InteractionRequiredAuthError") {
return this.msalService.acquireTokenPopup({
scopes: [
'user.read',
"calendars.read",
"calendars.read.shared",
"calendars.readwrite",
"group.read.all",
"openid",
"profile"
]
})
}
});
return result.accessToken;
}
它工作,但不断弹出一个窗口。
有人能给我解释一下原因吗
谢谢我有类似的问题,只需使用以下代码即可获得异常
this.broadcastService.subscribe('msal:acquireTokenFailure', (payload) => {
console.log(payload);
});
InteractionRequiredAuthError:静默身份验证被拒绝。用户必须首先登录,并在需要时授予客户端应用程序访问作用域的权限api://1cfd57f1-ad48-4396-b95c-7fa782a178b6/access_as_user openid配置文件'
文件中说:
InteractionRequiredAuthError:Error类,将ServerError扩展到
表示需要交互式调用的服务器错误。这个错误
如果需要用户交互,则由acquireTokenSilent引发
使用服务器为提供凭据或同意
认证/授权。错误代码包括
“需要交互”、“需要登录”和“需要同意”
对于使用重定向方法(LoginDirect、acquireTokenRedirect)的身份验证流中的错误处理,需要注册回调
因此,我将“this.msalService.loginDirect()”添加到回调方法以解决我的问题。我也不太明白,为什么要再次授予权限,但当man检查“MsalGuard”()的实现时,如果异常是通过获取令牌引发的,它将执行相同的代码“loginDirect”
顺便说一句,我还将客户端应用程序ID添加到我的API“Expose a API”中,以授权客户端而无需征得同意。我的应用程序最终修复了该异常
您必须强制执行同意弹出窗口来显示。 试试这个