Calling an Azure Web API from Postman with a specific scope

Updated: 2024-10-25 08:19:45

Problem description

I use Postman to test my API hosted in Azure. First I get an Access Token like this

Since I use the grant_type `client_credentials` I have to use the default scope like this `api://my-app-id/.default` as explained here.

But one of the endpoints of my API requires a specific scope, so the call fails because my access token does not contain this scope.

How am I supposed to test from Postman with the required scope?

Solution

If you use Client Credential Flow to obtain an access token for an api protected by Azure, you must create an application and grant application permissions to the application (this is because Client Credential flow has no user interaction).

Then you need to define the application permissions by editing the list of api applications. Here is an example.

Next, grant application permissions to the application:

Refer to this document and use Client Credential flow to get access token here:

1. First you need to get the administrator's consent:

```
GET https://login.microsoftonline.com/{tenant}/adminconsent?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&state=12345
&redirect_uri=http://localhost/myapp/permissions
```

2. Then you can get the access token by sharing the secret:

```
POST /{tenant}/oauth2/v2.0/token HTTP/1.1           //Line breaks for clarity
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=535fb089-9ff3-47b6-9bfb-4f1264799865
&scope=api://your-app-id/.default
&client_secret=qWgdYAmab0YSkuL1qKv5bPX
&grant_type=client_credentials
```

Parse the token and you will see your custom roles:

Try using the token to access your API.

Update:

According to your mistakes, there is user interaction, so if you want to use a user token, you should not use Client Credential Flow but auth code flow, and grant client application Delegated permissions.

```
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=api://11f5aca5-ba22-4b7b-8312-60a09aab7xxx/Files.Upload
&state=12345
```

```
POST /{tenant}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=api://11f5aca5-ba22-4b7b-8312-60a09aab7df5/Files.Upload
&code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&grant_type=authorization_code
&client_secret=JqQX2PNo9bpM0uEihUPzyrh
```

Parse the token and you will see your custom scp:
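To check which of the two claims a token actually carries before sending it to the API, the payload can be decoded locally. The following is an added example, not part of the original answer; the role name `Files.Read.All`, the helper names and the sample tokens are constructed for illustration, and the decoder does not verify signatures, so it is an inspection aid only.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def read_claims(token: str) -> dict:
    # Inspection only: the signature is NOT verified here, so never use this
    # function to make an authorization decision inside the API itself.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def granted_permissions(claims: dict) -> dict:
    # Delegated permissions arrive as a space-separated string in `scp`;
    # application permissions arrive as a JSON array in `roles`.
    scp = claims.get("scp", "")
    roles = claims.get("roles", [])
    return {
        "delegated": set(scp.split()) if isinstance(scp, str) else set(),
        "application": set(roles) if isinstance(roles, list) else set(),
    }


def explain(token: str, required: str) -> str:
    perms = granted_permissions(read_claims(token))
    if required in perms["delegated"]:
        return "ok: delegated scope present in scp (user token)"
    if required in perms["application"]:
        return "app-only: permission present in roles, not in scp"
    if perms["application"] and not perms["delegated"]:
        return "app-only token without the permission: grant it as an application permission or use auth code flow"
    return "missing: request the scope explicitly in the authorize and token calls"


def make_token(payload: dict) -> str:
    # Builds a constructed, unsigned sample token (placeholder signature segment).
    segs = [base64.urlsafe_b64encode(json.dumps(p).encode()).rstrip(b"=").decode()
            for p in ({"alg": "none", "typ": "JWT"}, payload)]
    return ".".join(segs + ["sig"])


# Constructed samples: one token per flow described above.
APP_TOKEN = make_token({"aud": "api://my-app-id", "roles": ["Files.Read.All"]})
USER_TOKEN = make_token({"aud": "api://my-app-id", "scp": "Files.Upload"})
```

Calling `explain(APP_TOKEN, "Files.Upload")` reproduces the situation in the question: a client-credentials token has no `scp` claim, so an endpoint that checks for a delegated scope rejects it.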

Published: 2023-10-29 04:08:32
Article link: https://www.elefans.com/category/jswz/34/1538678.html