搭建 ADFS 之后,默認(rèn)已經(jīng)開(kāi)啟了 Oauth2.0.
注意添加或者使用已有的 信賴(lài)方信任 , 增加一個(gè)自己的標(biāo)識(shí)符
參考 https://blog.scottlogic.com/2015/03/09/OAUTH2-Authentication-with-ADFS-3.0.html
http://www.gi-architects.co.uk/2016/04/setup-oauth2-on-adfs-3-0/
如果遇到:
error=invalid_resource&error_description=MSIS9602%3a+The+received+%27resource%27+parameter+is+invalid.+The+authorization+server+can+not+find+a+registered+resource+with+the+specified+identifier.
說(shuō)明 未信任 或者 標(biāo)識(shí)符傳錯(cuò)了
以下為具體的實(shí)驗(yàn)過(guò)程:
powershell Add-ADFSClient -Name "OAUTH2 Test Client" -ClientId "todd" -RedirectUri "http://192.168.0.20:3000/getAToken"
https://win-r9jnunkcelj.rinsys.com/adfs/oauth2/authorize?response_type=code&client_id=todd&resource=urn%3Arelying%3Aparty%3Atrust%3Aidentifier&redirect_uri=http%3A%2F%2F192.168.0.20%3A3000%2FgetAToken
->
https://win-r9jnunkcelj.rinsys.com/adfs/oauth2/authorize?response_type=code&client_id=todd&resource=urn:relying:party:trust:identifier&redirect_uri=http://192.168.0.20:3000/getAToken
發(fā)送
POST /adfs/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: your.adfs.server
Content-Length: <some number>
grant_type=authorization_code&client_id=some-uid-or-other&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2FgetAToken&code=thecode
遇到錯(cuò)誤:
{
"error": "invalid_request",
"error_description": "MSIS9609: The 'redirect_uri' parameter is invalid. No redirect uri with the specified value is registered for the received 'client_id'. "
}
特么的 竟然是因?yàn)?URL encode 了 redirect_uri . 因?yàn)槭?POST,不用encode 這個(gè)參數(shù).
5.獲取Token:
{
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjBzTVZIOXlVdFlyaFhCd0hOcTdRejZrRm5XZyJ9.eyJhdWQiOiJ1cm46cmVseWluZzpwYXJ0eTp0cnVzdDppZGVudGlmaWVyIiwiaXNzIjoiaHR0cDovL1dJTi1SOUpOVU5LQ0VMSi5yaW5zeXMuY29tL2FkZnMvc2VydmljZXMvdHJ1c3QiLCJpYXQiOjE1NjE0NTQzOTQsImV4cCI6MTU2MTQ1Nzk5NCwidXBuIjoiQWRtaW5pc3RyYXRvckByaW5zeXMuY29tIiwidWlkIjoiQWRtaW5pc3RyYXRvciIsInN1YiI6ImFkbWluaXN0cmF0b3JAcmluc3lzLmNvbSIsImF1dGhfdGltZSI6IjIwMTktMDYtMjVUMDk6MDA6MzAuMTAyWiIsImF1dGhtZXRob2QiOiJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZFByb3RlY3RlZFRyYW5zcG9ydCIsInZlciI6IjEuMCIsImFwcGlkIjoidG9kZCJ9.R7YOyp986M6sYPrjyCI5JAVEZ0XTat9i89Hi8PeV4xQbe5NLrjO6CqpN2v_C_sCj5PgGyBMkAHKX4Bgyf3s4eisilrsU7t08td2nYU05rzHL8IHF_Emv0B2s0OsbY5kkACI8iYAW0rQ7ZpfUitWgygTR-GtvBnZfAfn65OpEX87Gt_x6hXL88Oacia9Le1tBFX3MiK3ShrsIv4LrSaFw5HxfN_yfieZqxndmuXOL3tcna1jyamUdmMa4WcfdNwSRlxwVlUZvbGYxSHXgSwfUvak_zkekAEFI5QtNup85ZBp1JPehlXePOBLJ_ZGErIbt-5lmHT6uX2H--qKGEFbYeg",
"token_type": "bearer",
"expires_in": 3600,
"refresh_token": "_bhAioyNOFP-uPNqFdMUf3SW4RIyMaRcW1uFsnTohr4AAQAAKHBS9_LiM8OMqOH7mNv6JT_D1fm3LilU-bJGPi-6uHvW-mSkDHqgqy2JhdAocmsNZ08Duzcf6PV5pO9Z-CX-4EvuYTC7silc043QLXl1MOOxhw2V5sC6hrjO5BsUWXLRoGKerWrCAaW1TwS1bb9G1XtTgGigX2UjvcN8Z0u9_RV-"
}
