我正在使用 passport-azure-ad 库为我的 Azure 应用程序对 Azure AD 进行 SSO。以下是选项对象:
const options = {
identityMetadata: process.env.AZUREAD_IDENTITY_METADATA,
clientID: process.env.AZUREAD_AUTH_CLIENT_ID,
responseType: 'code id_token',
responseMode: 'form_post',
redirectUrl: process.env.AZUREAD_REDIRECT_URL,
allowHttpForRedirectUrl: true,
clientSecret: process.env.AZUREAD_AUTH_CLIENT_SECRET,
validateIssuer: false,
issuer: null,
passReqToCallback: true,
useCookieInsteadOfSession: true,
cookieEncryptionKeys: [
{ key: '********************************', iv: '************' },
{ key: '********************************', iv: '************' },
],
scope: ['profile', 'offline_access', 'https://graph.microsoft.com/mail.read'],
loggingLevel: 'info',
nonceLifetime: null,
nonceMaxAmount: 5,
clockSkew: null,
};
从 AD 回调获取授权代码 (req.body.code) 后,我使用它来使用 adal-node 库检索我的应用程序的访问令牌。相关代码片段 -
const authenticationContext = new AuthenticationContext(
`https://login.microsoftonline.com/<tenant>.onmicrosoft.com`,
);
authenticationContext.acquireTokenWithAuthorizationCode(
req.body.code,
process.env.AZUREAD_REDIRECT_URL,
process.env.AZUREAD_AUTH_CLIENT_ID,
process.env.AZUREAD_AUTH_CLIENT_ID,
process.env.AZUREAD_AUTH_CLIENT_SECRET,
function(err, response) {
let message = '';
if (err) {
message = 'error: ' + err.message + '\n';
}
message += 'response: ' + JSON.stringify(response);
if (err) {
console.log(message);
return;
}
...
但是这种方法会导致以下错误:
"error": "invalid_grant",
"error_description": "AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token.\r\nTrace ID: 539cdaf3-460d-43fa-b4bb-6f23a8058800\r\nCorrelation ID: 507aafd9-5a4a-4417-b1f8-9fe4a5bc4cd3\r\nTimestamp: 2020-02-28 13:10:27Z",
"error_codes": [
54005
],
还尝试根据文档检索访问令牌(https://docs.microsoft.com/en-us/azure/active-directory/azuread-dev/v1-protocols-oauth-code#use-the-authorization-code-to -request-an-access-token)使用邮递员,但这也会导致同样的错误。
请帮助我找出这里的错误。