使用 OAuth 2.0 代码授权流来授权访问 Azure Active Directory Web 应用程序Authorize access to Azure Active Directory web applications using the OAuth 2.0 code grant flow

Azure Active Directory (Azure AD) 使用 OAuth 2.0,使你能够授权访问 Azure AD 租户中的 Web 应用程序和 Web API。Azure Active Directory (Azure AD) uses OAuth 2.0 to enable you to authorize access to web applications and web APIs in your Azure AD tenant. 本指南与语言无关,介绍在不使用我们的开放源代码库的情况下,如何发送和接收 HTTP 消息。This guide is language independent, and describes how to send and receive HTTP messages without using any of our open-source libraries.

OAuth 2.0 规范第 4.1 部分描述了 OAuth 2.0 授权代码流。The OAuth 2.0 authorization code flow is described in section 4.1 of the OAuth 2.0 specification. 它用于在大多数应用程序类型(包括 Web 应用和本机安装的应用)中执行身份验证与授权。It is used to perform authentication and authorization in most application types, including web apps and natively installed apps.

将应用程序注册到 AD 租户Register your application with your AD tenant

首先,需要将应用程序注册到 Azure Active Directory (Azure AD) 租户。First, you need to register your application with your Azure Active Directory (Azure AD) tenant. 这会为应用程序分配一个应用程序 ID,并且使该应用程序可以接收令牌。This will give you an Application ID for your application, as well as enable it to receive tokens.

  • 登录到 Azure 门户Sign in to the Azure portal.
  • 通过以下方式选择 Azure AD 租户:在页面右上角单击你的帐户,单击“切换目录”导航,然后选择合适的租户。Choose your Azure AD tenant by clicking on your account in the top right corner of the page, followed by clicking on the Switch Directory navigation and then select the appropriate tenant.
    • 如果你的帐户下只有一个 Azure AD 租户,或者已选择了合适的 Azure AD 租户,请跳过此步骤。Skip this step, if you've only one Azure AD tenant under your account or if you've already selected the appropriate Azure AD tenant.
  • 在左侧的导航窗格中,单击“Azure Active Directory”。In the left hand navigation pane, click on Azure Active Directory.
  • 单击“应用注册”并单击“新建应用程序注册”。Click on App Registrations and click on New application registration.
  • 根据提示创建新的应用程序。Follow the prompts and create a new application. 本教程简要介绍了 Web 应用程序和本机应用程序的操作步骤,如果想要查看 Web 应用程序或本机应用程序的具体示例,请参阅快速入门It doesn't matter if it is a web application or a native application for this tutorial, but if you'd like specific examples for web applications or native applications, check out our quickstarts.
    • 对于 Web 应用程序,请在用户登录页面(如 http://localhost:12345)提供“登录 URL”,即应用的基 URL。For Web Applications, provide the Sign-On URL, which is the base URL of your app, where users can sign in e.g http://localhost:12345.
    • 对于本机应用程序,请提供“重定向 URI”,Azure AD 将用其返回令牌响应。For Native Applications provide a Redirect URI, which Azure AD will use to return token responses. 输入特定于应用程序的值,例如 http://MyFirstAADAppEnter a value specific to your application, .e.g http://MyFirstAADApp
  • 完成注册后,Azure AD 将为应用程序分配一个唯一的客户端标识符,即应用程序 ID。Once you've completed registration, Azure AD will assign your application a unique client identifier, the Application ID. 在后面的部分中会用到此值,因此,请从应用程序页复制此值。You need this value in the next sections, so copy it from the application page.
  • 若要在 Azure 门户中找到应用程序,请依次单击“应用注册”、“查看所有应用程序”。To find your application in the Azure portal, click App registrations, and then click View all applications.

OAuth 2.0 授权流OAuth 2.0 authorization flow

概括而言,应用程序的整个授权流看起来有点类似于:At a high level, the entire authorization flow for an application looks a bit like this:

OAuth 授权代码流

请求授权代码Request an authorization code

授权代码流始于客户端将用户定向到的 /authorize 终结点。The authorization code flow begins with the client directing the user to the /authorize endpoint. 在此请求中,客户端指示了用户需要提供的权限。In this request, the client indicates the permissions it needs to acquire from the user. 可以通过在 Azure 门户中选择“应用注册”>“终结点”,获取租户的 OAuth 2.0 授权终结点 。You can get the OAuth 2.0 authorization endpoint for your tenant by selecting App registrations > Endpoints in the Azure portal.

// Line breaks for legibility only

https://login.partner.microsoftonline.cn/{tenant}/oauth2/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%3A12345
&response_mode=query
&resource=https%3A%2F%2Fservice.contoso.com%2F
&state=12345
参数Parameter 说明Description
tenanttenant 必填required 请求路径中的 {tenant} 值可用于控制哪些用户可以登录应用程序。The {tenant} value in the path of the request can be used to control who can sign into the application. 允许值为租户标识符,例如独立于租户令牌的 8eaef023-2b34-4da1-9baa-8bc8c9d6a490contoso.partner.onmschina.cncommonThe allowed values are tenant identifiers, for example, 8eaef023-2b34-4da1-9baa-8bc8c9d6a490 or contoso.partner.onmschina.cn or common for tenant-independent tokens
client_idclient_id 必填required 将应用注册到 Azure AD 时,分配给应用的应用程序 ID。The Application ID assigned to your app when you registered it with Azure AD. 可在 Azure 门户中找到该值。You can find this in the Azure Portal. 单击服务边栏中的“Azure Active Directory” ,单击“应用注册” ,然后选择应用程序。Click Azure Active Directory in the services sidebar, click App registrations, and choose the application.
response_typeresponse_type 必填required 必须包括授权代码流的 codeMust include code for the authorization code flow.
redirect_uriredirect_uri 建议recommended 应用的 redirect_uri,应用可向其发送及从其接收身份验证响应。The redirect_uri of your app, where authentication responses can be sent and received by your app. 其必须完全符合在门户中注册的其中一个 redirect_uris,否则必须是编码的 url。It must exactly match one of the redirect_uris you registered in the portal, except it must be url encoded. 对于本机和移动应用,应使用默认值 urn:ietf:wg:oauth:2.0:oobFor native & mobile apps, you should use the default value of urn:ietf:wg:oauth:2.0:oob.
response_moderesponse_mode 可选optional 指定将生成的令牌送回到应用程序时应该使用的方法。Specifies the method that should be used to send the resulting token back to your app. 可以是 queryfragmentform_postCan be query, fragment, or form_post. query 在重定向 URI 上提供代码作为查询字符串参数。query provides the code as a query string parameter on your redirect URI. 如果要使用隐式流请求 ID 令牌,则不能使用 OpenID 规范中指定的 query。如果只是请求代码,则可以使用 queryfragmentform_postIf you're requesting an ID token using the implicit flow, you cannot use query as specified in the OpenID spec. If you're requesting just the code, you can use query, fragment, or form_post. form_post 对重定向 URI 执行包含代码的 POST。form_post executes a POST containing the code to your redirect URI. 代码流的默认值为 queryThe default is query for a code flow.
statestate 建议recommended 同时随令牌响应返回的请求中所包含的值。A value included in the request that is also returned in the token response. 随机生成的唯一值通常用于 防止跨站点请求伪造攻击A randomly generated unique value is typically used for preventing cross-site request forgery attacks. 该状态也用于在身份验证请求出现之前,于应用中编码用户的状态信息,例如之前所在的网页或视图。The state is also used to encode information about the user's state in the app before the authentication request occurred, such as the page or view they were on.
resourceresource 建议recommended 目标 Web API 的应用 ID URI(受保护的资源)。The App ID URI of the target web API (secured resource). 要查找应用 ID URI,请在 Azure 门户中,依次单击“Azure Active Directory”和“应用程序注册”,打开应用程序的“设置”页面,然后单击“属性” 。To find the App ID URI, in the Azure Portal, click Azure Active Directory, click Application registrations, open the application's Settings page, then click Properties. 也可能是外部资源,如 https://microsoftgraph.chinacloudapi.cnIt may also be an external resource like https://microsoftgraph.chinacloudapi.cn. 这在授权或令牌请求中是必需的。This is required in one of either the authorization or token requests. 要确保减少身份验证提示,请将其置于授权请求中以确保获得用户许可。To ensure fewer authentication prompts place it in the authorization request to ensure consent is received from the user.
scopescope ignoredignored 对于 v1 Azure AD 应用,必须在 Azure 门户中的应用程序“设置” 、“所需权限” 下静态配置作用域。For v1 Azure AD apps, scopes must be statically configured in the Azure Portal under the applications Settings, Required Permissions.
promptprompt 可选optional 表示需要的用户交互类型。Indicate the type of user interaction that is required.

有效值是:Valid values are:

login :应该提示用户重新进行身份验证。login: The user should be prompted to reauthenticate.

select_account :系统会提示用户选择一个帐户,从而中断单一登录。select_account: The user is prompted to select an account, interrupting single sign on. 用户可以选择现有已登录帐户,输入已记忆帐户的凭据,或选择使用其他帐户。The user may select an existing signed-in account, enter their credentials for a remembered account, or choose to use a different account altogether.

consent:用户同意已授予,但需要进行更新。consent: User consent has been granted, but needs to be updated. 应该提示用户授予同意。The user should be prompted to consent.

admin_consent:应该提示管理员代表组织中的所有用户授予同意admin_consent: An administrator should be prompted to consent on behalf of all users in their organization

login_hintlogin_hint 可选optional 如果事先知道用户名,可用于预先填充用户登录页的用户名/电子邮件地址字段。Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know their username ahead of time. 通常,应用在重新身份验证期间使用此参数,并且已经使用 preferred_username 声明从前次登录提取用户名。Often apps use this parameter during reauthentication, having already extracted the username from a previous sign-in using the preferred_username claim.
domain_hintdomain_hint 可选optional 提供有关用户应该用于登录的租户或域的提示。Provides a hint about the tenant or domain that the user should use to sign in. domain_hint 的值是租户的已注册域。The value of the domain_hint is a registered domain for the tenant. 如果该租户与本地目录联合,则 AAD 将重定向到指定的租户联合服务器。If the tenant is federated to an on-premises directory, AAD redirects to the specified tenant federation server.
code_challenge_methodcode_challenge_method 建议recommended 用于为 code_challenge 参数编码 code_verifier 的方法。The method used to encode the code_verifier for the code_challenge parameter. 可以是 plainS256 之一。Can be one of plain or S256. 如果已排除在外,且包含了 code_challenge,则假定 code_challenge 为纯文本。If excluded, code_challenge is assumed to be plaintext if code_challenge is included. Azure AAD v1.0 同时支持 plainS256Azure AAD v1.0 supports both plain and S256. 有关详细信息,请参阅 PKCE RFCFor more information, see the PKCE RFC.
code_challengecode_challenge 建议recommended 用于通过本机客户端或公共客户端的 Proof Key for Code Exchange (PKCE) 保护授权代码授权。Used to secure authorization code grants via Proof Key for Code Exchange (PKCE) from a native or public client. 如果包含 code_challenge_method,则需要。Required if code_challenge_method is included. 有关详细信息,请参阅 PKCE RFCFor more information, see the PKCE RFC.

Note

如果用户属于某个组织,则该组织的管理员可以代表该用户许可或拒绝,也可以允许该用户进行许可。If the user is part of an organization, an administrator of the organization can consent or decline on the user's behalf, or permit the user to consent. 仅当管理员允许时,用户才有权许可。The user is given the option to consent only when the administrator permits it.

此时,会要求用户输入其凭据,并许可 Azure 门户中的应用程序请求的权限。At this point, the user is asked to enter their credentials and consent to the permissions requested by the app in the Azure Portal. 用户经过身份验证并同意后,Azure AD 会在包含代码的请求的 redirect_uri 地址中向应用发送响应。Once the user authenticates and grants consent, Azure AD sends a response to your app at the redirect_uri address in your request with the code.

成功的响应Successful response

成功的响应如下所示:A successful response could look like this:

GET  HTTP/1.1 302 Found
Location: http://localhost:12345/?code= AwABAAAAvPM1KaPlrEqdFSBzjqfTGBCmLdgfSTLEMPGYuNHSUYBrqqf_ZT_p5uEAEJJ_nZ3UmphWygRNy2C3jJ239gV_DBnZ2syeg95Ki-374WHUP-i3yIhv5i-7KU2CEoPXwURQp6IVYMw-DjAOzn7C3JCu5wpngXmbZKtJdWmiBzHpcO2aICJPu1KvJrDLDP20chJBXzVYJtkfjviLNNW7l7Y3ydcHDsBRKZc3GuMQanmcghXPyoDg41g8XbwPudVh7uCmUponBQpIhbuffFP_tbV8SNzsPoFz9CLpBCZagJVXeqWoYMPe2dSsPiLO9Alf_YIe5zpi-zY4C3aLw5g9at35eZTfNd0gBRpR5ojkMIcZZ6IgAA&session_state=7B29111D-C220-4263-99AB-6F6E135D75EF&state=D79E5777-702E-4260-9A62-37F75FF22CCE
参数Parameter 说明Description
admin_consentadmin_consent 如果管理员同意许可请求提示的内容,则该值为 True。The value is True if an administrator consented to a consent request prompt.
codecode 应用程序请求的授权代码。The authorization code that the application requested. 应用程序可以使用该授权代码请求目标资源的访问令牌。The application can use the authorization code to request an access token for the target resource.
session_statesession_state 一个标识当前用户会话的唯一值。A unique value that identifies the current user session. 此值为 GUID,但应将其视为无需检查即可传递的不透明值。This value is a GUID, but should be treated as an opaque value that is passed without examination.
statestate 如果请求中包含 state 参数,响应中就应该出现相同的值。If a state parameter is included in the request, the same value should appear in the response. 应用程序在使用响应之前最好验证请求和响应中的状态值是否完全相同。It's a good practice for the application to verify that the state values in the request and response are identical before using the response. 这可以帮助检测客户端的跨网站请求伪造 (CSRF) 攻击This helps to detect Cross-Site Request Forgery (CSRF) attacks against the client.

错误响应Error response

错误响应也可能发送到 redirect_uri ,以便应用程序可以适当地处理。Error responses may also be sent to the redirect_uri so that the application can handle them appropriately.

GET http://localhost:12345/?
error=access_denied
&error_description=the+user+canceled+the+authentication
参数Parameter 说明Description
errorerror OAuth 2.0 授权框架第 5.2 部分中定义的错误代码值。An error code value defined in Section 5.2 of the OAuth 2.0 Authorization Framework. 下表描述了 Azure AD 返回的错误代码。The next table describes the error codes that Azure AD returns.
error_descriptionerror_description 错误的更详细说明。A more detailed description of the error. 此消息不是最终用户友好的。This message is not intended to be end-user friendly.
statestate 状态值是一个随机生成的不可重用值,它在请求中发送,并在响应中返回,以防止跨网站请求伪造 (CSRF) 攻击。The state value is a randomly generated non-reused value that is sent in the request and returned in the response to prevent cross-site request forgery (CSRF) attacks.

授权终结点错误的错误代码Error codes for authorization endpoint errors

下表描述了可在错误响应的 error 参数中返回的各个错误代码。The following table describes the various error codes that can be returned in the error parameter of the error response.

错误代码Error Code 说明Description 客户端操作Client Action
invalid_requestinvalid_request 协议错误,例如,缺少必需的参数。Protocol error, such as a missing required parameter. 修复并重新提交请求。Fix and resubmit the request. 这通常是在初始测试期间捕获的开发错误。This is a development error, and is typically caught during initial testing.
unauthorized_clientunauthorized_client 不允许客户端应用程序请求授权代码。The client application is not permitted to request an authorization code. 客户端应用程序未注册到 Azure AD 中或者未添加到用户的 Azure AD 租户时,通常会出现这种情况。This usually occurs when the client application is not registered in Azure AD or is not added to the user's Azure AD tenant. 应用程序可以提示用户,并说明如何安装应用程序并将其添加到 Azure AD。The application can prompt the user with instruction for installing the application and adding it to Azure AD.
access_deniedaccess_denied 资源所有者拒绝了许可Resource owner denied consent 客户端应用程序可以通知用户除非用户许可,否则无法继续。The client application can notify the user that it cannot proceed unless the user consents.
unsupported_response_typeunsupported_response_type 授权服务器不支持请求中的响应类型。The authorization server does not support the response type in the request. 修复并重新提交请求。Fix and resubmit the request. 这通常是在初始测试期间捕获的开发错误。This is a development error, and is typically caught during initial testing.
server_errorserver_error 服务器遇到意外的错误。The server encountered an unexpected error. 重试请求。Retry the request. 这些错误可能是临时状况导致的。These errors can result from temporary conditions. 客户端应用程序可向用户说明,其响应由于临时错误而延迟。The client application might explain to the user that its response is delayed due to a temporary error.
temporarily_unavailabletemporarily_unavailable 服务器暂时繁忙,无法处理请求。The server is temporarily too busy to handle the request. 重试请求。Retry the request. 客户端应用程序可向用户说明,其响应由于临时状况而延迟。The client application might explain to the user that its response is delayed due to a temporary condition.
invalid_resourceinvalid_resource 目标资源无效,原因是它不存在,Azure AD 找不到它,或者未正确配置。The target resource is invalid because it does not exist, Azure AD cannot find it, or it is not correctly configured. 这表示未在租户中配置该资源(如果存在)。This indicates the resource, if it exists, has not been configured in the tenant. 应用程序可以提示用户,并说明如何安装应用程序并将其添加到 Azure AD。The application can prompt the user with instruction for installing the application and adding it to Azure AD.

使用授权代码请求访问令牌Use the authorization code to request an access token

已获取授权代码并获得用户授权,现在可以通过将 POST 请求发送到 /token 终结点,使用该代码兑换所需资源的访问令牌:Now that you've acquired an authorization code and have been granted permission by the user, you can redeem the code for an access token to the desired resource, by sending a POST request to the /token endpoint:

// Line breaks for legibility only

POST /{tenant}/oauth2/token HTTP/1.1
Host: https://login.partner.microsoftonline.cn
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
&client_id=2d4d11a2-f814-46a7-890a-274a72a7309e
&code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGBCmLdgfSTLEMPGYuNHSUYBrqqf_ZT_p5uEAEJJ_nZ3UmphWygRNy2C3jJ239gV_DBnZ2syeg95Ki-374WHUP-i3yIhv5i-7KU2CEoPXwURQp6IVYMw-DjAOzn7C3JCu5wpngXmbZKtJdWmiBzHpcO2aICJPu1KvJrDLDP20chJBXzVYJtkfjviLNNW7l7Y3ydcHDsBRKZc3GuMQanmcghXPyoDg41g8XbwPudVh7uCmUponBQpIhbuffFP_tbV8SNzsPoFz9CLpBCZagJVXeqWoYMPe2dSsPiLO9Alf_YIe5zpi-zY4C3aLw5g9at35eZTfNd0gBRpR5ojkMIcZZ6IgAA
&redirect_uri=https%3A%2F%2Flocalhost%3A12345
&resource=https%3A%2F%2Fservice.contoso.com%2F
&client_secret=p@ssw0rd

//NOTE: client_secret only required for web apps
参数Parameter 说明Description
tenanttenant 必填required 请求路径中的 {tenant} 值可用于控制哪些用户可以登录应用程序。The {tenant} value in the path of the request can be used to control who can sign into the application. 允许值为租户标识符,例如独立于租户令牌的 8eaef023-2b34-4da1-9baa-8bc8c9d6a490contoso.partner.onmschina.cncommonThe allowed values are tenant identifiers, for example, 8eaef023-2b34-4da1-9baa-8bc8c9d6a490 or contoso.partner.onmschina.cn or common for tenant-independent tokens
client_idclient_id 必填required 将应用注册到 Azure AD 时,分配给应用的应用程序 ID。The Application Id assigned to your app when you registered it with Azure AD. 可以在 Azure 门户中找到该值。You can find this in the Azure portal. 应用程序 ID 显示在应用注册的设置中。The Application Id is displayed in the settings of the app registration.
grant_typegrant_type 必填required 必须是授权代码流的 authorization_codeMust be authorization_code for the authorization code flow.
codecode 必填required 在上一部分中获取的 authorization_codeThe authorization_code that you acquired in the previous section
redirect_uriredirect_uri 必填required 一个在客户端应用程序上注册的 redirect_uriA redirect_uriregistered on the client application.
client_secretclient_secret 对于 Web 应用是必需的,不允许用于公共客户端required for web apps, not allowed for public clients 在 Azure 门户的“密钥” 下为应用程序创建的应用程序密码。The application secret that you created in the Azure Portal for your app under Keys. 它不能在本机应用(公共客户端)中使用,因为设备无法可靠地存储 client_secrets。It cannot be used in a native app (public client), because client_secrets cannot be reliably stored on devices. Web 应用和 Web API(所有机密客户端)都需要它,能够将 client_secret 安全地存储在服务器端。It is required for web apps and web APIs (all confidential clients), which have the ability to store the client_secret securely on the server side. 在发送 client_secret 之前必须先对其进行 URL 编码。The client_secret should be URL-encoded before being sent.
resourceresource 建议recommended 目标 Web API 的应用 ID URI(受保护的资源)。The App ID URI of the target web API (secured resource). 要查找应用 ID URI,请在 Azure 门户中,依次单击“Azure Active Directory”和“应用程序注册”,打开应用程序的“设置”页面,然后单击“属性” 。To find the App ID URI, in the Azure Portal, click Azure Active Directory, click Application registrations, open the application's Settings page, then click Properties. 也可能是外部资源,如 https://microsoftgraph.chinacloudapi.cnIt may also be an external resource like https://microsoftgraph.chinacloudapi.cn. 这在授权或令牌请求中是必需的。This is required in one of either the authorization or token requests. 要确保减少身份验证提示,请将其置于授权请求中以确保获得用户许可。To ensure fewer authentication prompts place it in the authorization request to ensure consent is received from the user. 如果同时在授权请求和令牌请求中,资源参数必须匹配。If in both the authorization request and the token request, the resource` parameters must match.
code_verifiercode_verifier 可选optional 即用于获取 authorization_code 的 code_verifier。The same code_verifier that was used to obtain the authorization_code. 如果在授权码授权请求中使用 PKCE,则需要。Required if PKCE was used in the authorization code grant request. 有关详细信息,请参阅 PKCE RFCFor more information, see the PKCE RFC

要查找应用 ID URI,请在 Azure 门户中,依次单击“Azure Active Directory”和“应用程序注册”,打开应用程序的“设置”页面,然后单击“属性” 。To find the App ID URI, in the Azure Portal, click Azure Active Directory, click Application registrations, open the application's Settings page, then click Properties.

成功的响应Successful response

成功响应后,Azure AD 将返回访问令牌Azure AD returns an access token upon a successful response. 为了尽量减少来自客户端应用程序的网络调用及其相关延迟,客户端应用程序应该根据 OAuth 2.0 响应中指定的令牌生存期缓存访问令牌。To minimize network calls from the client application and their associated latency, the client application should cache access tokens for the token lifetime that is specified in the OAuth 2.0 response. 若要确定令牌生存期,请使用 expires_inexpires_on 参数值。To determine the token lifetime, use either the expires_in or expires_on parameter values.

如果 Web API 资源返回 invalid_token 错误代码,则可能表示该资源确定令牌已过期。If a web API resource returns an invalid_token error code, this might indicate that the resource has determined that the token is expired. 如果客户端和资源时钟时间不同(称为“时间偏差”),该资源可能会将令牌视为已过期,随后从客户端缓存中清除。If the client and resource clock times are different (known as a "time skew"), the resource might consider the token to be expired before the token is cleared from the client cache. 如果发生这种情况,请从缓存中清除令牌,即使它仍处于其计算生存期内。If this occurs, clear the token from the cache, even if it is still within its calculated lifetime.

成功的响应如下所示:A successful response could look like this:

{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1THdqcHdBSk9NOW4tQSJ9.eyJhdWQiOiJodHRwczovL3NlcnZpY2UuY29udG9zby5jb20vIiwiaXNzIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvN2ZlODE0NDctZGE1Ny00Mzg1LWJlY2ItNmRlNTdmMjE0NzdlLyIsImlhdCI6MTM4ODQ0MDg2MywibmJmIjoxMzg4NDQwODYzLCJleHAiOjEzODg0NDQ3NjMsInZlciI6IjEuMCIsInRpZCI6IjdmZTgxNDQ3LWRhNTctNDM4NS1iZWNiLTZkZTU3ZjIxNDc3ZSIsIm9pZCI6IjY4Mzg5YWUyLTYyZmEtNGIxOC05MWZlLTUzZGQxMDlkNzRmNSIsInVwbiI6ImZyYW5rbUBjb250b3NvLmNvbSIsInVuaXF1ZV9uYW1lIjoiZnJhbmttQGNvbnRvc28uY29tIiwic3ViIjoiZGVOcUlqOUlPRTlQV0pXYkhzZnRYdDJFYWJQVmwwQ2o4UUFtZWZSTFY5OCIsImZhbWlseV9uYW1lIjoiTWlsbGVyIiwiZ2l2ZW5fbmFtZSI6IkZyYW5rIiwiYXBwaWQiOiIyZDRkMTFhMi1mODE0LTQ2YTctODkwYS0yNzRhNzJhNzMwOWUiLCJhcHBpZGFjciI6IjAiLCJzY3AiOiJ1c2VyX2ltcGVyc29uYXRpb24iLCJhY3IiOiIxIn0.JZw8jC0gptZxVC-7l5sFkdnJgP3_tRjeQEPgUn28XctVe3QqmheLZw7QVZDPCyGycDWBaqy7FLpSekET_BftDkewRhyHk9FW_KeEz0ch2c3i08NGNDbr6XYGVayNuSesYk5Aw_p3ICRlUV1bqEwk-Jkzs9EEkQg4hbefqJS6yS1HoV_2EsEhpd_wCQpxK89WPs3hLYZETRJtG5kvCCEOvSHXmDE6eTHGTnEgsIk--UlPe275Dvou4gEAwLofhLDQbMSjnlV5VLsjimNBVcSRFShoxmQwBJR_b2011Y5IuD6St5zPnzruBbZYkGNurQK63TJPWmRd3mbJsGM0mf3CUQ",
  "token_type": "Bearer",
  "expires_in": "3600",
  "expires_on": "1388444763",
  "resource": "https://service.contoso.com/",
  "refresh_token": "AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMxZGUTdM0t4B4rTfgV29ghDOHRc2B-C_hHeJaJICqjZ3mY2b_YNqmf9SoAylD1PycGCB90xzZeEDg6oBzOIPfYsbDWNf621pKo2Q3GGTHYlmNfwoc-OlrxK69hkha2CF12azM_NYhgO668yfcUl4VBbiSHZyd1NVZG5QTIOcbObu3qnLutbpadZGAxqjIbMkQ2bQS09fTrjMBtDE3D6kSMIodpCecoANon9b0LATkpitimVCrl-NyfN3oyG4ZCWu18M9-vEou4Sq-1oMDzExgAf61noxzkNiaTecM-Ve5cq6wHqYQjfV9DOz4lbceuYCAA",
  "scope": "https%3A%2F%2Fmicrosoftgraph.chinacloudapi.cn%2Fmail.read",
  "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdWQiOiIyZDRkMTFhMi1mODE0LTQ2YTctODkwYS0yNzRhNzJhNzMwOWUiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC83ZmU4MTQ0Ny1kYTU3LTQzODUtYmVjYi02ZGU1N2YyMTQ3N2UvIiwiaWF0IjoxMzg4NDQwODYzLCJuYmYiOjEzODg0NDA4NjMsImV4cCI6MTM4ODQ0NDc2MywidmVyIjoiMS4wIiwidGlkIjoiN2ZlODE0NDctZGE1Ny00Mzg1LWJlY2ItNmRlNTdmMjE0NzdlIiwib2lkIjoiNjgzODlhZTItNjJmYS00YjE4LTkxZmUtNTNkZDEwOWQ3NGY1IiwidXBuIjoiZnJhbmttQGNvbnRvc28uY29tIiwidW5pcXVlX25hbWUiOiJmcmFua21AY29udG9zby5jb20iLCJzdWIiOiJKV3ZZZENXUGhobHBTMVpzZjd5WVV4U2hVd3RVbTV5elBtd18talgzZkhZIiwiZmFtaWx5X25hbWUiOiJNaWxsZXIiLCJnaXZlbl9uYW1lIjoiRnJhbmsifQ."
}

参数Parameter 说明Description
access_tokenaccess_token 作为签名 JSON Web 令牌 (JWT) 的请求访问令牌The requested access token as a signed JSON Web Token (JWT). 应用可以使用此令牌来验证受保护的资源,例如 Web API。The app can use this token to authenticate to the secured resource, such as a web API.
token_typetoken_type 指示令牌类型值。Indicates the token type value. Azure AD 唯一支持的类型是 Bearer。The only type that Azure AD supports is Bearer. 有关持有者令牌的详细信息,请参阅 OAuth2.0 授权框架:持有者令牌用法 (RFC 6750)For more information about Bearer tokens, see OAuth2.0 Authorization Framework: Bearer Token Usage (RFC 6750)
expires_inexpires_in 访问令牌的有效期(以秒为单位)。How long the access token is valid (in seconds).
expires_onexpires_on 访问令牌的过期时间。The time when the access token expires. 该日期表示为自 1970-01-01T0:0:0Z UTC 至过期时间的秒数。The date is represented as the number of seconds from 1970-01-01T0:0:0Z UTC until the expiration time. 此值用于确定缓存令牌的生存期。This value is used to determine the lifetime of cached tokens.
resourceresource Web API 的应用 ID URI(受保护的资源)。The App ID URI of the web API (secured resource).
scopescope 向客户端应用程序授予的模拟权限。Impersonation permissions granted to the client application. 默认权限为 user_impersonationThe default permission is user_impersonation. 受保护资源的所有者可在 Azure AD 中注册其他值。The owner of the secured resource can register additional values in Azure AD.
refresh_tokenrefresh_token OAuth 2.0 刷新令牌。An OAuth 2.0 refresh token. 应用可以使用此令牌,在当前访问令牌过期之后获取其他访问令牌。The app can use this token to acquire additional access tokens after the current access token expires. 刷新令牌的生存期很长,而且可以用于延长保留资源访问权限的时间。Refresh tokens are long-lived, and can be used to retain access to resources for extended periods of time.
id_tokenid_token 表示 ID 令牌的未签名 JSON Web令牌 (JWT)。An unsigned JSON Web Token (JWT) representing an ID token. 应用可以 base64Url 解码此令牌的段,以请求已登录用户的相关信息。The app can base64Url decode the segments of this token to request information about the user who signed in. 应用可以缓存并显示值,但不应依赖于这些值来获取任何授权或安全边界。The app can cache the values and display them, but it should not rely on them for any authorization or security boundaries.

有关 JSON Web 令牌的详细信息,请参阅 JWT IETF 草案规范For more information about JSON web tokens, see the JWT IETF draft specification. 若要详细了解 id_tokens,请参阅 v1.0 OpenID Connect 流To learn more about id_tokens, see the v1.0 OpenID Connect flow.

错误响应Error response

令牌颁发终结点错误是一些 HTTP 错误代码,因为客户端直接调用令牌颁发终结点。The token issuance endpoint errors are HTTP error codes, because the client calls the token issuance endpoint directly. 除了 HTTP 状态代码,Azure AD 令牌颁发终结点还会返回 JSON 文档,其中的对象会对错误进行描述。In addition to the HTTP status code, the Azure AD token issuance endpoint also returns a JSON document with objects that describe the error.

下面是一个示例错误响应:A sample error response could look like this:

{
  "error": "invalid_grant",
  "error_description": "AADSTS70002: Error validating credentials. AADSTS70008: The provided authorization code or refresh token is expired. Send a new interactive authorization request for this user and resource.\r\nTrace ID: 3939d04c-d7ba-42bf-9cb7-1e5854cdce9e\r\nCorrelation ID: a8125194-2dc8-4078-90ba-7b6592a7f231\r\nTimestamp: 2016-04-11 18:00:12Z",
  "error_codes": [
    70002,
    70008
  ],
  "timestamp": "2016-04-11 18:00:12Z",
  "trace_id": "3939d04c-d7ba-42bf-9cb7-1e5854cdce9e",
  "correlation_id": "a8125194-2dc8-4078-90ba-7b6592a7f231"
}
参数Parameter 说明Description
errorerror 用于分类发生的错误类型与响应错误的错误码字符串。An error code string that can be used to classify types of errors that occur, and can be used to react to errors.
error_descriptionerror_description 帮助开发人员识别身份验证错误根本原因的特定错误消息。A specific error message that can help a developer identify the root cause of an authentication error.
error_codeserror_codes 可帮助诊断的 STS 特定错误代码列表。A list of STS-specific error codes that can help in diagnostics.
timestamptimestamp 发生错误的时间。The time at which the error occurred.
trace_idtrace_id 可帮助诊断的请求唯一标识符。A unique identifier for the request that can help in diagnostics.
correlation_idcorrelation_id 可帮助跨组件诊断的请求唯一标识符。A unique identifier for the request that can help in diagnostics across components.

HTTP 状态代码HTTP status codes

下表列出了令牌颁发终结点返回的 HTTP 状态代码。The following table lists the HTTP status codes that the token issuance endpoint returns. 在某些情况下,错误代码足以描述响应,但在发生错误的情况下,则需要分析随附的 JSON 文档并检查其错误代码。In some cases, the error code is sufficient to describe the response, but if there are errors, you need to parse the accompanying JSON document and examine its error code.

HTTP 代码HTTP Code 说明Description
400400 默认的 HTTP 代码。Default HTTP code. 用于大多数情况,原因通常是请求格式不当。Used in most cases and is typically due to a malformed request. 修复并重新提交请求。Fix and resubmit the request.
401401 身份验证失败。Authentication failed. 例如,请求缺少 client_secret 参数。For example, the request is missing the client_secret parameter.
403403 授权失败。Authorization failed. 例如,用户没有权限访问该资源。For example, the user does not have permission to access the resource.
500500 服务出现内部错误。An internal error has occurred at the service. 重试请求。Retry the request.

令牌终结点错误的错误代码Error codes for token endpoint errors

错误代码Error Code 说明Description 客户端操作Client Action
invalid_requestinvalid_request 协议错误,例如,缺少必需的参数。Protocol error, such as a missing required parameter. 修复并重新提交请求。Fix and resubmit the request
invalid_grantinvalid_grant 授权代码无效或已过期。The authorization code is invalid or has expired. 请尝试对 /authorize 终结点发出新请求Try a new request to the /authorize endpoint
unauthorized_clientunauthorized_client 经过身份验证的客户端无权使用此权限授予类型。The authenticated client is not authorized to use this authorization grant type. 客户端应用程序未注册到 Azure AD 中或者未添加到用户的 Azure AD 租户时,通常会出现这种情况。This usually occurs when the client application is not registered in Azure AD or is not added to the user's Azure AD tenant. 应用程序可以提示用户,并说明如何安装应用程序并将其添加到 Azure AD。The application can prompt the user with instruction for installing the application and adding it to Azure AD.
invalid_clientinvalid_client 客户端身份验证失败。Client authentication failed. 客户端凭据无效。The client credentials are not valid. 若要修复,应用程序管理员应更新凭据。To fix, the application administrator updates the credentials.
unsupported_grant_typeunsupported_grant_type 授权服务器不支持权限授予类型。The authorization server does not support the authorization grant type. 更改请求中的授权类型。Change the grant type in the request. 这种类型的错误应该只在开发过程中发生,并且应该在初始测试过程中检测到。This type of error should occur only during development and be detected during initial testing.
invalid_resourceinvalid_resource 目标资源无效,原因是它不存在,Azure AD 找不到它,或者未正确配置。The target resource is invalid because it does not exist, Azure AD cannot find it, or it is not correctly configured. 这表示未在租户中配置该资源(如果存在)。This indicates the resource, if it exists, has not been configured in the tenant. 应用程序可以提示用户,并说明如何安装应用程序并将其添加到 Azure AD。The application can prompt the user with instruction for installing the application and adding it to Azure AD.
interaction_requiredinteraction_required 请求需要用户交互。The request requires user interaction. 例如,需要额外的身份验证步骤。For example, an additional authentication step is required. 请对同一资源使用交互式授权请求进行重试,而不是非交互式请求。Instead of a non-interactive request, retry with an interactive authorization request for the same resource.
temporarily_unavailabletemporarily_unavailable 服务器暂时繁忙,无法处理请求。The server is temporarily too busy to handle the request. 重试请求。Retry the request. 客户端应用程序可能向用户说明,其响应由于临时状况而延迟。The client application might explain to the user that its response is delayed due to a temporary condition.

使用访问令牌访问资源Use the access token to access the resource

已经成功获取 access_token,现在可以通过在 Authorization 标头中包含令牌,在 Web API 的请求中使用令牌。Now that you've successfully acquired an access_token, you can use the token in requests to Web APIs, by including it in the Authorization header. RFC 6750 规范说明了如何使用 HTTP 请求中的持有者令牌访问受保护的资源。The RFC 6750 specification explains how to use bearer tokens in HTTP requests to access protected resources.

示例请求Sample request

GET /data HTTP/1.1
Host: service.contoso.com
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1THdqcHdBSk9NOW4tQSJ9.eyJhdWQiOiJodHRwczovL3NlcnZpY2UuY29udG9zby5jb20vIiwiaXNzIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvN2ZlODE0NDctZGE1Ny00Mzg1LWJlY2ItNmRlNTdmMjE0NzdlLyIsImlhdCI6MTM4ODQ0MDg2MywibmJmIjoxMzg4NDQwODYzLCJleHAiOjEzODg0NDQ3NjMsInZlciI6IjEuMCIsInRpZCI6IjdmZTgxNDQ3LWRhNTctNDM4NS1iZWNiLTZkZTU3ZjIxNDc3ZSIsIm9pZCI6IjY4Mzg5YWUyLTYyZmEtNGIxOC05MWZlLTUzZGQxMDlkNzRmNSIsInVwbiI6ImZyYW5rbUBjb250b3NvLmNvbSIsInVuaXF1ZV9uYW1lIjoiZnJhbmttQGNvbnRvc28uY29tIiwic3ViIjoiZGVOcUlqOUlPRTlQV0pXYkhzZnRYdDJFYWJQVmwwQ2o4UUFtZWZSTFY5OCIsImZhbWlseV9uYW1lIjoiTWlsbGVyIiwiZ2l2ZW5fbmFtZSI6IkZyYW5rIiwiYXBwaWQiOiIyZDRkMTFhMi1mODE0LTQ2YTctODkwYS0yNzRhNzJhNzMwOWUiLCJhcHBpZGFjciI6IjAiLCJzY3AiOiJ1c2VyX2ltcGVyc29uYXRpb24iLCJhY3IiOiIxIn0.JZw8jC0gptZxVC-7l5sFkdnJgP3_tRjeQEPgUn28XctVe3QqmheLZw7QVZDPCyGycDWBaqy7FLpSekET_BftDkewRhyHk9FW_KeEz0ch2c3i08NGNDbr6XYGVayNuSesYk5Aw_p3ICRlUV1bqEwk-Jkzs9EEkQg4hbefqJS6yS1HoV_2EsEhpd_wCQpxK89WPs3hLYZETRJtG5kvCCEOvSHXmDE6eTHGTnEgsIk--UlPe275Dvou4gEAwLofhLDQbMSjnlV5VLsjimNBVcSRFShoxmQwBJR_b2011Y5IuD6St5zPnzruBbZYkGNurQK63TJPWmRd3mbJsGM0mf3CUQ

错误响应Error Response

实现 RFC 6750 的受保护资源会发出 HTTP 状态代码。Secured resources that implement RFC 6750 issue HTTP status codes. 如果请求不包含身份验证凭据或缺少令牌,则响应将包含 WWW-Authenticate 标头。If the request does not include authentication credentials or is missing the token, the response includes an WWW-Authenticate header. 当某个请求失败时,资源服务器使用 HTTP 状态代码和错误代码做出响应。When a request fails, the resource server responds with the HTTP status code and an error code.

以下是当客户端请求不包含持有者令牌时的不成功响应示例:The following is an example of an unsuccessful response when the client request does not include the bearer token:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer authorization_uri="https://login.partner.microsoftonline.cn/contoso.com/oauth2/authorize",  error="invalid_token",  error_description="The access token is missing.",

错误参数Error parameters

参数Parameter 说明Description
authorization_uriauthorization_uri 授权服务器的 URI(物理终结点)。The URI (physical endpoint) of the authorization server. 此值还用作查找键,可从发现终结点获取有关服务器的详细信息。This value is also used as a lookup key to get more information about the server from a discovery endpoint.

客户端必须验证授权服务器是否受信任。The client must validate that the authorization server is trusted. Azure AD 对资源进行保护时,只需验证 URL 是否以 Azure AD 支持的 https://login.partner.microsoftonline.cn 或其他主机名开头即可。When the resource is protected by Azure AD, it is sufficient to verify that the URL begins with https://login.partner.microsoftonline.cn or another hostname that Azure AD supports. 特定于租户的资源应始终返回特定于租户的授权 URI。A tenant-specific resource should always return a tenant-specific authorization URI.

errorerror OAuth 2.0 授权框架第 5.2 部分中定义的错误代码值。An error code value defined in Section 5.2 of the OAuth 2.0 Authorization Framework.
error_descriptionerror_description 错误的更详细说明。A more detailed description of the error. 此消息不是最终用户友好的。This message is not intended to be end-user friendly.
resource_idresource_id 返回资源的唯一标识符。Returns the unique identifier of the resource. 客户端应用程序在请求资源的令牌时,可以使用此标识符作为 resource 参数的值。The client application can use this identifier as the value of the resource parameter when it requests a token for the resource.

对于客户端应用程序,验证此值非常重要,否则恶意服务可能会引发 elevation-of-privileges 攻击 It is important for the client application to verify this value, otherwise a malicious service might be able to induce an elevation-of-privileges attack

防止攻击的建议策略是验证 resource_id 是否与正在访问的 Web API URL 基部分相匹配。The recommended strategy for preventing an attack is to verify that the resource_id matches the base of the web API URL that being accessed. 例如,如果正在访问 https://service.contoso.com/dataresource_id 可以是 htttps://service.contoso.com/。For example, if https://service.contoso.com/data is being accessed, the resource_id can be htttps://service.contoso.com/. 客户端应用程序必须拒绝不以基 URL 开头的 resource_id ,除非存在可靠的替代方法来验证该 ID。The client application must reject a resource_id that does not begin with the base URL unless there is a reliable alternate way to verify the id.

持有者方案错误代码Bearer scheme error codes

RFC 6750 规范为在响应中使用 WWW-Authenticate 标头和持有者方案的资源定义了以下错误。The RFC 6750 specification defines the following errors for resources that use the WWW-Authenticate header and Bearer scheme in the response.

HTTP 状态代码HTTP Status Code 错误代码Error Code 说明Description 客户端操作Client Action
400400 invalid_requestinvalid_request 请求格式不正确。The request is not well-formed. 例如,请求可能缺少某个参数或者使用了同一参数两次。For example, it might be missing a parameter or using the same parameter twice. 修复错误并重试请求。Fix the error and retry the request. 这种类型的错误应该只在开发过程中发生,并且应该在初始测试中检测到。This type of error should occur only during development and be detected in initial testing.
401401 invalid_tokeninvalid_token 访问令牌缺失、无效或被吊销。The access token is missing, invalid, or is revoked. error_description 参数的值提供了更多详细信息。The value of the error_description parameter provides additional detail. 从授权服务器请求新令牌。Request a new token from the authorization server. 如果新令牌失败,则表示发生了意外的错误。If the new token fails, an unexpected error has occurred. 向用户发送一条错误消息,并在随机延迟后重试。Send an error message to the user and retry after random delays.
403403 insufficient_scopeinsufficient_scope 访问令牌不包含访问资源所需的模拟权限。The access token does not contain the impersonation permissions required to access the resource. 将新的授权请求发送到授权终结点。Send a new authorization request to the authorization endpoint. 如果响应包含 scope 参数,则在对资源的请求中使用 scope 值。If the response contains the scope parameter, use the scope value in the request to the resource.
403403 insufficient_accessinsufficient_access 令牌的使用者没有访问该资源所需的权限。The subject of the token does not have the permissions that are required to access the resource. 提示用户使用其他帐户或请求对指定资源的权限。Prompt the user to use a different account or to request permissions to the specified resource.

刷新访问令牌Refreshing the access tokens

访问令牌的生存期很短,必须在其过期后刷新才能继续访问资源。Access Tokens are short-lived and must be refreshed after they expire to continue accessing resources. 若要刷新 access_token,可以向 /token 终结点提交另一个 POST 请求,但这次要提供 refresh_token 而不是 codeYou can refresh the access_token by submitting another POST request to the /token endpoint, but this time providing the refresh_token instead of the code. 刷新令牌对客户端已被同意访问的所有资源有效 - 因此,对 resource=https://microsoftgraph.chinacloudapi.cn 请求发出的刷新令牌可用于请求 resource=https://contoso.com/api 的新访问令牌。Refresh tokens are valid for all resources that your client has already been given consent to access - thus, a refresh token issued on a request for resource=https://microsoftgraph.chinacloudapi.cn can be used to request a new access token for resource=https://contoso.com/api.

刷新令牌没有指定的生存期。Refresh tokens do not have specified lifetimes. 通常,刷新令牌的生存期相对较长。Typically, the lifetimes of refresh tokens are relatively long. 但是,在某些情况下,刷新令牌会过期、被吊销,或缺少执行所需操作的足够权限。However, in some cases, refresh tokens expire, are revoked, or lack sufficient privileges for the desired action. 应用程序需要正确预期和处理令牌颁发终结点返回的错误。Your application needs to expect and handle errors returned by the token issuance endpoint correctly.

收到具有刷新令牌错误的响应时,请丢弃当前刷新令牌,并请求新的授权代码或访问令牌。When you receive a response with a refresh token error, discard the current refresh token and request a new authorization code or access token. 具体而言,在授权代码授予流中使用刷新令牌时,如果收到具有 interaction_requiredinvalid_grant 错误代码的响应,请丢弃刷新令牌,并请求新的授权代码。In particular, when using a refresh token in the Authorization Code Grant flow, if you receive a response with the interaction_required or invalid_grant error codes, discard the refresh token and request a new authorization code.

以下示例使用刷新令牌请求特定于租户的终结点(也可以使用公用终结点)获取新的访问令牌: A sample request to the tenant-specific endpoint (you can also use the common endpoint) to get a new access token using a refresh token looks like this:

// Line breaks for legibility only

POST /{tenant}/oauth2/token HTTP/1.1
Host: https://login.partner.microsoftonline.cn
Content-Type: application/x-www-form-urlencoded

client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&refresh_token=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq...
&grant_type=refresh_token
&resource=https%3A%2F%2Fservice.contoso.com%2F
&client_secret=JqQX2PNo9bpM0uEihUPzyrh    // NOTE: Only required for web apps

成功的响应Successful response

成功的令牌响应如下:A successful token response will look like:

{
  "token_type": "Bearer",
  "expires_in": "3600",
  "expires_on": "1460404526",
  "resource": "https://service.contoso.com/",
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1THdqcHdBSk9NOW4tQSJ9.eyJhdWQiOiJodHRwczovL3NlcnZpY2UuY29udG9zby5jb20vIiwiaXNzIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvN2ZlODE0NDctZGE1Ny00Mzg1LWJlY2ItNmRlNTdmMjE0NzdlLyIsImlhdCI6MTM4ODQ0MDg2MywibmJmIjoxMzg4NDQwODYzLCJleHAiOjEzODg0NDQ3NjMsInZlciI6IjEuMCIsInRpZCI6IjdmZTgxNDQ3LWRhNTctNDM4NS1iZWNiLTZkZTU3ZjIxNDc3ZSIsIm9pZCI6IjY4Mzg5YWUyLTYyZmEtNGIxOC05MWZlLTUzZGQxMDlkNzRmNSIsInVwbiI6ImZyYW5rbUBjb250b3NvLmNvbSIsInVuaXF1ZV9uYW1lIjoiZnJhbmttQGNvbnRvc28uY29tIiwic3ViIjoiZGVOcUlqOUlPRTlQV0pXYkhzZnRYdDJFYWJQVmwwQ2o4UUFtZWZSTFY5OCIsImZhbWlseV9uYW1lIjoiTWlsbGVyIiwiZ2l2ZW5fbmFtZSI6IkZyYW5rIiwiYXBwaWQiOiIyZDRkMTFhMi1mODE0LTQ2YTctODkwYS0yNzRhNzJhNzMwOWUiLCJhcHBpZGFjciI6IjAiLCJzY3AiOiJ1c2VyX2ltcGVyc29uYXRpb24iLCJhY3IiOiIxIn0.JZw8jC0gptZxVC-7l5sFkdnJgP3_tRjeQEPgUn28XctVe3QqmheLZw7QVZDPCyGycDWBaqy7FLpSekET_BftDkewRhyHk9FW_KeEz0ch2c3i08NGNDbr6XYGVayNuSesYk5Aw_p3ICRlUV1bqEwk-Jkzs9EEkQg4hbefqJS6yS1HoV_2EsEhpd_wCQpxK89WPs3hLYZETRJtG5kvCCEOvSHXmDE6eTHGTnEgsIk--UlPe275Dvou4gEAwLofhLDQbMSjnlV5VLsjimNBVcSRFShoxmQwBJR_b2011Y5IuD6St5zPnzruBbZYkGNurQK63TJPWmRd3mbJsGM0mf3CUQ",
  "refresh_token": "AwABAAAAv YNqmf9SoAylD1PycGCB90xzZeEDg6oBzOIPfYsbDWNf621pKo2Q3GGTHYlmNfwoc-OlrxK69hkha2CF12azM_NYhgO668yfcUl4VBbiSHZyd1NVZG5QTIOcbObu3qnLutbpadZGAxqjIbMkQ2bQS09fTrjMBtDE3D6kSMIodpCecoANon9b0LATkpitimVCrl PM1KaPlrEqdFSBzjqfTGAMxZGUTdM0t4B4rTfgV29ghDOHRc2B-C_hHeJaJICqjZ3mY2b_YNqmf9SoAylD1PycGCB90xzZeEDg6oBzOIPfYsbDWNf621pKo2Q3GGTHYlmNfwoc-OlrxK69hkha2CF12azM_NYhgO668yfmVCrl-NyfN3oyG4ZCWu18M9-vEou4Sq-1oMDzExgAf61noxzkNiaTecM-Ve5cq6wHqYQjfV9DOz4lbceuYCAA"
}
参数Parameter 说明Description
token_typetoken_type 令牌类型。The token type. 唯一支持的值为 bearerThe only supported value is bearer.
expires_inexpires_in 令牌的剩余生存期,以秒为单位。The remaining lifetime of the token in seconds. 典型值为 3600(1 小时)。A typical value is 3600 (one hour).
expires_onexpires_on 令牌过期的日期和时间。The date and time on which the token expires. 该日期表示为自 1970-01-01T0:0:0Z UTC 至过期时间的秒数。The date is represented as the number of seconds from 1970-01-01T0:0:0Z UTC until the expiration time.
resourceresource 标识可使用访问令牌访问的受保护资源。Identifies the secured resource that the access token can be used to access.
scopescope 向本机客户端应用程序授予的模拟权限。Impersonation permissions granted to the native client application. 默认权限是 user_impersonation。 The default permission is user_impersonation. 目标资源的所有者可在 Azure AD 中注册备用值。The owner of the target resource can register alternate values in Azure AD.
access_tokenaccess_token 所请求的新访问令牌。The new access token that was requested.
refresh_tokenrefresh_token 一个新的 OAuth 2.0 refresh_token,可用于在此响应中的令牌过期时请求新的访问令牌。A new OAuth 2.0 refresh_token that can be used to request new access tokens when the one in this response expires.

错误响应Error response

下面是一个示例错误响应:A sample error response could look like this:

{
  "error": "invalid_resource",
  "error_description": "AADSTS50001: The application named https://foo.microsoft.com/mail.read was not found in the tenant named 295e01fc-0c56-4ac3-ac57-5d0ed568f872. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: ef1f89f6-a14f-49de-9868-61bd4072f0a9\r\nCorrelation ID: b6908274-2c58-4e91-aea9-1f6b9c99347c\r\nTimestamp: 2016-04-11 18:59:01Z",
  "error_codes": [
    50001
  ],
  "timestamp": "2016-04-11 18:59:01Z",
  "trace_id": "ef1f89f6-a14f-49de-9868-61bd4072f0a9",
  "correlation_id": "b6908274-2c58-4e91-aea9-1f6b9c99347c"
}
参数Parameter 说明Description
errorerror 用于分类发生的错误类型与响应错误的错误码字符串。An error code string that can be used to classify types of errors that occur, and can be used to react to errors.
error_descriptionerror_description 帮助开发人员识别身份验证错误根本原因的特定错误消息。A specific error message that can help a developer identify the root cause of an authentication error.
error_codeserror_codes 可帮助诊断的 STS 特定错误代码列表。A list of STS-specific error codes that can help in diagnostics.
timestamptimestamp 发生错误的时间。The time at which the error occurred.
trace_idtrace_id 可帮助诊断的请求唯一标识符。A unique identifier for the request that can help in diagnostics.
correlation_idcorrelation_id 可帮助跨组件诊断的请求唯一标识符。A unique identifier for the request that can help in diagnostics across components.

有关错误代码的描述和建议的客户端操作,请参阅 令牌终结点错误的错误代码For a description of the error codes and the recommended client action, see Error codes for token endpoint errors.