2017-10-13 141 views
0

I'm using the league/oauth2-client with Microsoft Graph in a Slim3 web app, and I can't successfully request a new token with a given refresh token... Microsoft Graph refresh token request fails... AADSTS70000

This is my Slim3 container entry for the league OAuth client:

$container['oauthprovider'] = function () {
    $provider = new \League\OAuth2\Client\Provider\GenericProvider([
        'clientId'                => getenv('ENV_CLIENT_ID'),
        'clientSecret'            => getenv('ENV_CLIENT_SECRET'),
        'redirectUri'             => getenv('ENV_REDIRECT_URL'),
        'urlAuthorize'            => getenv('ENV_AUTHORIZE_URL'),
        'urlAccessToken'          => getenv('ENV_URL_ACCESS_TOKEN'),
        'urlResourceOwnerDetails' => '',
        'scopes'                  => 'offline_access user.read people.read user.read.all openid mail.send',
    ]);
    return $provider;
};

That works fine - after the redirect in my Slim3 route I get all the tokens, the refresh_token, etc.

$provider = $this->oauthprovider;
$CODE = filter_var($_GET['code'], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
$accessToken = $provider->getAccessToken('authorization_code', [
    'code' => $CODE,
]);

...

$existingAccessToken = $accessToken->getToken();
$refreshToken = $accessToken->getRefreshToken();
$expiresIn = $accessToken->getExpires();
$expired = ($accessToken->hasExpired() ? true : false);
$client = $this->guzzzle;

... 

If I try to refresh my token at this point - in the same Slim3 route - it works fine:

$newAccessToken = $provider->getAccessToken('refresh_token', [
    'refresh_token' => $accessToken->getRefreshToken(),
    'grant_type'    => 'refresh_token',
]);

But that's not my goal - I have to refresh the token once its lifetime has expired - 1 hour - in another Slim3 route:

$accessToken = unserialize($session->get('serialized_token'));
$refreshToken = unserialize($session->get('serialized_refresh_token'));
$code = $session->get('code');
$provider = $this->oauthprovider;
$client = $this->guzzzle;

...

$req = $client->request('POST',
    'https://login.windows.net/common/oauth2/token', [
    'form_params' => [
        'accept'        => 'application/json',
        'grant_type'    => 'refresh_token',
        'client_id'     => getenv('ENV_CLIENT_ID'),
        'client_secret' => getenv('ENV_CLIENT_SECRET'),
        'refresh_token' => (string) $refreshToken,
        'redirect_uri'  => getenv('ENV_REDIRECT_URL'),
    ],
]);

The response:

Client error: POST https://login.windows.net/common/oauth2/token resulted in a 400 Bad Request response: {"error":"invalid_grant","error_description":"AADSTS70000: Transmission data parser failure: Refresh Token is malformed (truncated...)

The refresh token is exactly the same one I got in my initial request.

Anyone with experience with oauth-client/guzzle/Microsoft Graph - where is my mistake?

+1

Please don't use profanity. –

Answers

1

Since you're using the v2.0 endpoint, your POST should go to https://login.microsoftonline.com/common/oauth2/v2.0/token and your payload should include the scope property:

$req = $client->request('POST',
    'https://login.microsoftonline.com/common/oauth2/v2.0/token', [
    'form_params' => [
        'grant_type'    => 'refresh_token',
        'client_id'     => getenv('ENV_CLIENT_ID'),
        'client_secret' => getenv('ENV_CLIENT_SECRET'),
        'refresh_token' => (string) $refreshToken,
        'redirect_uri'  => getenv('ENV_REDIRECT_URL'),
        'scope'         => 'offline_access user.read people.read user.read.all openid mail.send',
    ],
]);
+0

Yes - I did that, Marc. I'm requesting the https://login.microsoftonline.com/common/oauth2/v2.0/token endpoint. My initial access token request works fine. – Superpupsi

+0

The problem is getting a new access token in a different Slim3 route with my initial refresh token after the first access token has expired. I don't know whether the problem is league/oauth-client, the Slim DI container or something else...? – Superpupsi

+0

Thanx Marc, my request to 'https://login.microsoftonline.com/common/oauth2/v2.0/token' works fine now - the response contains a new token and a new refresh token. – Superpupsi
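The refresh flow Marc describes, as an added example that is not part of the question or either answer: the second route reads the refresh token from the session, POSTs it to the v2.0 endpoint with the scope parameter, and rejects any non-200 body (such as the AADSTS70000 invalid_grant from the question) before anything is stored. It assumes Guzzle is installed via Composer and keeps the question's environment variable names; the function names, the session array and the two mocked responses are constructed for this example so it runs without network access.

```php
<?php
// Added example; not the original poster's or the accepted answer's code.
// Assumes Guzzle 6/7 via Composer; ENV_* names are taken from the question.
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\ClientInterface;
use GuzzleHttp\Handler\MockHandler;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Psr7\Response;

const TOKEN_ENDPOINT_V2 = 'https://login.microsoftonline.com/common/oauth2/v2.0/token';
const SCOPES = 'offline_access user.read people.read user.read.all openid mail.send';

/**
 * Exchange a refresh token for a new token set at the v2.0 endpoint.
 * Returns the decoded JSON body on success and throws on any error response,
 * so a caller never stores a partial or bogus token set.
 */
function refreshAccessToken(ClientInterface $client, string $refreshToken): array
{
    $response = $client->request('POST', TOKEN_ENDPOINT_V2, [
        'headers' => ['Accept' => 'application/json'],
        'form_params' => [
            'grant_type'    => 'refresh_token',
            'client_id'     => getenv('ENV_CLIENT_ID'),
            'client_secret' => getenv('ENV_CLIENT_SECRET'),
            'refresh_token' => $refreshToken,
            'redirect_uri'  => getenv('ENV_REDIRECT_URL'),
            'scope'         => SCOPES, // v2.0 expects scope here, per the accepted answer
        ],
        'http_errors' => false, // inspect 4xx bodies ourselves instead of catching exceptions
    ]);

    $body = json_decode((string) $response->getBody(), true);
    if ($response->getStatusCode() !== 200 || !isset($body['access_token'])) {
        $code = $body['error'] ?? 'unknown_error';
        $desc = $body['error_description'] ?? '';
        // e.g. invalid_grant / AADSTS70000 "Refresh Token is malformed" from the question
        throw new RuntimeException("token refresh failed: $code $desc");
    }
    return $body;
}

// Persist only what the next route needs. The refresh token is a long-lived
// credential: keep it server-side in the session, never send it to the browser.
function storeTokens(array &$session, array $tokenSet): void
{
    $session['access_token']  = $tokenSet['access_token'];
    // Entra ID may rotate the refresh token; fall back to the old one if it is absent.
    $session['refresh_token'] = $tokenSet['refresh_token'] ?? $session['refresh_token'];
    $session['expires_at']    = time() + (int) $tokenSet['expires_in'];
}

// Refresh a little early so a request issued right at expiry does not fail.
function tokenNeedsRefresh(array $session, int $skewSeconds = 60): bool
{
    return !isset($session['expires_at']) || time() >= $session['expires_at'] - $skewSeconds;
}

// --- offline demo with constructed responses (no network) ---
$mock = new MockHandler([
    // constructed: shape of a successful v2.0 refresh (token values shortened)
    new Response(200, ['Content-Type' => 'application/json'], json_encode([
        'token_type' => 'Bearer', 'scope' => 'Mail.Send User.Read',
        'expires_in' => 3599, 'access_token' => 'eyJ...new',
        'refresh_token' => '0.AXoA...new', 'id_token' => 'eyJ...id',
    ])),
    // constructed: the error body quoted in the question
    new Response(400, ['Content-Type' => 'application/json'], json_encode([
        'error' => 'invalid_grant',
        'error_description' => 'AADSTS70000: Transmission data parser failure: Refresh Token is malformed',
    ])),
]);
$client  = new Client(['handler' => HandlerStack::create($mock)]);
$session = ['refresh_token' => '0.AXoA...old', 'expires_at' => time() - 1]; // constructed session

if (tokenNeedsRefresh($session)) {
    storeTokens($session, refreshAccessToken($client, $session['refresh_token']));
}
echo "new access token stored, expires at ", date('c', $session['expires_at']), "\n";

try {
    refreshAccessToken($client, 'not-a-real-token'); // second mocked response: 400
} catch (RuntimeException $e) {
    echo "rejected as expected: ", $e->getMessage(), "\n";
}
```

Replace the MockHandler with a plain `new Client()` to talk to the real endpoint. Checking the status code and the presence of `access_token` before writing to the session is the part that matters in practice: otherwise a 400 body like the one in the question can overwrite a still-valid refresh token with nothing.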

0

For example - if I request Microsoft Graph with my league/oauth-client and Guzzle via:

$request = $client->request('GET', "https://login.microsoftonline.com/common/oauth2/v2.0/token", [
    'form_params' => [
        'accept'        => 'application/json',
        'grant_type'    => 'refresh_token',
        'client_id'     => getenv('ENV_CLIENT_ID'),
        'client_secret' => getenv('ENV_CLIENT_SECRET'),
        'refresh_token' => (string) $refreshToken,
        'redirect_uri'  => getenv('ENV_REDIRECT_URL'),
    ],
]);

$response = json_decode($request->getBody()->getContents(), true);

echo 'Response: ';
var_dump($response);
exit;

The response contains the following information:

Response: array(7) { 
    ["token_type"]=> 
    string(6) "Bearer" 
    ["scope"]=> 
    string(45) "Mail.Send People.Read User.Read User.Read.All" 
    ["expires_in"]=> 
    int(3599) 
    ["ext_expires_in"]=> 
    int(0) 
    ["access_token"]=> 
    string(1901) "...f8SQPrPFsg66q8vHLGM4Q..." 
    ["refresh_token"]=> 
    string(847) "...cEksGS9XfHIqTH2LUYL..." 
    ["id_token"]=> 
    string(928) "...KKWAUtlyS0p5rDWILr..." 
} 

With this information I can renew my app's access token and refresh token and keep requesting the Microsoft Graph endpoints.

Thanks Marc! Great!
