2017-10-13 136 views
0

I'm using league/oauth-client in a Slim3 web app with Microsoft Graph, and I can't successfully request a new token with the refresh token I was given... The Microsoft Graph refresh token request fails... AADSTS70000

Here is my second container, for the league/oauth client:

$container['oauthprovider'] = function () {
    $provider = new \League\OAuth2\Client\Provider\GenericProvider([
        'clientId'                => getenv('ENV_CLIENT_ID'),
        'clientSecret'            => getenv('ENV_CLIENT_SECRET'),
        'redirectUri'             => getenv('ENV_REDIRECT_URL'),
        'urlAuthorize'            => getenv('ENV_AUTHORIZE_URL'),
        'urlAccessToken'          => getenv('ENV_URL_ACCESS_TOKEN'),
        'urlResourceOwnerDetails' => '',
        'scopes'                  => 'offline_access user.read people.read user.read.all openid mail.send',
    ]);
    return $provider;
};

This works fine - after the redirect in my Slim3 route I get all the tokens, refresh_token etc.

$provider = $this->oauthprovider;
$CODE = filter_var($_GET['code'], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
$accessToken = $provider->getAccessToken('authorization_code', [
    'code' => $CODE,
]);

...

$existingAccessToken = $accessToken->getToken();
$refreshToken = $accessToken->getRefreshToken();
$expiresIn = $accessToken->getExpires();
$expired = $accessToken->hasExpired();
$client = $this->guzzzle;

... 

If I try to refresh my token at this point - in the same Slim3 route - it works fine:

$newAccessToken = $provider->getAccessToken('refresh_token', [
    'refresh_token' => $accessToken->getRefreshToken(),
    'grant_type'    => 'refresh_token',
]);

But that is not my goal - I need to refresh the token when its expiry lifetime is reached - 1 hour - in another Slim3 route:

$accessToken = unserialize($session->get('serialized_token'));
$refreshToken = unserialize($session->get('serialized_refresh_token'));
$code = $session->get('code');
$provider = $this->oauthprovider;
$client = $this->guzzzle;

...

$req = $client->request('POST', 'https://login.windows.net/common/oauth2/token', [
    'form_params' => [
        'accept'        => 'application/json',
        'grant_type'    => 'refresh_token',
        'client_id'     => getenv('ENV_CLIENT_ID'),
        'client_secret' => getenv('ENV_CLIENT_SECRET'),
        'refresh_token' => (string) $refreshToken,
        'redirect_uri'  => getenv('ENV_REDIRECT_URL'),
    ],
]);

The response:

Client error: POST https://login.windows.net/common/oauth2/token resulted in a 400 Bad Request response: {"error":"invalid_grant","error_description":"AADSTS70000: Transmission data parser failure: Refresh Token is malformed (truncated...)

The refresh token is exactly the same one I received in my initial request.

Anyone with experience of oauth-client/guzzle/Microsoft Graph - where is my mistake?

+1

Please don't use profanity. –

Answer

1

Since you are using the v2 endpoint, your POST should go to https://login.microsoftonline.com/common/oauth2/v2.0/token and your payload should include the scope property:

$req = $client->request('POST', 'https://login.microsoftonline.com/common/oauth2/v2.0/token', [
    'form_params' => [
        'grant_type'    => 'refresh_token',
        'client_id'     => getenv('ENV_CLIENT_ID'),
        'client_secret' => getenv('ENV_CLIENT_SECRET'),
        'refresh_token' => (string) $refreshToken,
        'redirect_uri'  => getenv('ENV_REDIRECT_URL'),
        'scope'         => 'offline_access user.read people.read user.read.all openid mail.send',
    ],
]);
+0

Yes - I do that, Marc. I'm requesting the https://login.microsoftonline.com/common/oauth2/v2.0/token endpoint. My initial access token request works fine. – Superpupsi

+0

The problem is getting a new access token with my initial refresh token in a different Slim3 route after the first access token has expired. I don't know whether the problem is 'league/oauth-client', the Slim DI container or something else...? – Superpupsi

+0

Thanx Marc, my request to 'https://login.microsoftonline.com/common/oauth2/v2.0/token' works fine - the response contains a new token and a new refresh token. – Superpupsi

0

For example - if I request Microsoft Graph with my league/oauth-client and Guzzle via:

$request = $client->request('GET', 'https://login.microsoftonline.com/common/oauth2/v2.0/token', [
    'form_params' => [
        'accept'        => 'application/json',
        'grant_type'    => 'refresh_token',
        'client_id'     => getenv('ENV_CLIENT_ID'),
        'client_secret' => getenv('ENV_CLIENT_SECRET'),
        'refresh_token' => (string) $refreshToken,
        'redirect_uri'  => getenv('ENV_REDIRECT_URL'),
    ],
]);

$response = json_decode($request->getBody()->getContents(), true);

echo 'Response: ';
var_dump($response);
exit;

The response contains the following information:

Response: array(7) { 
    ["token_type"]=> 
    string(6) "Bearer" 
    ["scope"]=> 
    string(45) "Mail.Send People.Read User.Read User.Read.All" 
    ["expires_in"]=> 
    int(3599) 
    ["ext_expires_in"]=> 
    int(0) 
    ["access_token"]=> 
    string(1901) "...f8SQPrPFsg66q8vHLGM4Q..." 
    ["refresh_token"]=> 
    string(847) "...cEksGS9XfHIqTH2LUYL..." 
    ["id_token"]=> 
    string(928) "...KKWAUtlyS0p5rDWILr..." 
} 

With this information I can renew my app's token and refresh token and keep requesting the Microsoft Graph endpoints.

Thanks Marc! Great!
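Putting the accepted answer (v2.0 endpoint plus scope) together with the cross-route refresh the question describes, here is an added example that is not code from the question or the answers. It uses league/oauth2-client's own refresh_token grant instead of a hand-built Guzzle call, assumes ENV_URL_ACCESS_TOKEN points at https://login.microsoftonline.com/common/oauth2/v2.0/token, and uses a plain array named $session as a stand-in for the Slim session; the function names are hypothetical.

```php
<?php
// Added example, not from the question or answers. $provider is the GenericProvider
// from the question's 'oauthprovider' container; ENV_URL_ACCESS_TOKEN is assumed to
// be the v2.0 token endpoint and $session is a plain array standing in for Slim's
// session store.
require 'vendor/autoload.php';

use League\OAuth2\Client\Provider\GenericProvider;
use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
use League\OAuth2\Client\Token\AccessToken;

const GRAPH_SCOPES = 'offline_access user.read people.read user.read.all openid mail.send';

// Route 1, after the redirect: persist the token fields as plain strings/ints rather
// than a serialized AccessToken object. AccessToken::__toString() returns the access
// token, so a (string) cast of the object would send the wrong value as refresh_token.
function storeTokens(array &$session, AccessToken $token): void
{
    $session['access_token']  = $token->getToken();
    $session['expires']       = $token->getExpires();
    $session['refresh_token'] = $token->getRefreshToken();
}

// Route 2, about an hour later: refresh through the provider against the v2.0
// endpoint, repeating the scope as the accepted answer requires.
function getValidAccessToken(array &$session, GenericProvider $provider): string
{
    if (time() < $session['expires'] - 60) {      // refresh a little early
        return $session['access_token'];
    }
    try {
        $new = $provider->getAccessToken('refresh_token', [
            'refresh_token' => $session['refresh_token'],
            'scope'         => GRAPH_SCOPES,
        ]);
    } catch (IdentityProviderException $e) {
        // AADSTS error text (e.g. invalid_grant) is logged server-side, not echoed
        error_log('Token refresh failed: ' . $e->getMessage());
        throw $e;
    }
    storeTokens($session, $new);   // Azure AD returns a new refresh token too; keep it
    return $new->getToken();
}
```

Call storeTokens() in the authorization_code route right after getAccessToken(), and getValidAccessToken() in every route that talks to Graph, so the Authorization header is always built from a token that has not expired.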
