Azure OAuth2 客户端凭据流程 - 获取多个范围的 token 会引发错误

Question

当使用 MSAL 库为后台控制台应用程序生成访问 token (使用 client_credentials)来调用两个 REST 终结点时，获取 token 调用将创建为:

client_id=XXX&client_info=1&client_secret=XXXX&scope=api%3A%2F%2FMyService-DevBlr-ClientServices%2F.default+api%3A%2F%2FMyService-DevBlr-CoreServices%2F.default&grant_type=client_credentials

并发布到

https://login.microsoftonline.com/a1326aec-378e-4433-8e2a-67a086554fc8/oauth2/v2.0/token

响应是 400 错误:

{"error":"invalid_scope","error_description":"AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope api://MyService-DevBlr-ClientServices/.default api://MyService-DevBlr-CoreServices/.default is not valid.\r\nTrace ID: 203ad632-5e7c-4e61-9dcd-185eb9b49200\r\nCorrelation ID: 99fd979a-2c11-485b-ba14-c0cad3312e02\r\nTimestamp: 2020-01-11 08:36:29Z","error_codes":[70011],"timestamp":"2020-01-11 08:36:29Z","trace_id":"203ad632-5e7c-4e61-9dcd-185eb9b49200","correlation_id":"99fd979a-2c11-485b-ba14-c0cad3312e02"}

当传入各个范围时，调用可以正常工作:

Request:
client_id=XXXX&client_info=1&client_secret=XXXX&scope=api%3A%2F%2FMyService-DevBlr-CoreServices%2F.default&grant_type=client_credentials 

Response:
{"token_type":"Bearer","expires_in":3599,"ext_expires_in":3599,"access_token":"eyJ0e..."}

和

Request: 
client_id=XXXX&client_info=1&client_secret=XXXX&scope=api%3A%2F%2FMyService-DevBlr-ClientServices%2F.default&grant_type=client_credentials

Response:
{"token_type":"Bearer","expires_in":3599,"ext_expires_in":3599,"access_token":"eyJ0eX..."}

文档和 API 支持范围数组: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Client-credential-flows#code-snippet

将单个 token 用于多个服务调用是有好处的，但我似乎无法让它工作。如有任何建议，我们将不胜感激。

Answer 1

当您获取访问 token 时，您只能指定一个 API 的范围。在我看来，您正在尝试获取具有 2 个 API 权限的 token 。这是不可能的。

访问 token 始终仅包含对一个 API 的权限。因此您必须单独请求它们。

这是因为 token 具有受众 (aud) 声明，该声明标识了它所针对的 API。它不能有两个值。