AADSTS50020: We are unable to issue tokens from this api version for a Microsoft account

Published 2019-04-23 15:49

Question:

I'm writing a simple C# mobile application which I've registered at https://apps.dev.microsoft.com/ to access live.com/outlook.com mailboxes (not outlook 365 mbx). I'm using ADAL for authenticating using the client id and redirect URI from the registration. I'm not sure if I should be generating a password from the registration site and how I should be using the generated password. What I'm experiencing is that I get the usual prompt to authenticate, I provide my credentials, I see a token being returned (RequestSecurityTokenResponse) with my data (firstname, lastname, etc.) meaning that the authentication process was successful and yet the authentication process ends with error "AADSTS50020: We are unable to issue tokens from this api version for a Microsoft account. Please contact the application vendor as they need to use version 2.0 of the protocol to support this."

I'm not sure how to interpret the error: is the error saying I'm not using v2.0 of the protocol, or is it saying I'm not calling v2.0 of their authentication endpoint?

The difficulty I'm facing is that Microsoft has changed protocols and interfaces so many times, and has mixed up live.com/outlook.com and azure/office365, that in the end I don't know what I should be providing as the authority URL and the resource URI to access live.com/outlook.com mailboxes.

What I noticed is that, apart from the authentication UI, I'm not getting the UI where I should be authorizing the application to act on my behalf.

Below is the outgoing request with the SMTP address obfuscated.

https://login.live.com/ppsecure/post.srf?wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%3drQIIARWPsU7CQABAubaQghqRaIIbAy6aa3uFttwlDmog0gEGXSQu19JCY8thbcU4ObjLBzg5OpjoYAyf4MRiYtg00RhmTRzF5SVvey8zV5JQScISQqqeA2idRxIiRYoMS8cUQ8VANixj14HUxSp0DAuXKmXVsh0tzGWyaDi_ix-FndGH_zZprV09ATAG4AuACw5MuMXmVhx11X-w0Dt3plzSZx2vd8sXu1HUPyGyzOLIZ-xIYq7r2Y5ks0AOqOdLoUPbD3xq5gHrjfiihjVLN7QStPU2hmWDupAirQJtza5gRbeo5rZfeTAWwFRYEfnsQj5d-BQVnohiKsvlE4XErwBukrPk7aX3-7vD5eblwc_1y_d-4jkp980qik_7x11crwaBKesmrQ-qhhm2VKaE-2Fto7XXsNBZo9bZRAQNU2CUXo3DHvGcyCWDDmF0tkhUSSGMWX81&wfresh=0&id=&pcexp=false&username=xyz%40hotmail.com&popupui=1&contextid=70F2DEC5506FD639&bk=1491815919&uaid=480c9031b6394304bae56ce1da5a258f&pid=0

Here is the code I've used:

using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL

// The v2.0 authorize URL is being handed to ADAL as its authority.
string authority = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";

// Always show the sign-in prompt; no owner window supplied.
PlatformParameters authParms = new PlatformParameters(PromptBehavior.Always, null);

AuthenticationContext authContext = new AuthenticationContext(authority, TokenCache.DefaultShared);

// clientId and redirectUri come from the registration at https://apps.dev.microsoft.com/
AuthenticationResult result = await authContext.AcquireTokenAsync(
    "https://outlook.office.com/mail.read",   // resource
    clientId,
    new Uri(redirectUri),
    authParms);

Answer 1:

There are three things here:

  1. Applications created with the https://apps.dev.microsoft.com web site target the AAD v2.0 endpoint, not the v1.0 endpoint (those are different versions of the protocol).

  2. The V2.0 endpoint is not supported by ADAL. It is supported by MSAL. However, the development of MSAL is in progress, so I don't think that you can quite use it yet (you should be able to in a few weeks, and even then I don't think it will be GA).

  3. Authenticating with MSA accounts directly is supported from the V2.0 endpoint, and therefore MSAL, not with ADAL. ADAL only supports ADFS and AAD.

I understand that you want to authenticate with MSA accounts (live), and therefore you need to use MSA. I would advise you to wait a bit, if you can.

Note: This is a bit subtle, but you can also have AAD guest accounts which are MSA accounts in an Azure Active Directory (you create a user with an existing email address, which could be an MSA). That is supported by the V1.0 endpoint, and therefore ADAL, but you have to create users with these email addresses in the AAD tenant, which is probably not what you want. Also, there are flows where MSAs won't work (for instance when a user authenticates to use a web service which itself uses a web service: the on-behalf-of flow), so I would not recommend this option.
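The MSAL route the answer points to, written as an added example that is not code from the question or the answer; it uses the current MSAL.NET (Microsoft.Identity.Client) API rather than the preview that existed when the answer was written, and assumes the client id and redirect URI from the question's app registration and the Mail.Read scope from the question's code.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client; // MSAL.NET, not ADAL

public static class MsaMailSignIn
{
    // Assumed values: the registration from https://apps.dev.microsoft.com/
    const string ClientId = "<client id from your app registration>";
    const string RedirectUri = "<redirect URI from your app registration>";

    // The v2.0 endpoint takes scopes, not a resource URI. Using the "common"
    // authority lets both work/school (AAD) and personal (MSA) accounts sign in.
    static readonly string[] Scopes = { "https://outlook.office.com/mail.read" };

    public static async Task<AuthenticationResult> SignInAsync()
    {
        IPublicClientApplication app = PublicClientApplicationBuilder
            .Create(ClientId)
            .WithAuthority("https://login.microsoftonline.com/common")
            .WithRedirectUri(RedirectUri)
            .Build();

        // Prefer the token cache: only prompt when no usable token exists.
        IAccount account = (await app.GetAccountsAsync()).FirstOrDefault();
        try
        {
            return await app.AcquireTokenSilent(Scopes, account).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            // No cached token (or consent needed): this is where the consent UI
            // the question was missing is shown for the requested scopes.
            return await app.AcquireTokenInteractive(Scopes).ExecuteAsync();
        }
    }

    public static async Task Main()
    {
        AuthenticationResult result = await SignInAsync();
        // Log who signed in and when the token expires; never log the token itself.
        Console.WriteLine($"Signed in as {result.Account.Username}, expires {result.ExpiresOn:u}");
    }
}
```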