资源“此处的GUID值"不存在，或者其查询的参考属性对象之一不存在 [英] Resource 'GUID value here' does not exist or one of its queried reference-property objects are not present

问题描述

我正在尝试更改Azure AD用户密码.

I'm trying to change an Azure AD user password.

已经使用隐式流和adal库在 SPA 应用程序中对用户进行了身份验证.

The user is already authenticated in a SPA application using the implicit flow and the adal library.

调用时:

return await graphClient.Me.Request().UpdateAsync(new User
                {
                    PasswordProfile = new PasswordProfile
                    {
                        Password = userPasswordModel.NewPassword,
                        ForceChangePasswordNextSignIn = false
                    },
                });

我遇到此异常:

{代码:Request_ResourceNotFound \ r \ n消息:资源 '35239a3d-67e3-4560-920a-2e9ce027aeab'不存在或其中之一 查询的参考属性对象不存在.\ r \ n \ r \ n内部 错误\ r \ n}

{"Code: Request_ResourceNotFound\r\nMessage: Resource '35239a3d-67e3-4560-920a-2e9ce027aeab' does not exist or one of its queried reference-property objects are not present.\r\n\r\nInner error\r\n"}

调试通过Microsoft Client SDK获得的访问令牌，我看到此 GUID 指的是oid和sub属性.见下文:

Debugging the access token I got with Microsoft Client SDK I see that this GUID is referring to the oid and sub properties. See below:

这是我用来获取令牌的代码:

This is the code I use to acquire the token:

 IConfidentialClientApplication clientApp =
     ConfidentialClientApplicationBuilder.Create(Startup.clientId)
            .WithAuthority(string.Format(AuthorityFormat, Startup.tenant))
            .WithRedirectUri(Startup.redirectUri)
            .WithClientSecret(Startup.clientSecret)
            .Build();

            var authResult = await clientApp.AcquireTokenForClient(new[] { MSGraphScope }).ExecuteAsync();

            return authResult.AccessToken;

我正在 SPA 应用程序中使用隐式流程.在执行ClaimsPrincipal.Current时，我看到我的用户已通过身份验证，并且所有声明都存在.

I'm using the implicit flow in a SPA application. While doing ClaimsPrincipal.Current I see that my user is authenticated and all claims are present.

我已经阅读了很多@GitHub和Microsoft Docs的文档，但是我仍然不清楚如何实现它. 顺便说一下，我正在使用以下Microsoft Graph软件包:

I've read a lot of docs @ GitHub and Microsoft Docs but it's still not clear in my mind how to implement this. By the way, I'm using these Microsoft Graph packages:

  <package id="Microsoft.Graph" version="1.15.0" targetFramework="net461" />
  <package id="Microsoft.Graph.Auth" version="0.1.0-preview.2" targetFramework="net461" />
  <package id="Microsoft.Graph.Core" version="1.15.0" targetFramework="net461" />

我想我并没有采取这种矫正措施，因为与其为应用程序获取令牌，不如为用户获取令牌.我应该改用clientApp.AcquireTokenOnBehalfOf吗?

I guess I'm not approaching this correclty because instead of acquiring a token for the application I should acquire a token for the user. Should I use clientApp.AcquireTokenOnBehalfOf instead?

如果是，建议使用Microsoft Graph API SDK为当前登录用户获取令牌的推荐方法是什么?

If so what's the recommended way of acquiring a token for the currently logged in user using Microsoft Graph API SDK?

你能阐明一些想法吗?

###### 编辑 #######

使用此功能，我可以取得一些进步:

I was able to make some progress using this:

var bearerToken = ClaimsPrincipal.Current.Identities.First().BootstrapContext as string;

JwtSecurityToken jwtToken = new JwtSecurityToken(bearerToken);

var userAssertion = new UserAssertion(jwtToken.RawData, "urn:ietf:params:oauth:grant-type:jwt-bearer");

IEnumerable<string> requestedScopes = jwtToken.Audiences.Select(a => $"{a}/.default");

var authResult = clientApp.AcquireTokenOnBehalfOf(new[] { MSGraphScope }, userAssertion).ExecuteAsync().GetAwaiter().GetResult();

return authResult.AccessToken;

但是现在我得到了错误:

but now I'm getting the error:

权限不足，无法完成操作. authorization_requestdenied

insufficient privileges to complete the operation. authorization_requestdenied

推荐答案

经过长时间的调试(大约8个小时)，看到

After a long debugging session (8 hours or so) I was finally able to get what I wanted after I saw this answer by @Michael Mainer.

这是我编写的正确"代码:

This is the "right" code I put together:

public async Task<User> ChangeUserPassword(UserPasswordModel userPasswordModel)
{
    try
    {
        var graphUser = ClaimsPrincipal.Current.ToGraphUserAccount();

        var newUserInfo = new User()
        {
            PasswordProfile = new PasswordProfile
            {
                Password = userPasswordModel.NewPassword,
                ForceChangePasswordNextSignIn = false
            },
        };

        // Update the user...
        return await graphClient.Users[graphUser.ObjectId].Request().UpdateAsync(newUserInfo);
    }
    catch(Exception e)
    {
        throw e;
    }
}

注意1:使用的是graphClient.Users[graphUser.ObjectId]而不是graphClient.Me

注意2:.ToGraphUserAccount()来自Microsoft.Graph.Auth.

Note 2: .ToGraphUserAccount() is from Microsoft.Graph.Auth.

我在 Postman 中有一个示例PATCH请求，该请求正确地为用户设置了新密码.

I had a sample PATCH request in Postman that correctly set a new password for the user.

Postman的Authorization请求标头中使用的访问令牌具有与我通过Microsoft Graph API获取的格式/属性相同的格式\属性.我只是使用 jwt.io 进行了比较.所以我一定打错了电话...

The Access Token used in Postman's Authorization request-header had the same format\properties from the one I was acquiring with Microsoft Graph API. I just compared them using jwt.io. So I must've been calling something wrongly...

我改用clientApp.AcquireTokenForClient:

var authResult = await clientApp.AcquireTokenForClient(new[] { MSGraphScope }).ExecuteAsync();

return authResult.AccessToken;

其中:

MSGraphScope = "https://graph.microsoft.com/.default"

这篇关于资源“此处的GUID值"不存在，或者其查询的参考属性对象之一不存在的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！