使用Azure AD 1.0端点客户端凭据流调用Microsoft Graph API [英] Call Microsoft Graph API Using Azure AD 1.0 Endpoint Client Credentials Flow

问题描述

是否可以使用通过客户端证书OAuth 2流通过Azure Active Directory 1.0端点获得的访问令牌来访问Microsoft Graph API?

Is it possible to access the Microsoft Graph API using an access token obtained through the Azure Active Directory 1.0 Endpoint with the Client Credentials OAuth 2 flow?

例如:

POST https://login.microsoftonline.com/{mytenant}.onmicrosoft.com/oauth2/token
grant_type=client_credentials,
client_id={app id registered in azure portal},
client_secret={registered app key},
resource=https://graph.microsoft.com

当我使用此请求返回的令牌时，尝试调用 https时收到以下错误://graph.microsoft.com/v1.0/groups .

When I use the token returned from this request, I get the following error trying to call https://graph.microsoft.com/v1.0/groups.

解码后的JWT

标题

{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "HHByKU-0DqAqMZh6ZFPd2VWaOtg",
  "kid": "HHByKU-0DqAqMZh6ZFPd2VWaOtg"
}

有效载荷

{
  "aud": "00000002-0000-0000-c000-000000000000",
  "iss": "https://sts.windows.net/{tenant id}/",
  "iat": 1504804880,
  "nbf": 1504804880,
  "exp": 1504808780,
  "aio": "Y2FgYDiiO8/s3smXRdxLg87zBPRNAwA=",
  "appid": "{client id}",
  "appidacr": "1",
  "idp": "https://sts.windows.net/{tenant id}/",
  "oid": "{enterprise app object id}",
  "sub": "{enterprise app object id}",
  "tenant_region_scope": "NA",
  "tid": "{tenant id}",
  "uti": "uIzrJNpHcEGXoQ4ZKZgqAA",
  "ver": "1.0"
}

{
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "Access token validation failure.",
    "innerError": {
      "request-id": "3537d28e-a061-4430-aef5-4a75bf791d90",
      "date": "2017-09-07T16:38:26"
    }
  }
}

我已经确保该应用程序具有通过门户分配的正确权限.在必需的权限">应用程序权限"下，选择读取和写入所有组".

I've ensured the application has the correct permissions assigned through the portal. Under Required Permissions > Application Permissions, "Read and write all groups" is selected.

Azure门户权限

有什么我想念的东西吗?

Is there anything I'm missing or is this not possible?

推荐答案

在您的JWT令牌中，受众群体值(aud)是错误的.

In your JWT token, the Audience Value (aud) is wrong.

如果您尝试调用https://graph.microsoft.com或其中的任何API，则需要具有aud声明为https://graph.microsoft.com或00000003-0000-0000-c000-000000000000的令牌.

If you are trying to call https://graph.microsoft.com or any of it's APIs, you need a token with the aud claim of https://graph.microsoft.com or 00000003-0000-0000-c000-000000000000.

您拥有的令牌用于AAD Graph API，又称为https://graph.windows.net 00000002-0000-0000-c000-000000000000

The token you have is for the AAD Graph API, https://graph.windows.net a.k.a. 00000002-0000-0000-c000-000000000000

虽然这两个资源在URL和GUID形式上看起来都相似，但它们是完全独立的标识.您应该在整个代码中确认获取访问令牌时正在指定正确的资源值.上面的小样本表明您做的正确，但是令牌表明您做的不正确.

While these two resources look similar in both URL and GUID form, they are completely separate identities. You should confirm throughout your code that you are specifying the correct resource value when retrieving your access token. Your small sample above implies that you are doing it correct, but the token shows that you are not.

这篇关于使用Azure AD 1.0端点客户端凭据流调用Microsoft Graph API的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！