如何使用具有客户端授权的Microsoft.Graph而不获取401 [英] How to use Microsoft.Graph with client authorization and not get a 401
问题描述
我们有
- 创建了Azure Active Directory
- 创建了一个新应用程序
- 在Azure AD中注册新的应用程序
- 已授予API的所有权限
- 授予的管理员权限
现在我们使用此应用程序凭据登录
Now we login with this app credentials
我们获得授权:
GET /1111111-aaaa-4fd3-bf32-9bfc460f67b1/oauth2/v2.0/authorize HTTP/1.1
Host: login.microsoftonline.com
cache-control: no-cache
Postman-Token: 111111-aaaa-4696-9828-9110670706c5
我们获得了令牌:
POST /11111111-aaaa-4fd3-bf32-9bfc460f67b1/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
cache-control: no-cache
Postman-Token: 11111111-aaaa-47e4-b2fb-6b94cd02312a
client_id=11111111-aaaa-482e-ab17-86e4c2c6240c
scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
client_secret=aaaaaaaaaaaDJk6jBJ%2FuBRJM6AFxyFIDMKn867hmvU%3D
grant_type=client_credentials
使用jwt.io分析的令牌:
The token analyzed with jwt.io:
{
"aud": "https://graph.microsoft.com",
"iss": "https://sts.windows.net/1111111-ccc6-4fd3-bf32-9bfc460f67b1/",
"iat": 1541603660,
"nbf": 1541603660,
"exp": 1541607560,
"aio": "42RgYFB+/Gyh8uF3yl+uKU7km//kFwA=",
"app_displayname": "ToDoListService",
"appid": "1111111-4e99-482e-ab17-86e4c2c6240c",
"appidacr": "1",
"idp": "https://sts.windows.net/1111111-ccc6-4fd3-bf32-9bfc460f67b1/",
"oid": "1111111-98fb-4a47-af7f-d3800dde2f7b",
"roles": [
"Chat.UpdatePolicyViolation.All",
"Calls.JoinGroupCall.All",
"EduRoster.Read.All",
"OnlineMeetings.Read.All",
"Mail.ReadWrite",
"OnlineMeetings.ReadWrite.All",
"Device.ReadWrite.All",
"User.ReadWrite.All",
"Domain.ReadWrite.All",
"Application.ReadWrite.OwnedBy",
"SecurityEvents.Read.All",
"Calendars.Read",
"EduAssignments.ReadWrite.All",
"People.Read.All",
"Application.ReadWrite.All",
"Calls.InitiateGroupCall.All",
"Group.Read.All",
"Directory.ReadWrite.All",
"EduAssignments.ReadWriteBasic.All",
"MailboxSettings.Read",
"EduAdministration.Read.All",
"Calls.JoinGroupCallAsGuest.All",
"Sites.Read.All",
"Sites.ReadWrite.All",
"Contacts.ReadWrite",
"Group.ReadWrite.All",
"Sites.Manage.All",
"SecurityEvents.ReadWrite.All",
"Notes.Read.All",
"User.Invite.All",
"EduRoster.ReadWrite.All",
"Files.ReadWrite.All",
"Directory.Read.All",
"User.Read.All",
"EduAssignments.ReadBasic.All",
"EduRoster.ReadBasic.All",
"Files.Read.All",
"Mail.Read",
"Chat.Read.All",
"ChannelMessage.Read.All",
"EduAssignments.Read.All",
"Calendars.ReadWrite",
"identityriskyuser.read.all",
"EduAdministration.ReadWrite.All",
"Mail.Send",
"ChannelMessage.UpdatePolicyViolation.All",
"MailboxSettings.ReadWrite",
"Contacts.Read",
"IdentityRiskEvent.Read.All",
"AuditLog.Read.All",
"Member.Read.Hidden",
"Calls.AccessMedia.All",
"Sites.FullControl.All",
"Reports.Read.All",
"Calls.Initiate.All",
"Notes.ReadWrite.All"
],
"sub": "1111111-98fb-4a47-af7f-d3800dde2f7b",
"tid": "1111111-ccc6-4fd3-bf32-9bfc460f67b1",
"uti": "hxPwbjRRm0y6SI8hxuckAA",
"ver": "1.0",
"xms_tcdt": 1541414851
}
您可以看到我们获得了所有必要的权限.
You can see that we get all the necesary permissions.
此请愿书有效
https://graph.microsoft.com/v1.0/Users/
或
https://graph.microsoft.com/beta/Users/
但不是这个:
https://graph.microsoft.com/beta/Users/<user-id>/Calendars
也不是这个
https://graph.microsoft.com/beta/users/<user-id>/sendMail
它们都返回401:
{
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"request-id": "019ddc83-6528-4f19-95cc-8b99ea53a046",
"date": "2018-11-07T16:03:55"
}
}
}
我认为我们已经获得了所有必要的权限,配置...等...为什么它不起作用? :'(
I think that we had got all the necessary permission, configuration... etc... so why isn't it working? :'(
[更新]
获取日历的详细通话
GET /v1.0/Users/<user-id>/Calendars HTTP/1.1
cache-control: no-cache
Postman-Token: xxxxxxxxxxxxxxxxxxxxxxx
Authorization: Bearer xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
User-Agent: PostmanRuntime/7.3.0
Accept: */*
Host: graph.microsoft.com
accept-encoding: gzip, deflate
Connection: close
响应
HTTP/1.1 401 Unauthorized
Cache-Control: private
Transfer-Encoding: chunked
Content-Type: application/json
request-id: 11111111-aaaa-aaaa-a115-e09bb6f09917
client-request-id: 11111111-aaaa-aaaa-a115-e09bb6f09917
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"North Europe","Slice":"SliceC","Ring":"3","ScaleUnit":"001","Host":"AGSFE_IN_34","ADSiteName":"NEU"}}
Duration: 377.0084
Strict-Transport-Security: max-age=31536000
Date: Thu, 08 Nov 2018 09:16:03 GMT
Connection: close
c6
{
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"request-id": "2bb9a7c1-f8a3-4c1f-a115-e09bb6f09917",
"date": "2018-11-08T09:16:04"
}
}
}
0
推荐答案
首先让我注意到您已经在公共论坛上发布了客户机密:)还有一个对您的租户有豪华权限的人.我希望您现在已经更改了客户机密.
let me start by first of all noticing that you have posted a client secret on a public forum :) And one that has luxurious permission on your tenant. I hope you have changed the client secret by now.
但是要回到您的问题上-我将不得不再详细询问一下,以更好地了解您的实际结果:
But to get back to your question - I will have to ask a bit more in detail to get a better understanding of what your actual results were:
- 根据您的JWT打印输出,您将获得V1令牌,但使用的是客户端凭据流(字段"ver"设置为1.0).此处的Microsoft文档在没有用户的情况下获得访问权限明确指出:您应该在这种情况下使用V2令牌访问Microsoft Graph.因此,第一个问题是:是否使用V2门户创建了Azure应用: https://apps.dev. microsoft.com/?如果不是,那么可能是问题所在.
- 手动测试时一个更常见的问题-您是否确定从/token端点获取令牌到测试API调用之前令牌都没有过期?
- 如果以上都不是-请将您的请求发布到 https://graph.microsoft. com/beta/Users//Calendars端点的详细信息,细节中可能有魔鬼
- According to your JWT printout you are getting a V1 token but using the client credential flow (the field "ver" is set to 1.0). The Microsoft Documentation here Get access without a user explicitly states that you should use a V2 Token to access Microsoft Graph in this scenario. So the first question is: Did you create your Azure App using the V2 Portal: https://apps.dev.microsoft.com/ ? If not then this may be the issue.
- A more common issue when manually testing - Have you made sure that the token had not expired from the time you got it from the /token endpoint up to the time you tested your API call?
- If none of the above - please post your request to the https://graph.microsoft.com/beta/Users//Calendars endpoint in detail, the devil may be in the details
这篇关于如何使用具有客户端授权的Microsoft.Graph而不获取401的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!