Where can I find APP ID URI for Microsoft App?

Problem description

I am trying to log in as my registered app, with the permissions granted on: Azure Portal > App registrations > App registrations (Preview) > My App Name - API permissions

According to this documentation, I have to pass my resource identifier (APP ID URI) in the scope parameter when requesting a token. I am certain that this scope parameter is the one causing me problems.

I have tried different parameters of the scope.

  1. https://graph.microsoft.com/.default: This works for basic functions, like reading the calendar, but I believe that the default permissions are very little for my needs. Since this works, I believe my other parameters are correct, and the scope is the problem.

  2. [APP-ID]/.default: This gives me a successful response; however, whenever I try to make any request, including the basic read calendar request, I get InvalidAuthenticationToken. I can assure you that I am passing the correct token retrieved from the token request.

  3. Multiple different URL combinations based on online suggestions. All of them return:

"The resource principal {resource-url} was not found in tenant {id}."

I strongly believe the problem is that I am not passing the correct APP ID URI for my application. Can anyone tell me where I can find this resource? Everything I have searched online is 2+ years old and does not seem to be the same for the new Azure portal.

Recommended answer

For Client Credentials (i.e. getting a token without a user), you need to pass https://graph.microsoft.com/.default as your scope.

The permissions https://graph.microsoft.com/.default provides are the "Application permissions" you specified when registering the application in the portal:

Once you've added all the "Application permissions" you need for your application, you need to "Grant consent" for those scopes in your tenant (this is the button at the bottom of the API permissions tab).

Once you have these in place, you need to issue a POST to the /token endpoint (line-breaks are just for readability, this should be a single string):

POST https://login.microsoftonline.com/{{tenantDomain}}/oauth2/token
Content-Type: application/x-www-form-urlencoded

client_id={your-app-id}
&scope=https://graph.microsoft.com/.default
&client_secret={your-client-secret}
&grant_type=client_credentials

This will return you something like this:

{
    "token_type": "Bearer",
    "expires_in": "3600",
    "ext_expires_in": "3600",
    "expires_on": "1554431330",
    "not_before": "1554427430",
    "resource": "00000003-0000-0000-c000-000000000000",
    "access_token": "eyJ0eXAiOiJKV1QiLCJub25jZS..."
}

When you call into Graph you need to set the Authorization header to token_type access_token. So calling /users would look like this:

GET https://graph.microsoft.com/v1.0/users
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub25jZS...
Host: graph.microsoft.com
Accept: application/json
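
When a token request succeeds but Graph answers InvalidAuthenticationToken, as in the question's [APP-ID]/.default attempt, reading the token's `aud` and `roles` claims shows which resource the token was issued for and which application permissions it carries. The Python below is an added example, not code from the original question or answer; the helper names and sample tokens are constructed for illustration, and the set of accepted Graph audience values is an assumption.

```python
import base64
import json

# Assumed audience values for Microsoft Graph: the URL form, and the GUID
# shown in the "resource" field of the token response above.
GRAPH_AUDIENCES = {
    "https://graph.microsoft.com",
    "00000003-0000-0000-c000-000000000000",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def read_claims(access_token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(access_token: str) -> dict:
    """Report whether the token is addressed to Graph and which app roles it carries."""
    claims = read_claims(access_token)
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # "aud" may be a string or a list
    return {
        "aud": aud,
        "for_graph": any(a in GRAPH_AUDIENCES for a in audiences),
        "roles": claims.get("roles", []),  # consented application permissions
    }


def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned sample token so the example runs offline.
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    graph = make_sample_token({"aud": "https://graph.microsoft.com", "roles": ["User.Read.All"]})
    own_app = make_sample_token({"aud": "11111111-2222-3333-4444-555555555555"})
    print(diagnose(graph))    # addressed to Graph, carries one app role
    print(diagnose(own_app))  # addressed to the app itself, so Graph rejects it
```

An empty `roles` list on a token that is addressed to Graph points at missing application permissions or missing consent rather than at the scope value.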
