Microsoft图形其余API Beta:Azure ad b2c中api创建的应用程序无效 [英] microsoft graph rest api beta: application created by api in azure ad b2c is not valid
问题描述
我正在按照以下文档尝试使用Beta API创建广告应用程序: >: //docs.microsoft.com/zh-CN/graph/api/application-post-applications?view=graph-rest-beta&stabs=http
i'm trying to create ad application using beta api by following this document: https://docs.microsoft.com/en-us/graph/api/application-post-applications?view=graph-rest-beta&tabs=http
可以按预期在Azure AD B2C(不是 Azure Active Directory)中成功创建应用程序.问题是当我尝试从门户网站打开此应用程序时,页面只会继续加载,而应用程序信息却从不显示.我可以看到浏览器开发工具出现了错误:
the application can be successfully created in Azure AD B2C (not Azure Active Directory) as expected. the issue is when i'm trying to open this app from portal, the page just keeps loading while the app information never shows. i can see there's an error from browser dev tool:
The following request returns 404 error: https://main.b2cadmin.ext.azure.com/api/ApplicationV2/GetApplication?tenantId=mytestb2ctenant.onmicrosoft.com&applicationId=560df329-47f5-497b-a1d3-08e9e8208062
我可以验证applicationId确实是我新创建的广告应用的appid.不知道为什么会得到notfound错误.
I can verify the applicationId is indeed the appid of my newly created ad app. not sure why getting the notfound error.
然后,我在b2c广告中手动创建了另一个应用.我比较了从 get-application rest api.唯一的区别是手动创建的一个具有默认的 user_impersonation API范围,而另一个则没有.也许这会导致错误.
Then I manually created another app in my b2c ad. I compared the returned schema from get-application rest api for these two apps. the only difference is the manually created one has a default user_impersonation api scope, while other one does not. maybe this causes the error.
这是我创建广告应用程序的完整powershell脚本:
here's my complete powershell script to created ad app:
$b2cDomain = "mytestb2ctenant.onmicrosoft.com"
$applications = "https://graph.microsoft.com/beta/applications"
$headers = @{
"Authorization" = $accessToken;
}
@app = "mytestapp"
$request = @{
displayName = $app
identifierUris = @("https://$b2cDomain/api")
signInAudience = "AzureADandPersonalMicrosoftAccount"
web = @{
redirectUris = @("https://any.valid.url")
implicitGrantSettings = @{
enableIdTokenIssuance = $false
enableAccessTokenIssuance = $true
}
}
isFallbackPublicClient= $false
}
$body = $request | ConvertTo-Json
Log "creating ad app: $app"
$appResponse = Invoke-RestMethod `
-Uri $applications `
-Method Post `
-Headers $headers `
-ContentType "application/json" `
-Body $body
我是否错过了请求架构的任何内容?就像手动创建一样,如何从rest api创建有效的应用程序?
推荐答案
请记住不要在生产中使用Microsoft Graph beta API,因为它们可能会发生变化.
Please remember not to use Microsoft Graph beta apis in production since they are subject to change.
对于要在AAD B2C中成功运行的应用程序(获取令牌),它具有以下要求
For an application to successfully work in AAD B2C(get a token), it has following requirements
- 服务负责人
- 同意openid和offline_access作用域 租户中的Microsoft Graph服务主体
- A service principal
- Consent to openid and offline_access scope on Microsoft Graph service principal in the tenant
服务主体api现在处于Beta中. OAuth2Permissions api 是也在beta中.
The service principal apis are in Beta right now. The OAuth2Permissions api are in beta as well.
算法是
- 使用应用程序api创建应用程序
- 创建服务主体(使其称为clientSP).
- 使用服务主体api在租户中查找与Microsoft Graph应用程序(AppId#00000003-0000-0000-c000-000000000000)对应的服务主体.该服务主体始终由Azure AD在目录中创建,因此您只需要搜索它即可.让我们称之为ResourceSP
- 使用OAUTH2Permissions api在openSP和offline_access范围的ResourceSP上创建并授予对clientSP的同意.
- Create an app using application api
- Create a Service principal for it (lets call it clientSP).
- Find service principal corresponding to Microsoft Graph app (AppId # 00000003-0000-0000-c000-000000000000) in tenant using service principal apis. This service principal is always created by Azure AD in the directory so you just need to search for it. Lets call is ResourceSP
- Use OAUTH2Permissions api to create and grant consent to clientSP on ResourceSP for openid and offline_access scopes.
此处的示例应有所帮助- https://github.com/valnav /Azure-AD-B2C-App-Graph .
The sample here should help - https://github.com/valnav/Azure-AD-B2C-App-Graph.
这篇关于Microsoft图形其余API Beta:Azure ad b2c中api创建的应用程序无效的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
