Graph API拒绝访问，即使我已授予访问权限 [英] Graph API denies access even though I granted access

问题描述

我遵循了ASP.NET 快速入门指南，并得到了该项目正在工作.

I followed the ASP.NET Quick Start guide and got the project working.

API成功检索了我的电子邮件地址-很好.

The API succeeds in retrieving my email address just fine - great.

现在，我想获取用户列表并检索其一些属性.

Now I want to get a list of users and retrieve some of their properties.

在GraphService中:

public async Task GetUsers(GraphServiceClient graphClient)
{
    var users = await graphClient.Users.Request().Select("mail").GetAsync();
}

致电给我(复制方法以检索用户电子邮件)

Which I call with (copying the method to retrieve user email):

var graphClient = SDKHelper.GetAuthenticatedClient();

await graphService.GetUsers(graphClient);

但是我得到一个错误

{代码:Authorization_RequestDeniedMessage:权限不足，无法完成操作.内部错误}

{Code: Authorization_RequestDeniedMessage: Insufficient privileges to complete the operation.Inner error}

即使我设置了这些特权:

Even though I set these privelages:

为什么要这么困难?我正在连接到API并获得了自己的电子邮件地址，但我无能为力...

Why must this be so difficult? I am connecting to the API and getting my own email address, but I can't do anything else...

当我在Graph Explorer中运行https://graph.microsoft.com/v1.0/users时，它返回的所有用户都很好...

When I run https://graph.microsoft.com/v1.0/users in the Graph Explorer it returns all the users just fine...

请有人帮助

推荐答案

如果您指的是此示例应用程序，那么我想提及的是它获取了访问令牌，它利用了

If you are referring to this sample application, then i want to mention to acquire access token it utilizes ConfidentialClientApplication.AcquireTokenSilentAsync method which accepts as a first parameter the list of scopes requested for resource. Those scopes (delegated permissions) are specified in web.config file via ida:GraphScopes key. In another words, no matter what permissions have been granted via app registration, access token will be requested per scopes specified via ida:GraphScopes key.

话虽如此，但要使此请求有效:

Having said that, to make this request working:

public async Task<IGraphServiceUsersCollectionPage> GetUsers(GraphServiceClient graphClient)
{
   return await graphClient.Users.Request().Select("mail").GetAsync();
}

您可以在web.config中显式更新委派的权限:

you could explicitly update the delegated permissions in web.config:

<add key="ida:GraphScopes" value="User.Read User.ReadBasic.All"/>    

如何验证访问令牌

访问令牌的权限可以通过此或

The permissions for access token could be validated via this or this service. Once decoded, delegated permissions are represented via scp attribute, for example:

scp: "Files.ReadWrite Mail.Send User.Read"

这篇关于Graph API拒绝访问，即使我已授予访问权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！