Graph API拒绝访问,即使我已授予访问权限 [英] Graph API denies access even though I granted access
问题描述
我遵循了ASP.NET 快速入门指南,并得到了该项目正在工作.
I followed the ASP.NET Quick Start guide and got the project working.
API成功检索了我的电子邮件地址-很好.
The API succeeds in retrieving my email address just fine - great.
现在,我想获取用户列表并检索其一些属性.
Now I want to get a list of users and retrieve some of their properties.
在GraphService
中:
public async Task GetUsers(GraphServiceClient graphClient)
{
var users = await graphClient.Users.Request().Select("mail").GetAsync();
}
致电给我(复制方法以检索用户电子邮件)
Which I call with (copying the method to retrieve user email):
var graphClient = SDKHelper.GetAuthenticatedClient();
await graphService.GetUsers(graphClient);
但是我得到一个错误
{代码:Authorization_RequestDeniedMessage:权限不足,无法完成操作.内部错误}
{Code: Authorization_RequestDeniedMessage: Insufficient privileges to complete the operation.Inner error}
即使我设置了这些特权:
Even though I set these privelages:
为什么要这么困难?我正在连接到API并获得了自己的电子邮件地址,但我无能为力...
Why must this be so difficult? I am connecting to the API and getting my own email address, but I can't do anything else...
当我在Graph Explorer中运行https://graph.microsoft.com/v1.0/users
时,它返回的所有用户都很好...
When I run https://graph.microsoft.com/v1.0/users
in the Graph Explorer it returns all the users just fine...
请有人帮助
推荐答案
如果您指的是此示例应用程序,那么我想提及的是它获取了访问令牌,它利用了 web.config
文件,通过ida:GraphScopes
键.换句话说,无论通过应用程序注册授予了什么权限,都将通过ida:GraphScopes
键指定的范围请求访问令牌.
If you are referring to this sample application, then i want to mention to acquire access token it utilizes ConfidentialClientApplication.AcquireTokenSilentAsync
method which accepts as a first parameter the list of scopes requested for resource. Those scopes (delegated permissions) are specified in web.config
file via ida:GraphScopes
key. In another words, no matter what permissions have been granted via app registration, access token will be requested per scopes specified via ida:GraphScopes
key.
话虽如此,但要使此请求有效:
Having said that, to make this request working:
public async Task<IGraphServiceUsersCollectionPage> GetUsers(GraphServiceClient graphClient)
{
return await graphClient.Users.Request().Select("mail").GetAsync();
}
您可以在web.config中显式更新委派的权限:
you could explicitly update the delegated permissions in web.config:
<add key="ida:GraphScopes" value="User.Read User.ReadBasic.All"/>
如何验证访问令牌
访问令牌的权限可以通过此或
The permissions for access token could be validated via this or this service. Once decoded, delegated permissions are represented via scp
attribute, for example:
scp: "Files.ReadWrite Mail.Send User.Read"
这篇关于Graph API拒绝访问,即使我已授予访问权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!