没有用户委派时如何使用OAuth? -Microsoft Graph API [英] How to use OAuth when there is no user delegation? -- Microsoft Graph API
问题描述
我正在尝试使用Microsoft Graph API来获取有关Azure AD中特定组中的用户的一些信息.我需要将数据作为数据仓库的ETL任务的一部分来获取.当从其他云应用程序中提取数据时,我已经获得了一个API密钥,并将该密钥放置在Authorization标头中.
I am trying to use the Microsoft Graph API to get some information about users in a particular group in Azure AD. I need to get the data as part of an ETL task of a data warehouse. When pulling data from other cloud applications, I have gotten an API key and placed the key in the Authorization header.
OAuth对我来说是陌生的(除了作为用户经历过之外),我觉得我很了解这个概念,但是我确信有些事情我没有正确掌握.
OAuth is new to me (except having experienced it as a user) and I feel like I understand the concept but I am sure there are things that I am not grasping properly.
问题:
我在对 http://graph.microsoft.com/的GET请求中收到401错误v1.0/groups 使用我收到的访问令牌时.
I get a 401 error on GET requests to http://graph.microsoft.com/v1.0/groups when using the access token that I have received.
已采取的步骤:
- 显然,我必须注册一个应用程序-即使我真的不是要在此处构建应用程序-所以我是在apps.dev.microsoft.com的注册门户上注册的.
-
我授予了Microsoft Graph权限(请注意,我是管理员)
- Apparently I have to register an app -- even though I'm really not trying to build an app here -- so I did so on the registration portal at apps.dev.microsoft.com
I granted Microsoft Graph Permissions (Note that I am an Admin)
我尝试使用Powershell来测试数据的提取,如以下代码所示:
I tried using Powershell to test pulling of the data as seen in the code below:
$ uri =" https://login.microsoftonline .com/7b ... 3h/oauth2/v2.0/token "
$body = @{ tenant="7b...3h"
client_id="12...67"
scope="https://graph.microsoft.com/.default"
client_secret="3g...x4"
grant_type="client_credentials"}
$token = Invoke-RestMethod -Uri $uri -Body $body -Method "Post"
$header = @{ Authorization="Bearer " + $token.access_token}
$groups_uri = "https://graph.microsoft.com/v1.0/groups"
$response = Invoke-RestMethod -Uri $groups_uri -Headers $header
我收到令牌,但是当我尝试执行GET请求时,收到401错误.
I receive a token but when I try to do GET request, I receive a 401 error.
我的想法
我感觉需要更改范围,但是当我将范围更改为"Groups.Read.All"时,我收到一条消息,指出它不是有效的范围.我不太确定下一步要去哪里.我读到的有关OAuth的所有内容都是关于委派用户权限的,这不是我要尝试做的事情.我只想通过服务定期提取一些数据.
I feel like the scope needs to be changed but when I change to scope to 'Groups.Read.All', I get a message that it is not a valid scope. I'm not really sure where to go next. Everything I read about OAuth is about delegating the permissions of a user which is not what I'm trying to do. I just want to periodically pull some data with a service.
推荐答案
The Get access without a user article seems to align with your scenario -- perhaps compare the information in that article with what you're doing, to determine if there's a disconnect somewhere?
鉴于您收到401错误(未经授权),我怀疑管理员未明确同意您要执行的操作对您的应用程序的同意.在我上面链接的文章中,请参阅 3部分.获取管理员同意,以获取有关如何获得管理员同意的详细信息.
Given that you're receiving a 401 error (unauthorized), I'd suspect that perhaps your application hasn't explicitly been granted consent by an Administrator for the action(s) you're trying to perform. In the article that I've linked to above, see section 3. Get administrator consent for details about how to get admin consent.
这篇关于没有用户委派时如何使用OAuth? -Microsoft Graph API的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
