Microsoft Graph API: "403 forbidden" error when getting groups conversations


Problem description

In a Node.js script using adal-node, I'm trying to retrieve a group's conversations following parts of this official documentation.

I've created an application in Azure AD administration for my tenant, and temporarily checked all permissions for Graph API (should exclude a "missing permission" problem), then clicked on the "Grant permissions" button.

I'm using a certificate for authentication.

Basically, this is what I'm doing:

var adal = require('adal-node');
var authorityUrl = 'https://login.windows.net/{my-tenant}';
var context = new adal.AuthenticationContext(authorityUrl);
context.acquireTokenWithClientCertificate(
    'https://graph.microsoft.com',
    '{my-app/client-ID}',
    '{certificate file content}',
    '{certificate thumbprint}',
    function(err, tokenResponse) {
        if (err) {
            // token acquisition failed; tokenResponse is not usable
            console.log(err);
            return;
        }
        // this method does an HTTPS call with authorization token & returns results (uses 'https.request()')
        callRestApi(
            'graph.microsoft.com', // host
            443, // port
            '/v1.0/groups/{group-ID}/threads', // path
            'GET', // method
            tokenResponse.accessToken, // token
            function(err, results) {
                console.log(err);
                console.log(results);
            });
    });

When I'm using, for example, /v1.0/groups/{group-ID}/description as path, it works as expected.

However, with /v1.0/groups/{group-ID}/conversations or /v1.0/groups/{group-ID}/threads, I always get an HTTP 403 / Forbidden error (without any further detail in response.headers).

Note that when I try to do the same exact call from the online Graph API Explorer with my tenant admin account, it works as expected.

Recommended answer

AFAIK, as @Marek Rycharski said in the thread, group conversation access is not supported in app-only authorization flow.

In my testing, I used the client credential flow to acquire an app-only token for Microsoft Graph; the difference is that my client credential is a password, and the access token includes the Group.ReadWrite.All application permission. When performing the /v1.0/groups/{group-ID}/conversations operation, the response shows a 403 Forbidden error. But using the authorization code flow to acquire an access token with delegate permission, the list conversations operation works fine.
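
To see which kind of token a script like the one in the question actually obtained, the access token's claims can be inspected before calling the conversations or threads endpoints. The following is an added example, not code from the question or the answer; the function names (`classifyGraphToken`, `explain403`, `makeSampleToken`) and the sample tokens are constructed for illustration.

```javascript
// Added example (not from the original post). Decodes the token for
// troubleshooting only; the signature is NOT verified.
function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a JWT: expected 3 segments');
  // JWT segments are base64url; map to standard base64 before decoding.
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Delegated tokens carry scopes in "scp" (space-separated string);
// app-only tokens carry application permissions in "roles" (array).
function classifyGraphToken(token) {
  const claims = decodeJwtPayload(token);
  const scopes = typeof claims.scp === 'string'
    ? claims.scp.split(' ').filter(Boolean) : [];
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  const kind = scopes.length ? 'delegated' : roles.length ? 'app-only' : 'unknown';
  return { kind, scopes, roles, audience: claims.aud };
}

// Hypothetical helper: turn a 403 on /groups/{id}/conversations or /threads
// into a hint based on the token type.
function explain403(token) {
  const t = classifyGraphToken(token);
  if (t.kind === 'app-only') {
    return 'app-only token (roles: ' + t.roles.join(', ') + '): per the answer, ' +
      'group conversations are not supported in this flow; use a delegated flow';
  }
  if (t.kind === 'delegated') {
    return 'delegated token (scp: ' + t.scopes.join(' ') + '): flow is the one ' +
      'the answer reports as working; check the granted scopes';
  }
  return 'no scp or roles claim: token carries no Graph permissions';
}

// Constructed sample tokens (unsigned, placeholder signature), for offline use.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return enc({ alg: 'none', typ: 'JWT' }) + '.' + enc(claims) + '.constructed';
}

const appOnly = makeSampleToken({ aud: 'https://graph.microsoft.com', roles: ['Group.ReadWrite.All'] });
const delegated = makeSampleToken({ aud: 'https://graph.microsoft.com', scp: 'Group.Read.All User.Read' });
console.log(explain403(appOnly));
console.log(explain403(delegated));
```

In the question's script, `tokenResponse.accessToken` would be the value passed to `classifyGraphToken`.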
