Authorization_IdentityNotFound on Microsoft Graph API request the first time


Problem description

It is now 2021, but I am running into this issue again....

When calling the /users MS Graph API, it says:

{
    "error": {
        "code": "Authorization_IdentityNotFound",
        "message": "The identity of the calling application could not be established.",
        "innerError": {
            "request-id": "b2d9ec62-0b65-44eb-9e0f-4aec52b45750",
            "date": "2021-01-22T10:19:48"
        }
    }
}

I use the 'client credentials' flow, and I have already configured it to get the admin consent in order to get the tenant id. Then I use it to call https://login.microsoftonline.com/{tenantId}/oauth2/token to get a token.

And I configured the permissions/scopes as:

- Directory.Read.All
- User.Read.All
- Calendars.ReadWrite

Or even just:

- Directory.Read.All
- Calendars.ReadWrite

The strange thing is that this error only happens with the token obtained by authorizing the app with a global admin account for the first time. It works if I use a second token obtained a few seconds later. By comparing the two tokens, I found that the difference is that the non-working one doesn't have a `roles: string[]` value in the JWT, while the working one does (see attached images).

[Image: token not working] [Image: token working]

Can anyone help me out? It's very much appreciated!

Thanks

Recommended answer

The reason for the error is not that you lack permissions; it is caused by the delay.

Your idea is correct. The reason why your first token call is unsuccessful is the lack of the roles claim in the token, which means that the permissions were not injected into the first token. When you grant admin consent to the application, it is delayed. If you get the token right away, the token may lack permissions. So please wait a few minutes after you grant admin consent before trying to obtain the token.
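As an added example (not code from the question or the answer), the Python below inspects the `roles` claim of an app-only token before it is ever sent to Graph and re-requests the token while the claim is still missing, which is the condition the answer describes. The token-fetching callback, the retry delay and the two sample tokens are assumptions constructed for the demo; real tokens come from the /oauth2/token endpoint named in the question.

```python
import base64
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_token(claims: dict) -> str:
    # Constructed, unsigned header.payload.signature-shaped token for the demo only.
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"


def decode_payload(token: str) -> dict:
    """Return the JWT payload claims WITHOUT verifying the signature.
    Fine for inspecting a token we just received from the token endpoint before
    using it as a client; never use this in place of validation on a resource server."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(token: str, required: set) -> set:
    """Client-credentials (application) permissions appear in the 'roles' claim.
    A token issued before admin consent has propagated carries no 'roles' at all."""
    return required - set(decode_payload(token).get("roles", []))


def acquire_token_with_roles(fetch_token, required, attempts=5, delay=30, sleep=time.sleep):
    """Call fetch_token() until the token carries every required role; returns (token, tries).
    Waiting here avoids sending a roles-less token to Graph and getting Authorization_IdentityNotFound."""
    for attempt in range(1, attempts + 1):
        token = fetch_token()
        if not missing_roles(token, required):
            return token, attempt
        if attempt < attempts:
            sleep(delay)  # consent propagation delay, as described in the answer
    raise RuntimeError(f"token still lacks roles after {attempts} attempts: {missing_roles(token, required)}")


# Constructed samples: the first token from the question has no 'roles' claim,
# the one issued a few seconds later carries the consented application permissions.
REQUIRED = {"Directory.Read.All", "User.Read.All", "Calendars.ReadWrite"}
FIRST_TOKEN = make_demo_token({"aud": "https://graph.microsoft.com"})
LATER_TOKEN = make_demo_token({"aud": "https://graph.microsoft.com", "roles": sorted(REQUIRED)})

if __name__ == "__main__":
    responses = iter([FIRST_TOKEN, LATER_TOKEN])
    token, tries = acquire_token_with_roles(lambda: next(responses), REQUIRED, sleep=lambda s: None)
    print(f"usable token after {tries} attempts; roles: {decode_payload(token)['roles']}")
```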
