权限不足,无法在 Graph API 中列出群组成员 [英] Insufficient privileges to list group members in Graph API
问题描述
我正在构建一个由 SPA(角度)调用的 API.用户使用 Azure AD 进行身份验证,API 使用 AzureAdBearer 进行身份验证.
我需要后端代表用户调用图形 API 来列出 AD 组的成员.
我使用了一个 IAuthenticationProvider
来处理使用此代码的身份验证:
var app = ConfidentialClientApplicationBuilder.Create("{my client id}").WithAuthority("https://login.microsoftonline.com/{我的租户ID}").WithClientSecret({我的后端秘密}).WithLogging(Log, Microsoft.Identity.Client.LogLevel.Info, true).建造();var token = await _httpContextAccessor.HttpContext.GetTokenAsync("access_token");var userAssertion = new UserAssertion(token);var result = await app.AcquireTokenOnBehalfOf(new[] { "https://graph.microsoft.com/.default" }, userAssertion).ExecuteAsync();request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
结果是成功的,当我使用 jwt.ms 检查我的令牌时,一切似乎都是正确的,这里是它的摘录:
"aud": "https://graph.microsoft.com","iss": "https://sts.windows.net/{我的租户 ID}/",[...]"app_displayname": "我的应用程序","appid": "{我的客户 ID}",[...]"scp": "User.ReadBasic.All profile openid email",[...]
但是在使用 GraphApiClient 的这个调用中:
var client = new GraphServiceClient(authProvider);var users = await client.Groups["group guid"].Members.Request().GetAsync();
我收到此错误:
代码:Authorization_RequestDenied消息:权限不足,无法完成操作.
这个调用 var users = await client.Groups["group guid"].Members.Request().GetAsync();
需要一个 组权限(即Group.Read.All
).
您只有 用户权限(即User.ReadBasic.All
).
I'm building an API which is called by a SPA (angular). The user is authenticated using Azure AD and the API uses AzureAdBearer for its authentication.
I need the backend to call graph api on behalf of the user to list members of an AD Group.
According to this documentation, I need one of these permissions:
User.ReadBasic.All, User.Read.All, Group.Read.All, Directory.Read.All
So I have added User.ReadBasic.All to my api permissions list in the app registration of my backend.
I used an IAuthenticationProvider
to handle the authentication using this code:
var app = ConfidentialClientApplicationBuilder.Create("{my client id}")
.WithAuthority("https://login.microsoftonline.com/{my tenant id}")
.WithClientSecret({my backend secret})
.WithLogging(Log, Microsoft.Identity.Client.LogLevel.Info, true)
.Build();
var token = await _httpContextAccessor.HttpContext.GetTokenAsync("access_token");
var userAssertion = new UserAssertion(token);
var result = await app.AcquireTokenOnBehalfOf(new[] { "https://graph.microsoft.com/.default" }, userAssertion)
.ExecuteAsync();
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
The result is successful, when I check my token using jwt.ms everything seems correct, here is an extract of it:
"aud": "https://graph.microsoft.com",
"iss": "https://sts.windows.net/{my tenant id}/",
[...]
"app_displayname": "My app",
"appid": "{my client id}",
[...]
"scp": "User.ReadBasic.All profile openid email",
[...]
However on this call using the GraphApiClient:
var client = new GraphServiceClient(authProvider);
var users = await client.Groups["group guid"].Members.Request().GetAsync();
I get this error:
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
This call var users = await client.Groups["group guid"].Members.Request().GetAsync();
requires a group permission (i.e.Group.Read.All
).
You only have user permissions right now (i.e.User.ReadBasic.All
).
这篇关于权限不足,无法在 Graph API 中列出群组成员的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!