Requests to MS Graph API gives me "Authorization Request Denied - Insufficient privileges to complete the operation"


Problem description


I have a question about "Authorization Request Denied - Insufficient privileges to complete the operation" message that I keep getting back from my requests to Windows Graph API.

Specifically, I'm working in Azure cloud. I have an iOS mobile app that invokes an API. I have turned on "Authentication for Active Directory" in my Portal.

Then, on the client side (iOS):

[self.todoService.client loginWithProvider:@"windowsazureactivedirectory"
                                controller:self
                                  animated:YES
                                completion:^(MSUser *user, NSError *error) {

                                    if(!error && user) {
                                        [self refresh];

                                    } 
                                }]; //loginWithProvider

So it returns a valid MSUser object. I see the web login controller appear, I sign in with my un/pw, and then it lets me access my Easy Table's data...etc.

Now, I want to invoke an Easy API that I've created in Azure called getUserData. Hence, I simply insert the invokeAPI code like this (iOS):

[self.todoService.client loginWithProvider:@"windowsazureactivedirectory"
                                controller:self
                                  animated:YES
                                completion:^(MSUser *user, NSError *error) {

                                    if(!error && user) {

                                        //NSMutableDictionary * dict = [NSMutableDictionary dictionary];
                                        //[dict setObject:@YES forKey:@"complete"];

                                        NSLog(@"%s - %@", __FUNCTION__, user);
                                        [self refresh];

                                        [self.todoService.client invokeAPI:@"getUserData"
                                                                      body:nil
                                                                HTTPMethod:@"POST"
                                                                parameters:nil
                                                                   headers:nil
                                                                completion:^(id  _Nullable result, NSHTTPURLResponse * _Nullable response, NSError * _Nullable error) {
                                                                    NSLog(@"%s - API returned response! ", __FUNCTION__);
                                                                    NSLog(@"%@", result); //TODO: user info here!! :D

                                                                }]; //invokeAPI

                                    } //if user returned from AAD login is valid

                                }]; //loginWithProvider

Everything is fine as the API is called and I can see the response data.

On the server side (Node JS), I basically do 3 things:

1st is to get the user object id from the request object:

req.azureMobile.user.getIdentity().then((data) => {
   //get user object ID
});

2nd, make a request to https://login.windows.net to get an Access Token with a username/password.

var options = {
    url: "https://login.windows.net/" + tenant_domain + "/oauth2/token?api-version=1.0",
    method: 'POST',
    form: {
        grant_type: "client_credentials",
        resource: "https://graph.windows.net",
        client_id: clientID,
        client_secret: key
    }
};

req(options, function (err, resp, body) {
    //get the result back
});

I get a whole bunch of data back including the Access Token.

3rd, make a request to https://graph.windows.net/, and provide this Access Token along with my User Object ID:

var options = {
    url: "https://graph.windows.net/" + tenant_domain + "/users/" + objectId + "?api-version=1.0",
    method: 'GET',
    headers: {
        "Authorization": "Bearer " + access_token
    }
};

This is so that I can get User data. Now, in a separate test Subscription, I set up all the basic read permissions for AAD and Graph in my AAD management. I successfully get the user's full data back like so:

user =     {
    accountEnabled = 1;
    assignedLicenses =         (
    );
    assignedPlans =         (
    );
    city = xxxxxxxxx;
    country = xxxxxxxxxx;
    department = Dev;
    dirSyncEnabled = "<null>";
    displayName = xxxxxx;
    facsimileTelephoneNumber = "<null>";
    givenName = hehe;
    jobTitle = "iOS dev";
    lastDirSyncTime = "<null>";
    mail = "<null>";
    mailNickname = "xxxxxxxxxx.com#EXT#";
    mobile = "+xx xxx xxxx 3852";
    objectId = "xxxxxxx-2c70-4aab-b261-3b2b97dc5c50";
    objectType = User;
    "odata.metadata" = "https://graph.windows.net/xxxxxxxxxx.onmicrosoft.com/$metadata#directoryObjects/Microsoft.WindowsAzure.ActiveDirectory.User/@Element";
    "odata.type" = "Microsoft.WindowsAzure.ActiveDirectory.User";
    otherMails =         (
        "xxxxxxxxxxxx@gmail.com"
    );
...etc
}

However, in another subscription, I did the exact same steps. Even going as far as checking all the permissions like so:

I keep getting an "Authorization Request Denied, Insufficient privileges" message. The error is null so I know everything else went through correctly.

I can't figure out why because everything processes through and I checked all of my AAD and Graph permissions.

log result:

-----body------

'{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}'

Thanks for any help, and appreciate everyone's time

Solution

You can try to upgrade the role of the AD application you use to an administrator permission. Run the following commands in PowerShell:

Connect-MsolService
$ClientIdWebApp = '{your_AD_application_client_id}'
$webApp = Get-MsolServicePrincipal -AppPrincipalId $ClientIdWebApp
# Use Add-MsolRoleMember to add it to the "Company Administrator" role.
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId
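
A way to see what the token itself carries, as an added example that is not part of the original question or answer: it decodes the app-only access token returned by the `client_credentials` request and reports whether the expected application permission appears in its `roles` claim. The function names, the sample tokens and the choice of `Directory.Read.All` as the required permission are assumptions for illustration, and the signature is not verified.

```javascript
// Added example: diagnose an app-only Azure AD access token by reading its claims.
// The signature is NOT verified; this is for troubleshooting, not for trust decisions.

function decodeJwtPayload(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT (expected 3 segments)");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/"); // base64url -> base64
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// requiredRoles: application permissions the call is assumed to need.
function diagnoseToken(token, expectedAudience, requiredRoles, nowMs = Date.now()) {
  const claims = decodeJwtPayload(token);
  const norm = (s) => String(s || "").replace(/\/+$/, "").toLowerCase();
  const granted = Array.isArray(claims.roles) ? claims.roles : [];
  const missing = requiredRoles.filter((r) => !granted.includes(r));
  const findings = [];
  if (norm(claims.aud) !== norm(expectedAudience)) {
    findings.push("audience mismatch: " + claims.aud);
  }
  if (typeof claims.exp === "number" && claims.exp * 1000 <= nowMs) {
    findings.push("token expired");
  }
  if (missing.length > 0) {
    findings.push("missing application permissions: " + missing.join(", "));
  }
  return { appId: claims.appid, granted, missing, findings };
}

// Constructed sample tokens (placeholder app id, fake signature), built inline.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return enc({ typ: "JWT", alg: "RS256" }) + "." + enc(claims) + ".constructed-signature";
}

const SAMPLE_NOW_MS = 1700000000000;
const base = { aud: "https://graph.windows.net", appid: "00000000-0000-0000-0000-000000000000", exp: 1700003600 };
const tokenWithoutRoles = makeSampleToken(base);
const tokenWithRole = makeSampleToken({ ...base, roles: ["Directory.Read.All"] });

for (const t of [tokenWithoutRoles, tokenWithRole]) {
  console.log(diagnoseToken(t, "https://graph.windows.net/", ["Directory.Read.All"], SAMPLE_NOW_MS));
}
```

To use it on a real response, pass the `access_token` value from the second step in place of the sample tokens.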
