Microsoft Graph API - 删除应用程序权限的新委派权限 [英] Microsoft Graph API - new delegated permission removing application permissions
问题描述
我正在为需要 admin_consent
的多租户应用程序使用 v1 Azure AD 身份验证 URL (/common/oauth2/authorize
).
I'm using the v1 Azure AD auth URLs (/common/oauth2/authorize
) for a multi-tenant app that requires admin_consent
.
我已尝试添加新范围 Directory.AccessAsUser.All
.当我的所有其他范围都是应用程序"级别权限时,这是我请求的第一个委托"权限.
I've attempted to add a new scope Directory.AccessAsUser.All
. It is the first 'delegated' permission I'm requesting when all my other scopes are 'application' level permissions.
当我添加新的委托范围并提示管理员重新同意时,其他范围从返回的 AccessToken
和响应 scope
参数中消失了.access_token
scp
字段中仅存在 Directory.AccessAsUser.All
.
When I added that new delegated scope and prompted the admin to re-consent, the other scopes disappeared from the returned AccessToken
and the responses scope
parameter. Only Directory.AccessAsUser.All
is present in the access_token
scp
field.
是否有任何原因会发生这种行为?我很肯定我们正在为 admin_consent
进行宣传,并且管理员是同意的.
Is there any reason this behavior would occur? I'm positive that we are promoting for admin_consent
and that an admin is the one consenting.
推荐答案
scp
中指定的范围将取决于您用于获取令牌的 OAUTH 流.您不能有一个具有委托 和 应用程序范围的单个 access_token
.
The scopes specified in the scp
will depend on which OAUTH flow you used to obtain the token. You cannot have a single access_token
with both Delegated and Application scopes.
在使用客户端凭据流 (
client_credentials
) 时应用应用程序范围.
Application scopes are applied when using the Client Credentials flow (
client_credentials
).
在使用授权代码或隐式流(authorization_code
或 implicit
)时应用委托范围.
Delegated scopes are applied when using either Authorization Code or Implicit flows (authorization_code
or implicit
).
更新:我写了一篇关于这个主题的更深入的帖子,可能会帮助面临类似问题的人们:应用程序与委托范围.
Update: I've written a more in-depth post about this topic that might help folks facing similar issues: Application vs Delegated Scopes.
这篇关于Microsoft Graph API - 删除应用程序权限的新委派权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!