Microsoft Graph API令牌验证失败 [英] Microsoft Graph API token validation failure
问题描述
我会在我的Angular Web应用程序中使用Microsoft Graph API。
I would use Microsoft Graph API in my Angular Web application.
首先我使用 msal library
当我尝试使用我的profil登录时得到此错误
First I make connexion using msal library When I try log in with my profil I get this error
我已将我的应用配置为官方提及的 git sample
I have configured my app as the mentionned in the official git sample
MsalModule.forRoot({
clientID: "Tenant ID",
authority: "https://login.microsoftonline.com/common/",
redirectUri: "http://localhost:4200/",
validateAuthority : true,
popUp: true
}),
认证工作正常,我收到了令牌。
Authetification is working and I get the token.
然后当我在主页时,我做了一秒钟请求Microsoft Graph使用该令牌获取用户信息的API。
Then when I'm in home page I make a second request to Microsoft Graph API to get user information using that token.
getProfile() {
let header= new Headers();
let tokenid= sessionStorage.getItem('msal.idtoken');
header.set('Authorization', 'Bearer ' + tokenid)
let url ="https://graph.microsoft.com/v1.0/me/"
return this.http.get(url,{headers:header});
}
}
我收到401 Unauthorized错误并回复:
I get an 401 Unauthorized error with a response :
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Access token validation failure.",
"innerError": {
"request-id": "xxxxxx",
"date": "2018-10-09T22:58:41"
}
}
}
我不知道为什么MG API不接受我的令牌,我是否使用了错误的授权网址?
I don't know why MG API is not accepting my token, Am I using wrong authority url ?
UPDATE :我明白我实际上得到的id_token与访问令牌不同。如何从MSAL库获取Access令牌以进行MS GRAPH API调用?:
UPDATE: I have understood that actually I get id_token which is different from access token. How can I get Access token from MSAL library to make MS GRAPH API calls ?:
推荐答案
根据相同的样本您还可以附加一个 HttpInterceptor ,它会自动将访问令牌附加到每个(外部)HTTP电话。
According to the same sample you can also attach an HttpInterceptor that will automatically attach the access token to each (external) HTTP call.
通过阅读文档,我发现了以下信息。
By reading through the documentation I found the following information.
consentScopes:允许客户端表达应同意的范围。范围可以来自多个资源/端点。在此处传递范围只会同意它,并且在客户端实际调用API之前不会获取访问令牌。如果您仅使用MSAL登录(身份验证),则这是可选的。
consentScopes: Allows the client to express the desired scopes that should be consented. Scopes can be from multiple resources/endpoints. Passing scope here will only consent it and no access token will be acquired till the time client actually calls the API. This is optional if you are using MSAL for only login (Authentication).
这表明使用 HttpInterceptor 不仅会附加访问令牌,还会检索它。您看到的令牌可能只是您的应用程序的令牌,但不是Graph API的有效令牌。
That suggests that using the HttpInterceptor doesn't only attach the access token, but also retrieves it. The token that you're seeing is probably just a token for your application, but isn't a valid token for the Graph API.
在内部它使用 getCachedTokenInternal(scopes:Array< string>,user:User)获取特定范围的新访问令牌此处的代码。我不确定您是否也可以使用此方法获取该资源的新令牌。我只想使用拦截器。
Internally it uses getCachedTokenInternal(scopes: Array<string>, user: User) to get a new access token for specific scopes code found here. I'm not sure if you can use this method as well to get a new token for that resource. I would just use the interceptor.
您可以尝试复制访问令牌并查看它在 jwt.ms (Microsoft提供的JWT令牌查看器)或 jwt.io 。
You could try to copy the access token and see how it looks like on jwt.ms (a Microsoft provided JWT token viewer) or jwt.io.
对Graph有效的任何代币应具有受众 https://graph.microsoft.com ,所以如果你检查令牌(在jwt.ms中)它应该至少有这个值。
Any tokens valid for Graph should have the Audience of https://graph.microsoft.com, so if you inspect the token (in jwt.ms) it should at least have this value.
"aud": "https://graph.microsoft.com",
这篇关于Microsoft Graph API令牌验证失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
