Microsoft Graph API-v1.0/me/event禁止使用403 [英] Microsoft Graph API - 403 Forbidden for v1.0/me/events

问题描述

我正在建立一个页面，其中包含对Microsoft Graph的无数次调用，它们分别指向不同的端点:获取OneDrive文件，电子邮件，用户属性等.

I'm building a page with numerous calls to Microsoft Graph to different end points: to get OneDrive files, emails, user properties, etc.

一个无效的调用是获取当前用户的日历事件.我正在使用的终点是https://graph.microsoft.com/v1.0/me/events.响应是403 Forbidden.

The one call that does not work is to get the current user's calendar events. The end point I'm using is https://graph.microsoft.com/v1.0/me/events. The response is 403 Forbidden.

根据Microsoft文档此处应用程序需要Calendars.Read或Calendars.ReadWrite权限.我在已授权权限下检查了这两个选项，但仍然是相同的问题.然后，我在此应用程序的Azure AD中选中了所有51个权限范围，并且仍然是相同的问题.

According to the Microsoft documentation here the application needs Calendars.Read or Calendars.ReadWrite permissions. I checked both of these under delegated permissions and still the same problem. I then ticked all 51 permission scopes in Azure AD for this app, and still the same problem.

我还尝试在Azure AD中创建一个新应用，但这无济于事.

I also tried creating a new app in Azure AD, but this did not help.

如何使用Microsoft Graph来获取当前用户的日历事件?我想念什么?

How can I use Microsoft Graph to get back the current user's calendar events? What am I missing?

我正在使用ADAL.js进行身份验证.这是我自己的doAuth函数中包含的代码，其中包含应用程序的客户端ID.

I'm using ADAL.js for authentication. This is the code I have in my own doAuth function that takes in the client ID of the application.

function doAuth(clientId) {
    var variables = {
        // Domain of Azure AD tenant
        azureAD: // the appropriate URL,
        // ClientId of Azure AD application principal
        clientId: clientId,
        // Name of SharePoint tenant
        sharePointTenant: // the appropriate URL
    }

    // Create config and get AuthenticationContext
    window.config = {
        tenant: variables.azureAD,
        clientId: variables.clientId,
        postLogoutRedirectUri: window.location.origin,
        endpoints: {
            graphApiUri: "https://graph.microsoft.com",
            sharePointUri: "https://" + variables.sharePointTenant + ".sharepoint.com",
        },
        cacheLocation: "localStorage"
    }

    var authContext = new AuthenticationContext(config);
    var isCallback = authContext.isCallback(window.location.hash);
    authContext.handleWindowCallback();

    if (isCallback && !authContext.getLoginError()) {

        window.location = authContext._getItem(authContext.CONSTANTS.STORAGE.LOGIN_REQUEST);
    }

    var user = authContext.getCachedUser();
    var token = authContext.getCachedToken(clientId);

    if (!user || !token)
        authContext.login();

    return authContext
}

推荐答案

听起来好像您已经更改了分配给应用程序的作用域.发生这种情况时，您还需要使用这些新作用域对用户进行重新授权.为此，将&prompt=consent添加到初始ODATA重定向的查询字符串中.这将迫使您将新范围显示给用户进行授权.

It sounds like you've changed the scopes assigned to the application. When this happens you also need to have user's reauthorize using those new scopes. To do this, add &prompt=consent to the query string of your initial ODATA redirect. This will force your new scopes to be presented to the user for authorization.

您可以使用配置中的extraQueryParameter参数在ADAL.js库中触发此操作:

You can trigger this in the ADAL.js library using the extraQueryParameter parameter in your configuration:

// Create config and get AuthenticationContext
window.config = {
    tenant: variables.azureAD,
    clientId: variables.clientId,
    postLogoutRedirectUri: window.location.origin,
    endpoints: {
        graphApiUri: "https://graph.microsoft.com",
        sharePointUri: "https://" + variables.sharePointTenant + ".sharepoint.com",
    },
    cacheLocation: "localStorage",
    extraQueryParameter: "prompt=consent"
}

这篇关于Microsoft Graph API-v1.0/me/event禁止使用403的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！