Microsoft Graph 401 Unauthorized with access token


Problem description

Unable to get data from the Microsoft Graph API.

import java.io.BufferedReader;
import java.io.DataOutputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.URLConnection;
import java.util.Map;
import javax.net.ssl.HttpsURLConnection;
import com.google.gson.Gson;

// Calls Microsoft Graph with the app-only token; this is the request that returns 401.
private String getUserNamesFromGraph() throws Exception {
    String bearerToken = "Bearer " + getAccessToken();
    String url = "https://graph.microsoft.com/v1.0/users";
    String returnData = null;

    try {
        URL apiURL = new URL(url);
        URLConnection con = apiURL.openConnection();
        con.setRequestProperty("Authorization", bearerToken);
        con.setRequestProperty("Content-Type", "application/json");

        BufferedReader in = new BufferedReader(new InputStreamReader(con.getInputStream()));
        String inputLine;
        StringBuffer response = new StringBuffer();

        while ((inputLine = in.readLine()) != null) {
            response.append(inputLine);
        }
        in.close();

        returnData = response.toString();
        System.out.println(returnData);

    } catch (Exception e) {
        System.out.println(e);
    }

    return returnData;
}

// Requests an app-only token with the OAuth 2.0 client credentials grant.
private String getAccessToken() throws Exception {
    String url = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
    URL obj = new URL(url);
    HttpsURLConnection con = (HttpsURLConnection) obj.openConnection();

    // header
    con.setRequestMethod("POST");
    con.setRequestProperty("User-Agent", "eTarget API");
    con.setRequestProperty("Accept-Language", "en-US,en;q=0.5");

    String urlParameters = "client_id=*** APPLICATION ID FROM APPLICATION REGISTRATION PORTAL ***"
            + "&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default"
            + "&client_secret=*** APPLICATION SECRET FROM APPLICATION REGISTRATION PORTAL ***"
            + "&grant_type=client_credentials";
    // Send post request
    con.setDoOutput(true);
    DataOutputStream wr = new DataOutputStream(con.getOutputStream());
    wr.writeBytes(urlParameters);
    wr.flush();
    wr.close();

    int responseCode = con.getResponseCode();
    System.out.println("\nSending 'POST' request to URL : " + url);
    // The POST parameters are not printed: they contain the client secret.
    System.out.println("Response Code : " + responseCode);

    BufferedReader in = new BufferedReader(new InputStreamReader(con.getInputStream()));
    String inputLine;
    StringBuffer response = new StringBuffer();

    while ((inputLine = in.readLine()) != null) {
        response.append(inputLine);
    }
    in.close();

    // print result (debug output: the response body contains the access token)
    String returnData = response.toString();
    System.out.println(returnData);

    Map<?, ?> jsonTokenData = new Gson().fromJson(returnData, Map.class);
    String accessToken = (String) jsonTokenData.get("access_token");
    //System.out.println(accessToken);

    return accessToken;
}

  • The application is registered
  • I have a method getAccessToken() that successfully returns an access token
  • The method getUserNamesFromGraph() however returns a 401 Unauthorized instead of the expected data.

I've gone through the documentation countless times, trying different variations and endpoints but to no avail. Any ideas appreciated.

Recommended answer

In order for your application to read the users, it has to have an explicitly granted User.Read.All application permission. This permission requires admin consent. Here is one link where it is explained how to grant that permission. You must invoke that interactive consent dialog to grant your application the permissions. Otherwise you will still receive an Insufficient permissions error.

Then here is the complete list of different Microsoft Graph permissions. In your case - a daemon application without user interaction, you have to look at the application permissions and not delegated permissions.

Once you grant appropriate permissions, you will be able to query the users. You do not have to change the scope in your token request. Leave it as it is: https://graph.microsoft.com/.default

Once you make all these changes, you can use https://jwt.ms to check your access token. There you can extract all the claims and check your audience and scope claims to further understand why you get 401 from the Microsoft Graph.
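The claim check that the answer describes doing by hand at https://jwt.ms, as an added Java example (not code from the question or the answer): it decodes the token payload without verifying the signature and reports whether `aud` is Microsoft Graph and whether the `roles` claim, where an app-only token carries its application permissions, contains User.Read.All. The class name, method names and sample token are constructed for illustration; Gson is reused from the question's code, and the two accepted audience values are an assumption about how Graph tokens are issued.

```java
import com.google.gson.Gson;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Map;

public class GraphTokenCheck {
    // Decodes the JWT payload (middle segment). Diagnostic only: the signature is NOT verified.
    static Map<?, ?> claims(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) throw new IllegalArgumentException("not a compact JWT");
        byte[] json = Base64.getUrlDecoder().decode(parts[1]);
        return new Gson().fromJson(new String(json, StandardCharsets.UTF_8), Map.class);
    }

    // Returns the reasons this app-only token would be refused by GET /v1.0/users.
    static List<String> problems(Map<?, ?> c, String requiredRole) {
        List<String> out = new ArrayList<>();
        Object aud = c.get("aud");
        // Assumption: Graph tokens carry either the resource URI or the Graph app ID as audience.
        if (!"https://graph.microsoft.com".equals(aud)
                && !"00000003-0000-0000-c000-000000000000".equals(aud)) {
            out.add("aud is " + aud + ", not Microsoft Graph");
        }
        // Application permissions appear in "roles"; delegated tokens use "scp" instead.
        Object roles = c.get("roles");
        if (!(roles instanceof List) || !((List<?>) roles).contains(requiredRole)) {
            out.add("roles claim lacks " + requiredRole + " (admin consent not granted?)");
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: unsigned token with the right audience but no roles claim.
        String payload = "{\"aud\":\"https://graph.microsoft.com\",\"appid\":\"sample-app-id\"}";
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String sample = enc.encodeToString("{\"alg\":\"none\"}".getBytes(StandardCharsets.UTF_8))
                + "." + enc.encodeToString(payload.getBytes(StandardCharsets.UTF_8)) + ".sig";
        System.out.println(problems(claims(sample), "User.Read.All"));
    }
}
```

Pass the string returned by getAccessToken() to claims() in place of the sample; an empty list means the audience and the User.Read.All role are both present.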
