MS Graph, daemon app 401 unauthorized on Files.ReadWrite.All calls


Question

UPDATE: I've received notice from Microsoft that this problem is a bug in the Graph API. They're working on a solution.

I'm using the new v2.0 OAuth flow to authenticate my app for use with Microsoft Graph, to make it able to list any user's files, download and upload files in any user's OneDrive, and set permissions on files. This without the user being logged in, that is, running it as a service account/daemon.

I've set up a new "Converged application" in the new Application Registration Portal. I've set all necessary scopes/application permissions, including Files.ReadWrite.All. (I actually checked all possible boxes...). In the Microsoft Graph docs this should be the only scope necessary when calling the endpoints I'm interested in:

/v1.0/users/{userID}/drive
/v1.0/users/{userID}/drive/items/{ItemID}/children
/v1.0/users/{userID}/drive/items/{ItemID}/content
/v1.0/users/{userID}/drive/items/{ItemID}/invite
/v1.0/users/{userID}/drive/items/{ItemID}/createLink    

Then I've followed the documentation for the Client Credentials flow, including giving Admin Consent to the app for use in my company tenant.

I'm successfully receiving an access token. After receiving the access token I've double checked at jwt.io that the token actually contains all scopes (incl. Files.ReadWrite.All).

I'm able to use this access token to get any user's drive and list any user's files (the first two endpoints listed above). I've also tried to get thumbnails of any user's files, which works fine. But as soon as I try to download a file, add permissions to a file or create a Sharing Link (the last three endpoints listed above), I receive a 401 Unauthorized error. From this, I assume the scope Files.Read.All works fine, but the scope Files.ReadWrite.All is not working.

As far as I can understand from the Scopes documentation, the scopes I'm trying to use should work. In the "App-only permissions requiring administrator's consent" section, it describes Files.ReadWrite.All as:

Allows the app to read, create, update and delete all files in all site collections without a signed in user.

I've hit a wall. Is there some restriction on app-only access with the new v2.0 OAuth tokens and/or Microsoft Graph that I'm missing?
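The question mentions inspecting the token at jwt.io. The following is an added example (not code from the question or from Microsoft) that does the same inspection offline: it splits the compact JWT, decodes the payload, and reports whether the token is app-only and carries the permission needed. One detail worth knowing when reading a client-credentials token: application permissions granted by admin consent appear in the `roles` claim, while delegated scopes appear as a space-separated string in `scp`. The sample token and its dummy signature are constructed inline; no signature verification is done (Graph does that), so this is for diagnosis only.

```python
"""Offline inspection of a Microsoft Graph access token (what jwt.io shows).

Added example, not part of the original question. The token is
constructed here for the demo; in practice pass the string returned by
the client-credentials request. The signature is NOT verified.
"""
import base64
import json
import time
from typing import List, Optional, Set, Tuple

# Both forms are used as the Graph audience in tokens from the v2.0 endpoint.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims: dict) -> Tuple[str, Set[str]]:
    """(kind, permissions): app-only tokens carry application permissions
    in `roles`; delegated tokens carry scopes in the `scp` string."""
    if "roles" in claims:
        return "application", set(claims["roles"])
    if "scp" in claims:
        return "delegated", set(claims["scp"].split())
    return "none", set()


def check_app_only_token(token: str, needed: str, now: Optional[float] = None) -> List[str]:
    """Return a list of problems; an empty list means the token looks usable."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        problems.append("audience is %r, not Microsoft Graph" % claims.get("aud"))
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    kind, perms = granted_permissions(claims)
    if kind != "application":
        problems.append("token is %s, not app-only (no 'roles' claim)" % kind)
    if needed not in perms:
        problems.append("%s not granted; have %s" % (needed, sorted(perms)))
    return problems


def make_sample_token(claims: dict) -> str:
    """Constructed sample token with a dummy signature (demo only)."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "sample-key"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


if __name__ == "__main__":
    tok = make_sample_token({
        "aud": "https://graph.microsoft.com",
        "exp": int(time.time()) + 3600,
        "roles": ["Files.Read.All", "Files.ReadWrite.All"],
    })
    print(check_app_only_token(tok, "Files.ReadWrite.All"))
```

If the list comes back empty for Files.ReadWrite.All, the token itself is not the cause of a 401 and the problem lies with the request, which is what the accepted answer goes on to explain.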

Accepted answer

Closing the loop for those who stumble on this question. There was an issue with Files.ReadWrite.All in App-Only scenarios when it came to uploading or changing permissions of a file.

The issue with downloading is unrelated. Authorization errors when downloading a file stem from passing an Authorization header in the download request. The `/content` endpoint returns a URL that can be used to download the file. This is a pre-authorized URL that exists for a short period of time. Passing an Authorization header in that request results in an error, since it doesn't expect to receive such a header, nor can it determine which credentials it should use (super-oversimplification, but this is the general idea).
