Insufficient privileges to complete the operation


Question

I want to query a user's groups. According to https://graph.microsoft.io/en-us/docs/platform/rest I do the following steps:

  1. Get Code

https://login.microsoftonline.com/common/oauth2/authorize?response_type=id_token%20code&client_id=<MY_CLIENT_ID>&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fopenid%2Freturn&response_mode=query&nonce=F8GtCajiXYKcGBtw&scope=openid%20https%3A%2F%2Fgraph.microsoft.com%2FGroup.Read.All%20Group.Read.All&resource=https%3A%2F%2Fgraph.microsoft.com%2F&state=HTlUWuV5su%2BG4zBE#

Note: 3 scopes are provided (openid, Group.Read.All , https://graph.microsoft.com/Group.Read.All)

And then I log in, and AAD responds to my web site:

http://localhost:3000/auth/openid/return?
code=<Received_Code>&
id_token=<Received_id_Token>&
state=xxxx&
session_state=yyy

  2. Get access_token


    POST https://login.microsoftonline.com/common/oauth2/token
    Content-Type: application/x-www-form-urlencoded
    {
          grant_type=authorization_code
          &code=Received_Code_from_step_1
          &redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fopenid%2Freturn
          &resource=https%3A%2F%2Fgraph.microsoft.com%2F
          &client_id=
          &client_secret=
    }

This returns the JSON:

{
   "token_type":"Bearer",
   "scope":"User.Read",
   "resource":"https://graph.microsoft.com/",
   "access_token":<Access_token_in_here>,
   ... other fields
}

Note: only the User.Read scope is returned.

I use the access_token from step 2 to do the queries:

  • Querying the user is OK: https://graph.microsoft.com/v1.0/me/
  • Querying groups is forbidden: https://graph.microsoft.com/v1.0/me/memberOf returns the error 'Insufficient privileges to complete the operation.'

So why do I request permission for 3 scopes but only get permission for one scope?

Accepted answer

Your request is using the v1 endpoint. This endpoint does not accept scopes as part of the request. With v1 you'll need to pre-configure the scopes you require within the registration record stored in Azure Active Directory.

I would recommend switching to v2. This would allow you to declare the scopes within your code and greatly simplify the registration process.
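An added example, written for this page and not code from the question or the answer, showing the switch the answer recommends: it builds the v1 request shape the question used (audience chosen by `resource`, permissions taken from the app registration) beside the v2 request shape where the Graph permissions travel in the `scope` parameter, and it decodes the `scp` claim of a returned access token so you can see which delegated scopes were actually granted before calling /me/memberOf (in the question's case that check would have shown only User.Read). The client id, redirect URI, state/nonce handling and the unsigned sample token are placeholders constructed for the example, not values from the page.

```python
"""Added example: v1 vs v2 authorize requests for Microsoft Graph, plus an
inspection of the token's `scp` claim before calling /me/memberOf. Not code
from the original question or answer; client id, redirect URI and the
unsigned sample token are placeholders constructed for this example."""
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

GRAPH = "https://graph.microsoft.com"
LOGIN = "https://login.microsoftonline.com/{tenant}/oauth2/"


def build_v1_authorize_url(client_id, redirect_uri, tenant="common",
                           state=None, nonce=None):
    """v1 shape (what the question used): the audience is chosen by
    `resource`; Graph permissions placed in `scope` are not honoured and
    must instead be declared on the app registration."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "resource": GRAPH + "/",
        "scope": "openid",
        "state": state or secrets.token_urlsafe(16),
        "nonce": nonce or secrets.token_urlsafe(16),
    }
    return LOGIN.format(tenant=tenant) + "authorize?" + urlencode(params)


def build_v2_authorize_url(client_id, redirect_uri, scopes, tenant="common",
                           state=None, nonce=None):
    """v2 shape (what the answer recommends): the requested Graph permissions
    travel in `scope`, fully qualified, e.g.
    https://graph.microsoft.com/Group.Read.All. `state` and `nonce` default
    to fresh random values; store them in the session and compare them on
    the redirect back."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state or secrets.token_urlsafe(16),
        "nonce": nonce or secrets.token_urlsafe(16),
    }
    return LOGIN.format(tenant=tenant) + "v2.0/authorize?" + urlencode(params)


def build_v2_token_request(client_id, client_secret, code, redirect_uri, scopes):
    """Form body for POST .../oauth2/v2.0/token; `scope` is sent again here."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
    }


def authorize_params(url):
    """Parse an authorize URL's query string back into a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def granted_scopes(access_token):
    """Delegated scopes listed in the token's `scp` claim.

    Decodes the payload only; it does not validate the signature and must
    not be used as an authorization decision. It is a debugging aid for the
    situation in the question: seeing `User.Read` alone here tells you the
    /me/memberOf call will fail before you make it."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return set(payload.get("scp", "").split())


def missing_scopes(access_token, required):
    """Scopes from `required` the token does not carry; empty means go ahead."""
    return set(required) - granted_scopes(access_token)


def _fake_token(scp):
    """Constructed, unsigned sample token (alg=none) for offline inspection
    only; real tokens come from the token endpoint and are never hand-built."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=")
    return (enc({"alg": "none", "typ": "JWT"}) + b"." +
            enc({"aud": GRAPH, "scp": scp}) + b".").decode()


if __name__ == "__main__":
    scopes = ["openid", GRAPH + "/Group.Read.All"]
    print(build_v2_authorize_url("<MY_CLIENT_ID>",
                                 "http://localhost:3000/auth/openid/return", scopes))
    # Token mirroring the question's result: only User.Read was granted.
    print(missing_scopes(_fake_token("User.Read"), ["Group.Read.All"]))
```

The `scp` check is only a pre-flight diagnostic; Graph still makes the real authorization decision, and a scope that is missing from the token has to be fixed at the consent step (v2 `scope` parameter, or the v1 app registration), not by retrying the call.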

