权限不足,无法完成操作 [英] Insufficient privileges to complete the operation
问题描述
我想查询用户的组.根据 https://graph.microsoft.io/en-us/docs/platform /rest 我执行以下步骤:
I want to query user's groups. according to https://graph.microsoft.io/en-us/docs/platform/rest i do the following steps:
-
获取代码
Get Code
https://login.microsoftonline.com/common/oauth2/authorize?
response_type=id_token%20code&
client_id=<MY_CLIENT_ID>&
redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fopenid%2Freturn
response_mode=query&
nonce=F8GtCajiXYKcGBtw&
scope=openid%20https%3A%2F%2Fgraph.microsoft.com%2FGroup.Read.All%20Group.Read.All&
resource=https%3A%2F%2Fgraph.microsoft.com%2F&
state=HTlUWuV5su%2BG4zBE#
https://login.microsoftonline.com/common/oauth2/authorize?
response_type=id_token%20code&
client_id=<MY_CLIENT_ID>&
redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fopenid%2Freturn
response_mode=query&
nonce=F8GtCajiXYKcGBtw&
scope=openid%20https%3A%2F%2Fgraph.microsoft.com%2FGroup.Read.All%20Group.Read.All&
resource=https%3A%2F%2Fgraph.microsoft.com%2F&
state=HTlUWuV5su%2BG4zBE#
注意:提供了3个范围(openid,Group.Read.All, https: //graph.microsoft.com/Group.Read.All )
Note: 3 scopes are provided (openid, Group.Read.All , https://graph.microsoft.com/Group.Read.All)
然后我登录,AAD对我的网站的回复:
and then i login in, AAD response to my web site:
http://localhost:3000/auth/openid/return?
code=<Recieved_Code>&
id_token=<Recieved_id_Token>&
state=xxxx&
session_state=yyy
- 获取access_token
POST https://login.microsoftonline.com/common/oauth2/token
Content-Type: application/x-www-form-urlencoded
{
grant_type=authorization_code
&code=Recieved_Code_from_step_1
&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fopenid%2Freturn
&resource=https%3A%2F%2Fgraph.microsoft.com%2F
&client\_id=
&client\_secret=
}
这将返回JSON
{
"token_type":"Bearer",
"scope":"User.Read",
"resource":"https://graph.microsoft.com/",
"access_token":<Access_token_in_here>,
... other fields
}
注意:仅返回User.Read范围
我使用第2步中的access_token进行查询
I use access_token from step 2) to do query
- 查询用户正常: https://graph.microsoft.com/v1.0/我/
- 禁止查询组: https://graph.microsoft.com/v1.0 /me/memberOf 并显示错误权限不足,无法完成操作."
- Query User is ok: https://graph.microsoft.com/v1.0/me/
- Query Group is forbidden: https://graph.microsoft.com/v1.0/me/memberOf and get error 'Insufficient privileges to complete the operation.'
那么为什么我请求3个作用域的权限,而只获得1个作用域的权限?
So why I request permission for 3 scopes but only get permission for only one scope ?
推荐答案
您的请求正在使用v1端点.该端点不接受范围作为请求的一部分.使用v1,您需要在Azure Active Directory中存储的注册记录中预先配置所需的范围.
Your request is using the v1 endpoint. This endpoint does not accept scopes as part of the request. With v1 you'll need to pre-configure the scopes you require within the registration record stored in Azure Active Directory.
我建议切换到 v2 .这将允许您在代码中声明作用域,并大大简化注册过程.
I would recommend switching to v2. This would allow you declare the scopes within your code and greatly simplify the registration process.
这篇关于权限不足,无法完成操作的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!