OneDrive/SharePoint OAuth无效的受众群体错误 [英] OneDrive/SharePoint OAuth invalid audience error

问题描述

我的目标是编写一些代码，以使Office 365用户能够通过REST API访问OneDrive for Business中的文件.我已经在Azure AD(Web应用程序/多租户)中注册了一个应用程序，并添加了访问SharePoint Online的权限.我想使用使用OAuth委派用户身份"方案，在该方案中，我的应用使用用户模拟通过REST API访问OneDrive for Business.

My goal is to write some code to enable an Office 365 user to access files in OneDrive for Business via REST API. I have registered an application in Azure AD (Web App/multi tenant) and added permissions to access SharePoint online. I want to use the "delegated user identity with OAuth" scenario where my app accesses OneDrive for Business via REST APIs using user impersonation.

应用清单中的权限如下:

The permissions in the app's manifest like this:

"oauth2Permissions":[ { "adminConsentDescription":允许应用程序代表登录用户访问AppName."， "adminConsentDisplayName":"AppName"， "id":"xxx"， "isEnabled":是， "origin":应用程序"， "type":用户"， "userConsentDescription":允许应用程序代表您访问AppName."， "userConsentDisplayName":"AppName"， "value":"user_impersonation" }

"oauth2Permissions": [ { "adminConsentDescription": "Allow the application to access AppName on behalf of the signed-in user.", "adminConsentDisplayName": "AppName", "id": "xxx", "isEnabled": true, "origin": "Application", "type": "User", "userConsentDescription": "Allow the application to access AppName on your behalf.", "userConsentDisplayName": "AppName", "value": "user_impersonation" }

该应用程序请求(OneDrive for Business)用户登录Office365以获取授权码(发送到已注册的重定向URL)，并使用它来检索访问令牌(通过POST到我应用程序的令牌端点).返回的JWT中的"aud"字段设置为我的客户端ID.对于SharePoint Online，应该使用类似于"00000003-0000-0ff1-ce00-000000000000"的内容吗?

The app requests the (OneDrive For Business) user to log into Office365 to get an authorization code (sent to the registered redirect URL) and use it to retrieve an access token (via a POST to my app's token endpoint). The "aud" field in the returned JWT is set to my client ID. Should it be something like "00000003-0000-0ff1-ce00-000000000000" instead for SharePoint Online ?

当我尝试使用访问令牌作为请求标头中的载体在https://{tenant} -my.sharepoint.com/_api/v1.0/me/上发出GET时，会收到一个错误401:错误:无效的客户端"，错误:无效的受众群体URI:https://{tenant} -my.sharepoint.com/".这指向某处的配置错误，但我无法确定需要更改的地方.

When I try to issue a GET at https://{tenant}-my.sharepoint.com/_api/v1.0/me/ using the access token as a bearer in the header of the request, I get an error 401: "error: invalid client", "error: invalid audience URI:https://{tenant}-my.sharepoint.com/". This points to a configuration error somewhere but I cannot figure out what needs to change.

推荐答案

aud =令牌的受众.当令牌发布给客户端应用程序时，访问者是客户端的client_id.您可能想尝试使用Discovery Service API来检查服务端点(

aud = Audience of the token. When the token is issued to a client application, the audience is the client_id of the client. You might want to try using the Discovery Service API to check your service endpoints (https://msdn.microsoft.com/en-us/office/office365/howto/discover-service-endpoints) . There error shows that the audience URI is invalid so the service might not be running on the URL that you are making the call to (i.e. https://{tenant}-my.sharepoint.com/_api/v1.0/me/). Following the link above should help you isolate the problem. I hope that helps.

这篇关于OneDrive/SharePoint OAuth无效的受众群体错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！