Requests to MS Graph API gives me "Authorization Request Denied - Insufficient privileges to complete the operation"
I have a question about "Authorization Request Denied - Insufficient privileges to complete the operation" message that I keep getting back from my requests to Windows Graph API.
Specifically, I'm working in Azure cloud. I have an iOS mobile app that invokes an API. I have turned on "Authentication for Active Directory" in my Portal.
Then, on the client side (iOS):
    [self.todoService.client loginWithProvider:@"windowsazureactivedirectory"
                                    controller:self
                                      animated:YES
                                    completion:^(MSUser *user, NSError *error) {
        if (!error && user) {
            [self refresh];
        }
    }]; //loginWithProvider
So it returns a valid MSUser object. I see the web login controller appear, I sign in with my un/pw, and then it lets me access my Easy Table's data...etc.
Now, I want to invoke an Easy API that I've created in Azure called getUserData. Hence, I simply insert the invokeAPI code like this (iOS):
    [self.todoService.client loginWithProvider:@"windowsazureactivedirectory"
                                    controller:self
                                      animated:YES
                                    completion:^(MSUser *user, NSError *error) {
        if (!error && user) {
            //NSMutableDictionary * dict = [NSMutableDictionary dictionary];
            //[dict setObject:@YES forKey:@"complete"];
            NSLog(@"%s - %@", __FUNCTION__, user);
            [self refresh];
            [self.todoService.client invokeAPI:@"getUserData"
                                          body:nil
                                    HTTPMethod:@"POST"
                                    parameters:nil
                                       headers:nil
                                    completion:^(id _Nullable result, NSHTTPURLResponse * _Nullable response, NSError * _Nullable error) {
                NSLog(@"%s - API returned response! ", __FUNCTION__);
                NSLog(@"%@", result); //TODO: user info here!! :D
            }]; //invokAPI
        } //if user returned from AAD login is valid
    }]; //loginWithProvider
Everything is fine as the API is called and I can see the response data.
On the server side (Node JS), I basically do 3 things:
1st is to get the user object id from the request object:
    req.azureMobile.user.getIdentity().then((data) => {
        // get user object ID
    });
2nd, make a request to https://login.windows.net to get an Access Token with a username/password.
    var options = {
        url: "https://login.windows.net/" + tenant_domain + "/oauth2/token?api-version=1.0",
        method: 'POST',
        form: {
            grant_type: "client_credentials",
            resource: "https://graph.windows.net",
            client_id: clientID,
            client_secret: key
        }
    };
    req(options, function (err, resp, body) {
        // get the result back
    });
I get a whole bunch of data back including the Access Token.
3rd, make a request to https://graph.windows.net/, and provide this Access Token along with my User Object ID:
    var options = {
        url: "https://graph.windows.net/" + tenant_domain + "/users/" + objectId + "?api-version=1.0",
        method: 'GET',
        headers: {
            "Authorization": "Bearer " + access_token
        }
    };
This is so that I can get User data. Now, in a separate test Subscription, I set up all the basic read permissions for AAD and Graph in my AAD management. I successfully get the user's full data back like so:
user = {
accountEnabled = 1;
assignedLicenses = (
);
assignedPlans = (
);
city = xxxxxxxxx;
country = xxxxxxxxxx;
department = Dev;
dirSyncEnabled = "<null>";
displayName = xxxxxx;
facsimileTelephoneNumber = "<null>";
givenName = hehe;
jobTitle = "iOS dev";
lastDirSyncTime = "<null>";
mail = "<null>";
mailNickname = "xxxxxxxxxx.com#EXT#";
mobile = "+xx xxx xxxx 3852";
objectId = "xxxxxxx-2c70-4aab-b261-3b2b97dc5c50";
objectType = User;
"odata.metadata" = "https://graph.windows.net/xxxxxxxxxx.onmicrosoft.com/$metadata#directoryObjects/Microsoft.WindowsAzure.ActiveDirectory.User/@Element";
"odata.type" = "Microsoft.WindowsAzure.ActiveDirectory.User";
otherMails = (
"xxxxxxxxxxxx@gmail.com"
);
...etc
}
However, in another subscription, I did the exact same steps. Even going as far as checking all the permissions like so:
I keep getting an "Authorization Request Denied, Insufficient privileges" message. The error is null so I know everything else went through correctly.
I can't figure out why because everything processes through and I checked all of my AAD and Graph permissions.
log result:
-----body------
'{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}'
Thanks for any help, and appreciate everyone's time
You can try to upgrade the role of the AD application you use to an administrator permission. Run the following commands in PowerShell:
    Connect-MsolService
    $ClientIdWebApp = '{your_AD_application_client_id}'
    $webApp = Get-MsolServicePrincipal -AppPrincipalId $ClientIdWebApp
    # Use Add-MsolRoleMember to add it to the "Company Administrator" role.
    Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId
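An added example, not part of the original answer or the poster's code: before granting a role as broad as Company Administrator, decode the token returned by the client_credentials request and check which application permissions it actually carries. It assumes app-only tokens list those permissions in the "roles" claim and that "Directory.Read.All" is the one the user lookup needs; the helper names and sample tokens are constructed.

```javascript
// Added diagnostic example; helper names and sample claims are constructed.
// Decodes claims WITHOUT verifying the signature: for local debugging only.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  // Node's "base64" decoder also accepts the URL-safe alphabet used by JWTs.
  return JSON.parse(Buffer.from(parts[1], "base64").toString("utf8"));
}

// Assumption: app-only tokens list granted application permissions in "roles".
function checkAppToken(token, expectedAudience, requiredRole) {
  const claims = decodeJwtPayload(token);
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  const norm = (s) => String(s || "").replace(/\/$/, "");
  const problems = [];
  if (norm(claims.aud) !== norm(expectedAudience)) {
    problems.push("audience mismatch: " + claims.aud);
  }
  if (!roles.includes(requiredRole)) {
    problems.push("missing application permission: " + requiredRole);
  }
  return { appId: claims.appid, roles, problems };
}

// Pulls code and message out of the odata.error body shown in the question.
function parseGraphError(body) {
  const err = JSON.parse(body)["odata.error"] || {};
  return { code: err.code, message: err.message && err.message.value };
}

// Builds an unsigned, constructed token so the example runs offline.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return [enc({ alg: "none", typ: "JWT" }), enc(claims), "constructed"].join(".");
}

const sampleDenied = makeSampleToken({
  aud: "https://graph.windows.net/", appid: "<placeholder-client-id>", roles: [],
});
const sampleGranted = makeSampleToken({
  aud: "https://graph.windows.net/", appid: "<placeholder-client-id>",
  roles: ["Directory.Read.All"],
});
console.log(checkAppToken(sampleDenied, "https://graph.windows.net", "Directory.Read.All"));
console.log(checkAppToken(sampleGranted, "https://graph.windows.net", "Directory.Read.All"));
```

An empty "roles" list on a token that was issued without error matches the symptom in the question: the token request succeeds, and the directory read is what gets refused.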