使用client_credentials Azure AD Graph API进行授权时遇到麻烦 [英] Trouble with authorization using client_credentials Azure AD Graph API

问题描述

我正在尝试将OAuth client_credentials 与 Windows Microsoft Azure一起使用。我可以成功生成一个 access_token ，但在尝试访问 https://graph.windows.net/mydomain.com/users?api- version = 2013-04-05 我得到了 403 Forbidden 。

我在做什么错？我认为我没有要求获得足够授权的 access_token ，但是我找不到/猜测其他资源或要添加的参数。

我当前的流量

请求

 > POST /mydomain.com/oauth2/令牌HTTP / 1.1 
>主持人：login.windows.net 
>内容类型：application / x-www-form-urlencoded 
 grant_type = client_credentials 
& client_id = {client_id} 
& client_secret = {client_secret} 
& resource = https://graph.windows.net 
  

响应

 < HTTP / 1.1 200 OK 
<内容类型：application / json; charset = utf-8 
 {
 access_token：< string>，
 token_type： Bearer，
 expires_in：< seconds> ，
 expires_on：< timestamp>，
资源： https://graph.windows.net 
} 
  

请求

 > GET /mydomain.com/users 
> ？api-version = 2013-04-05 HTTP / 1.1 
>主持人：graph.windows.net 
>授权：Bearer {access_token} 
  

响应

 < HTTP / 1.1 403禁止
 {
 odata.error：{
 code： Authorization_RequestDenied，
 message：{
 lang：  en，
值：特权不足，无法完成操作。 
} 
} 
} 
  

注意：我得到403未经授权如果我错过或弄乱 {access_token} 。

解决方案

根据我的评论，您需要确保从门户的其他应用程序的权限下拉菜单中选择了适当的权限，否则将不会授予访问权限。有关更多信息，请参见此页面。 / p>

I am trying to use OAuth client_credentials with Windows Microsoft Azure. I can successfully generate an access_token but get when I try and access https://graph.windows.net/mydomain.com/users?api-version=2013-04-05 I get 403 Forbidden.

What am I doing wrong? I think I'm not requestion a sufficiently authorized access_token but I cannot find/guess other resource or params to add.

My current flow

Request

> POST /mydomain.com/oauth2/token HTTP/1.1
> Host: login.windows.net
> Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
&client_id={client_id}
&client_secret={client_secret}
&resource=https://graph.windows.net

Response

< HTTP/1.1 200 OK
< Content-Type: application/json; charset=utf-8
{
  "access_token": "<string>",
  "token_type": "Bearer",
  "expires_in": "<seconds>",
  "expires_on": "<timestamp>",
  "resource": "https://graph.windows.net"
}

Request

> GET /mydomain.com/users
>   ?api-version=2013-04-05 HTTP/1.1
> Host: graph.windows.net
> Authorization: Bearer {access_token}

Response

< HTTP/1.1 403 Forbidden
{
  "odata.error": {
    "code": "Authorization_RequestDenied",
    "message": {
        "lang": "en",
        "value": "Insufficient privileges to complete the operation."
    }
  }
}

Note: I get 403 Unauthorized if I miss out or mess with the {access_token}.

解决方案

Per my comment, you need to make sure that you've selected the proper permissions from the "permissions to other applications" drop-down in the portal, otherwise access won't be granted. See this page in the documentation for more information.

这篇关于使用client_credentials Azure AD Graph API进行授权时遇到麻烦的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！