使用图谱API在Azure Active Directory中创建应用程序失败 [英] Create application in Azure Active Directory using graph API fails
问题描述
我正在尝试使用Azure Active Directory Graph API(与Azure GraphClient nuget程序包一起)在Azure AD中创建一个新应用程序.
I'm trying to use the Azure Active Directory Graph API (with the Azure GraphClient nuget package) to create a new application in Azure AD.
我已经使用现有的AAD应用程序进行了身份验证,因此我对该目录具有写权限.
I've authenticated using an existing AAD application, so I have write access to the directory.
但是,当创建新的应用程序对象时,Azure Graph API返回此错误:
However, when creating the new application object the Azure Graph API returns this error:
{"odata.error": {
"code":"Request_BadRequest",
"message": {
"lang":"en",
"value":"Property value cannot have duplicate id or claim values."
},
"values":
[{
"item":"PropertyName",
"value":"None"
},
{
"item":"PropertyErrorCode",
"value":"DuplicateValue"
}
]
}
}
它没有说哪个属性具有重复的ID或声明值-错误消息中有两个空格,好像缺少名称一样.
It doesn't say which property has a duplicate id or claim value - there are two spaces in the error message as if the name is missing.
创建Application对象的代码是这样的:
The code which creates the Application object is this:
var appname = "Test Application create " + DateTime.Now.Ticks;
var application = new Application()
{
AvailableToOtherTenants = false,
DisplayName = appname,
ErrorUrl = null,
GroupMembershipClaims = null,
Homepage = "http://www.domain.com",
IdentifierUris = new List<string>() {{"https://domain.com/"+ appname } },
KeyCredentials = new List<KeyCredential>(),
KnownClientApplications = new List<Guid>(),
LogoutUrl = null,
Oauth2AllowImplicitFlow = false,
Oauth2AllowUrlPathMatching = false,
Oauth2Permissions = new List<OAuth2Permission>()
{
{
new OAuth2Permission()
{
AdminConsentDescription =
$"Allow the application to access {appname} on behalf of the signed-in user.",
AdminConsentDisplayName = $"Access {appname}",
Id = Guid.NewGuid(),
IsEnabled = true,
Type = "User",
UserConsentDescription =
$"Allow the application to access {appname} on your behalf.",
UserConsentDisplayName = $"Access {appname}",
Value = "user_impersonation"
}
}
},
Oauth2RequirePostResponse = false,
PasswordCredentials = new List<PasswordCredential>(),
PublicClient = false,
ReplyUrls = new List<string>(),
RequiredResourceAccess = new List<RequiredResourceAccess>(),
SamlMetadataUrl = null,
ExtensionProperties = new List<ExtensionProperty>(),
Manager = null,
ObjectType = "Application",
DeletionTimestamp = null,
CreatedOnBehalfOf = null,
CreatedObjects = new List<DirectoryObject>(),
DirectReports = new List<DirectoryObject>(),
Members = new List<DirectoryObject>(),
MemberOf = new List<DirectoryObject>(),
Owners = new List<DirectoryObject>(),
OwnedObjects = new List<DirectoryObject>()
};
await client.Applications.AddApplicationAsync(application);
我想念财产吗?似乎没有任何非唯一属性,并且应用程序是用唯一名称创建的.
Am I missing a property? There doesn't seem to be any non-unique properties, and the application is created with a unique name.
推荐答案
错误消息确实非常令人困惑,但是问题是您正在尝试定义 scope 值(user_impersonation)已经定义了.
The error message is indeed very confusing, but the problem is that you are trying to define a scope value (user_impersonation) that is already defined.
如果运行此代码,则会发现该应用程序已在目录中成功创建:
If you run this code, you'll find that the application is created successfully in your directory:
var appname = "Test Application create " + DateTime.Now.Ticks;
var application = new Application()
{
AvailableToOtherTenants = false,
DisplayName = appname,
ErrorUrl = null,
GroupMembershipClaims = null,
Homepage = "http://www.domain.com",
IdentifierUris = new List<string>() {{"https://domain.com/"+ "Test" } },// CHANGED LINE
KeyCredentials = new List<KeyCredential>(),
KnownClientApplications = new List<Guid>(),
LogoutUrl = null,
Oauth2AllowImplicitFlow = false,
Oauth2AllowUrlPathMatching = false,
Oauth2Permissions = new List<OAuth2Permission>()
{
{
new OAuth2Permission()
{
AdminConsentDescription =
$"Allow the application to access {appname} on behalf of the signed-in user.",
AdminConsentDisplayName = $"Access {appname}",
Id = Guid.NewGuid(),
IsEnabled = true,
Type = "User",
UserConsentDescription =
$"Allow the application to access {appname} on your behalf.",
UserConsentDisplayName = $"Access {appname}",
Value = "custom_scope" // CHANGED LINE
}
}
},
Oauth2RequirePostResponse = false,
PasswordCredentials = new List<PasswordCredential>(),
PublicClient = false,
ReplyUrls = new List<string>(),
RequiredResourceAccess = new List<RequiredResourceAccess>(),
SamlMetadataUrl = null,
ExtensionProperties = new List<ExtensionProperty>(),
Manager = null,
ObjectType = "Application",
DeletionTimestamp = null,
CreatedOnBehalfOf = null,
CreatedObjects = new List<DirectoryObject>(),
DirectReports = new List<DirectoryObject>(),
Members = new List<DirectoryObject>(),
MemberOf = new List<DirectoryObject>(),
Owners = new List<DirectoryObject>(),
OwnedObjects = new List<DirectoryObject>()
};
await client.Applications.AddApplicationAsync(application);
此外,您的IdentifierUris不能包含空格,因此我将其更改为硬编码字符串.
Also, your IdentifierUris cannot contain spaces, so I've changed it to a hardcoded string.
HTH
这篇关于使用图谱API在Azure Active Directory中创建应用程序失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
