请求Microsoft Graph委托权限时,没有为AD B2C用户返回访问令牌 [英] No access token returned for AD B2C user when requesting Microsoft Graph delegated permissions
问题描述
用户故事:假设有一个ADB2C用户,具有全局管理员角色,并且oid代号为 01234567-901a-bcde-f012-3456789abcde (不是真正的oid),我希望能够登录作为该用户,然后从"
在仅分配了Microsoft Graph权限范围的应用程序注册中,我使用邮递员来请求用于访问MS Graph的承载令牌.有一个Web重定向URI( https://oauth.pstmn.io/v1/callback ),一个客户端机密,并且访问令牌和ID令牌均已隐式授予.
请求的范围是: openid offline_access https://graph.microsoft.com/Directory.AccessAsUser.All
同样,B2C用户帐户具有全局管理员角色.
- 隐式流返回错误消息
AADB2C90205:此应用程序对此Web资源没有足够的权限来执行该操作.
- 当包括应用机密时,授权码流缺少访问承载令牌.有一个ID令牌和一个刷新令牌,但没有访问令牌.无论是否将授权发送到外部浏览器,都可以使用PKCE,也可以不使用.
我的租户中的应用具有用户流 B2C_1_postman ,这基本上是默认设置.它与邮递员,其他测试应用程序以及B2C刀片式服务器中的运行用户流程"功能配合良好.
身份验证端点为:
https://{Tenant} .b2clogin.com/{Tenant} .onmicrosoft.com/B2C_1_postman/oauth2/v2.0/authorize 令牌端点为:
https://{Tenant} .b2clogin.com/{Tenant} onmicrosoft.com/B2C_1_postman/oauth2/v2.0/token 我已经通过Microsoft github存储库中的几个桌面演示(现在是Postman)复制了此行为.该应用程序称为邮递员",位于ADB2C租户中.我授予了它的应用程序API范围:
Directory.AccessAsUser.All目录全部读取Directory.ReadWrite.All目录.电子邮件Directory.offline_accessDirectory.profile 此过程反映了 https://github上的桌面演示内容.com/Azure-Samples/active-directory-b2c-dotnet-desktop 进行设置,唯一的例外是我希望我的桌面应用程序使用MS Graph,而不是NodeJS示例应用程序.(如果我添加示例应用程序的端点,则此应用程序注册会很好.但是,指定MS Graph范围始终会返回一个空的访问ID.)
我该如何使用它?
通过Graph API管理用户似乎仍然需要使用应用程序权限.因此,您需要添加应用程序权限,而不是在B2C中向应用程序添加委派权限,在该应用程序中,您将Graph API称为应用程序,而不是代表用户.文档中的说明详细解释了应用程序注册:https://graph.microsoft.com/beta/me" or "https://graph.microsoft.com/beta/users/01234567-901a-bcde-f012-3456789abcde". Both are listed in the documentation as valid endpoints for B2C.
It's not working:
In an app registration with only Microsoft Graph permission scopes assigned, I used postman to request a bearer token for access to MS Graph. There is one Web redirect URI (https://oauth.pstmn.io/v1/callback), one client secret, and implicit grant is on for both access and id tokens.
The scopes requested are: openid offline_access https://graph.microsoft.com/Directory.AccessAsUser.All
Again, the B2C user account has the Global Administrator role.
- The Implicit flow returns the error message
AADB2C90205: This application does not have sufficient permissions against this web resource to perform the operation.
- The Authorization Code flow, when the app secret is included, lacks an access bearer token. There is an ID token and a refresh token, but no access token. That's with and without PKCE, whether or not I send the authorization to an external browser.
The app in my tenant has a user flow, B2C_1_postman, which is basically default. It works just fine with postman, other test apps, and the "Run User Flow" function in the B2C management blade.
The auth endpoint is:
https://{Tenant}.b2clogin.com/{Tenant}.onmicrosoft.com/B2C_1_postman/oauth2/v2.0/authorize
The token endpoint is:
https://{Tenant}.b2clogin.com/{Tenant}onmicrosoft.com/B2C_1_postman/oauth2/v2.0/token
I've duplicated this behavior with a couple of desktop demos from Microsoft's github repository, and now with Postman. The app, called "postman", is in the ADB2C tenant. I granted it the app API scopes of:
Directory.AccessAsUser.All
Directory.Read.All
Directory.ReadWrite.All
Directory.email
Directory.offline_access
Directory.profile
This procedure mirrors what the desktop demo at https://github.com/Azure-Samples/active-directory-b2c-dotnet-desktop sets up, with the single exception being that instead of a NodeJS sample app, I want my desktop app to use MS Graph. (This app registration works just fine if I add the endpoints for the sample app. But specifying the MS Graph scopes always returns an empty access ID.)
How can I get this to work?
Managing users through Graph API still seems to require usage of application permissions. So instead of adding delegated permissions to the app in B2C, you need to add application permissions, where you call the Graph API as the app, not on behalf of the user. The instructions in the docs explain the app registration in detail: https://docs.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-get-started
You need to give this app application permissions to Graph API, not delegated permissions. Then use those app credentials purely to call Graph API. And you need to use the underlying Azure AD's token endpoint instead of your B2C policy token endpoint.
Since your app is a desktop app (a public client app), you'll need to do the Graph API interactions in a back-end service to which you can authenticate with a B2C token acquired on behalf of the user.
这篇关于请求Microsoft Graph委托权限时,没有为AD B2C用户返回访问令牌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
