当应用程序权限读取共享点站点时，令牌中需要存在 scp 或角色声明 [英] Either scp or roles claim need to be present in the token using when application permissions to read sharepoint sites

问题描述

我在 Azure 中创建了一个应用程序并将其设置为使用访问和 ID 令牌.

I created an app in Azure and set it up to use Access and ID tokens.

我想连接到不同的租户并阅读 SharePoint 网站.以下是我请求并获得管理员同意的权限:

I want to connect to different tenants and read SharePoint sites. Here are the permissions I've requested and received Admin Consent for:

目前，我已经设置了一个 App Secret，但我计划稍后转移到证书.

For now, I have set up an App Secret but I do plan to move to a certificate later.

我有这个代码来获取访问令牌，我确实得到了一个访问令牌:

I have this code to get the access token and I do get an access token back:

const params = new URLSearchParams();
params.append("grant_type", "client_credentials");
params.append("scope", "https://graph.microsoft.com/.default");
params.append("client_id", process.env.client_id);
params.append("client_secret", process.env.client_secret);

var url = `https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token`;
const response = await fetch(url,
    {
        method: 'POST',
        body: params,
        headers: { 'Content-Type': 'application/x-www-form-urlencoded' }
    }
);

但是当我尝试阅读下面的根站点时

However when I try to read the root site below

var url = "https://graph.microsoft.com/v1.0/sites?search=*";
const response = await fetch(url,
    {
        method: 'GET',
        headers: { 'Authorization': `Bearer ${access_token}` }
    }
);

我收到此错误:

error: { 
    code: 'AccessDenied',
    message: 'Either scp or roles claim need to be present in the token.',
    innerError: { 
        'request-id': 'ec47913f-2624-4d1c-9b27-5baf05ccebfd',
        date: '2019-08-16T14: 15: 37'
    }
}

我在 https://jwt.io/ 检查了令牌，确实我没有看到任何条目roles 或 scp.

I checked the token at https://jwt.io/ and indeed I do not see any entry for roles or scp.

我好像漏了一步，但我不知道是哪一步.

It looks like I missed a step but I cannot figure out which step.

我得到这样的令牌:

https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token 

我做错了什么?

推荐答案

首先要了解的是，您不能同时获得 Application 和 Delegated 权限，这是一个非此即彼的场景.您收到的类型完全取决于您用于请求令牌的 OAuth 授权:

The first thing to understand is that you cannot receive both Application and Delegated permissions in the same token, it is an either/or scenario. Which type you receive depends entirely on which OAuth Grant you used to request the token:

• 授权代码和隐式返回具有 scp 属性的委托令牌
• 客户端凭据返回具有 roles 属性的应用程序令牌

• Authorization Code and Implicit return Delegated tokens with an scp property
• Client Credentials return Application tokens with a roles property

第二件事是您请求了两个不同 API 的范围.根据您的选择，您将无法通过 Microsoft Graph 访问 SharePoint，因为您只请求访问旧 SharePoint API.更重要的是，您只为 Graph 请求了 Delegated User.Read 范围，因此当您使用客户端凭据获取令牌时，该令牌将没有任何权限.

The second thing is that you've requested scopes to two different APIs. Based on what you've selected, you won't have access to SharePoint through the Microsoft Graph because you've only requested access to the legacy SharePoint API. More importantly, you've only requested the Delegated User.Read scope for Graph so when you use Client Credentials to obtain the token, that token won't have any permissions.

为了获得用于阅读 SharePoint 网站的应用程序令牌，您需要 Sites.Read.All Microsoft Graph 应用程序权限已选中.

In order to obtain an Application token for reading SharePoint sites, you'll need Sites.Read.All Microsoft Graph Application permission selected.

这篇关于当应用程序权限读取共享点站点时，令牌中需要存在 scp 或角色声明的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！