OneDrive/SharePoint OAuth 无效受众错误 [英] OneDrive/SharePoint OAuth invalid audience error

问题描述

我的目标是编写一些代码，使 Office 365 用户能够通过 REST API 访问 OneDrive for Business 中的文件.我已在 Azure AD(Web 应用程序/多租户)中注册了一个应用程序，并添加了访问 SharePoint 在线的权限.我想使用使用 OAuth 委派用户身份"方案，其中我的应用程序使用用户模拟通过 REST API 访问 OneDrive for Business.

My goal is to write some code to enable an Office 365 user to access files in OneDrive for Business via REST API. I have registered an application in Azure AD (Web App/multi tenant) and added permissions to access SharePoint online. I want to use the "delegated user identity with OAuth" scenario where my app accesses OneDrive for Business via REST APIs using user impersonation.

应用清单中的权限如下:

The permissions in the app's manifest like this:

"oauth2Permissions": [{"adminConsentDescription": "允许应用代表登录用户访问 AppName.","adminConsentDisplayName": "AppName","id": "xxx",已启用":真，"origin": "应用程序","type": "用户","userConsentDescription": "允许应用代表您访问 AppName.","userConsentDisplayName": "AppName",值":user_impersonation"}

"oauth2Permissions": [ { "adminConsentDescription": "Allow the application to access AppName on behalf of the signed-in user.", "adminConsentDisplayName": "AppName", "id": "xxx", "isEnabled": true, "origin": "Application", "type": "User", "userConsentDescription": "Allow the application to access AppName on your behalf.", "userConsentDisplayName": "AppName", "value": "user_impersonation" }

应用程序请求 (OneDrive For Business) 用户登录 Office365 以获取授权代码(发送到注册的重定向 URL)并使用它来检索访问令牌(通过 POST 到我的应用程序的令牌端点).返回的 JWT 中的aud"字段设置为我的客户端 ID.对于 SharePoint Online，它应该类似于00000003-0000-0ff1-ce00-000000000000"吗?

The app requests the (OneDrive For Business) user to log into Office365 to get an authorization code (sent to the registered redirect URL) and use it to retrieve an access token (via a POST to my app's token endpoint). The "aud" field in the returned JWT is set to my client ID. Should it be something like "00000003-0000-0ff1-ce00-000000000000" instead for SharePoint Online ?

当我尝试在 https://{tenant}-my.sharepoint.com/_api/v1.0/me/上使用访问令牌作为请求标头中的承载者发出 GET 时，我得到一个错误 401:错误:无效的客户端"，错误:无效的受众 URI:https://{tenant}-my.sharepoint.com/".这表明某处存在配置错误，但我不知道需要更改什么.

When I try to issue a GET at https://{tenant}-my.sharepoint.com/_api/v1.0/me/ using the access token as a bearer in the header of the request, I get an error 401: "error: invalid client", "error: invalid audience URI:https://{tenant}-my.sharepoint.com/". This points to a configuration error somewhere but I cannot figure out what needs to change.

推荐答案

aud = 令牌的受众.当令牌颁发给客户端应用程序时，受众是客户端的 client_id.您可能想尝试使用 Discovery Service API 检查您的服务终结点 (https://msdn.microsoft.com/en-us/office/office365/howto/discover-service-endpoints).有错误显示受众 URI 无效，因此服务可能未在您调用的 URL 上运行(即 https://{tenant}-my.sharepoint.com/_api/v1.0/me/).按照上面的链接应该可以帮助您隔离问题.我希望这会有所帮助.

aud = Audience of the token. When the token is issued to a client application, the audience is the client_id of the client. You might want to try using the Discovery Service API to check your service endpoints (https://msdn.microsoft.com/en-us/office/office365/howto/discover-service-endpoints) . There error shows that the audience URI is invalid so the service might not be running on the URL that you are making the call to (i.e. https://{tenant}-my.sharepoint.com/_api/v1.0/me/). Following the link above should help you isolate the problem. I hope that helps.

这篇关于OneDrive/SharePoint OAuth 无效受众错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！