Microsoft Graph API 令牌验证失败 [英] Microsoft Graph API token validation failure

问题描述

我会在我的 Angular Web 应用程序中使用 Microsoft Graph API.

I would use Microsoft Graph API in my Angular Web application.

首先我使用 msal 库当我尝试使用我的个人资料登录时，出现此错误

First I make connexion using msal library When I try log in with my profil I get this error

我已将我的应用程序配置为官方 git 示例

I have configured my app as the mentionned in the official git sample

MsalModule.forRoot({
  clientID: "Tenant ID",
  authority: "https://login.microsoftonline.com/common/",
  redirectUri: "http://localhost:4200/",
  validateAuthority : true,
  popUp: true
}),

身份验证有效，我得到了令牌.

Authetification is working and I get the token.

然后，当我在主页中时，我向 Microsoft Graph API 发出第二个请求，以使用该令牌获取用户信息.

Then when I'm in home page I make a second request to Microsoft Graph API to get user information using that token.

getProfile() {
  let header= new Headers();
  let tokenid= sessionStorage.getItem('msal.idtoken'); 
  header.set('Authorization', 'Bearer ' + tokenid)
  let url ="https://graph.microsoft.com/v1.0/me/"
  return this.http.get(url,{headers:header});
}

}

我收到一个 401 Unauthorized 错误响应:

I get an 401 Unauthorized error with a response :

{
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "Access token validation failure.",
    "innerError": {
      "request-id": "xxxxxx",
      "date": "2018-10-09T22:58:41"
    }
  }
}

我不知道为什么 MG API 不接受我的令牌，是我使用了错误的权限 url 吗?

I don't know why MG API is not accepting my token, Am I using wrong authority url ?

更新:我知道实际上我得到了与访问令牌不同的 id_token.如何从 MSAL 库中获取访问令牌以进行 MS GRAPH API 调用?:

UPDATE: I have understood that actually I get id_token which is different from access token. How can I get Access token from MSAL library to make MS GRAPH API calls ?:

推荐答案

问题是您使用的是 id_token 而不是访问令牌:

The issue is that you're using the id_token instead of the access token:

let tokenid= sessionStorage.getItem('msal.idtoken');

变成这样:

让 tokenid= sessionStorage.getItem('msal.token');//或 msal.accesstoken

更新(根据菲利普的评论)

您需要选择要在应用程序中定位的范围.因此，您似乎需要用户配置文件，因此您需要添加许可范围属性来指定您的应用将使用哪些范围:

You need to select the scopes that you want to target in your application. So, it looks like you want the user profile, so you'll want to add the consentScopes property to specify which scopes your app will use:

MsalModule.forRoot({
  clientID: "Tenant ID",
  authority: "https://login.microsoftonline.com/common/",
  redirectUri: "http://localhost:4200/",
  validateAuthority : true,
  popUp: true,
  consentScopes: ["user.read"]
}),

这篇关于Microsoft Graph API 令牌验证失败的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！