Authorization_IdentityNotFound on Microsoft Graph API request


Question

I'm trying to develop an app in my enterprise and I've followed this tutorial to get access to the AD users information. Meaning:

  1. I created an app in https://apps.dev.microsoft.com/
  2. I set User.Read.All in Application Permissions and User.Read in Delegated Permissions

With this done I'm able to successfully login (Azure AD OAuth2 with https://graph.microsoft.com/ as resource and User.Read as scope) and get a correct response from https://graph.microsoft.com/v1.0/me.

  3. Ask the admin for the delegated permissions

With this, my admin can see in the azure portal that my App has both permissions consented by himself.

This is working because I asked a coworker to log in and I could get a correct response from https://graph.microsoft.com/v1.0/me even though he wasn't even prompted to consent to this (before the admin consented the permissions, the user was prompted).

  4. Request a token from https://login.microsoftonline.com/common/oauth2/token with client_credentials as a response_type

Token received!

  5. Do a GET request to https://graph.microsoft.com/v1.0/users and receive:

{
    "error": {
        "code": "Authorization_IdentityNotFound",
        "message": "The identity of the calling application could not be established.",
        "innerError": {
            "request-id": "b2d9ec62-0b65-44eb-9e0f-4aec52b45750",
            "date": "2017-03-22T19:19:48"
        }
    }
}

Furthermore, doing a request to https://graph.microsoft.com/v1.0/me returns:

{
  "error": {
    "code": "BadRequest",
    "message": "Current authenticated context is not valid for this request",
    "innerError": {
      "request-id": "047e2ba9-a858-45fc-a0dd-124e1db503f3",
      "date": "2017-03-22T19:39:25"
    }
  }
}

Which leads me to believe that Microsoft knows this token and knows it is not impersonating any user.

I've been looking for documentation on Azure AD and Microsoft Graph authentication but I only find blog posts and all seem outdated (although most features are in preview). If you could point me in the right direction I would thank you.

I've also found this and this, similar questions on SO, but they both remain unanswered.

Update, after this answer:

Thank you, Dan, I've used my organization domain name and I'm also able to get a token.

Now the response from https://graph.microsoft.com/v1.0/users/ is:

{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "request-id": "3f190b47-73f5-4b29-96f9-54ed3dbc3137",
      "date": "2017-03-23T11:07:15"
    }
  }
}

Which makes no sense because in the azure portal I have User.Read.All as Application Permission (already consented by the admin).

I think the problem is with the request for the token, which returns successfully no matter the scope I send, even if I made one up.

For example:

POST https://login.microsoftonline.com/<domain>/oauth2/token

client_id:*******
client_secret:*******
resource:https://graph.microsoft.com/
grant_type:client_credentials
scope:Foo.Bar

Returns:

{
  "token_type": "Bearer",
  "expires_in": "3599",
  "ext_expires_in": "0",
  "expires_on": "1490271617",
  "not_before": "1490267717",
  "resource": "https://graph.microsoft.com/",
  "access_token": *****
}

Answer

I had two problems, both not covered in the documentation:

  • For client credentials, if the app belongs to a work or school (organization) context then for https://login.microsoftonline.com/common/oauth2/token replace common with a tenantId or domain name (thanks to Dan Kershaw)

  • For https://graph.microsoft.com/v1.0/users or https://graph.microsoft.com/v1.0/users/{id | userPrincipalName} you need the Directory.Read.All permission.

Note:

  • User.Read.All is relevant for Microsoft to stop requesting permissions (delegation) from the user when you ask for User.Read in the OAuth workflow. Check this and other permission-related issues in the Release Notes.
  • I've added this issue to the Microsoft Graph Docs!
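The two fixes in the answer, plus the symptoms in the question (a token that is minted regardless of the scope sent, then Authorization_IdentityNotFound, BadRequest on /me, and finally Authorization_RequestDenied), can be checked locally before a single Graph call is made. The script below is an added example, not code from the question, the answer or Microsoft; every function name in it is hypothetical helper code, the sample token is constructed and unsigned (real Azure AD tokens are signed), and it assumes the v1.0 behaviour the page describes: client_credentials needs a tenant-specific authority, the consented application permissions appear in the token's roles claim, and /users needs Directory.Read.All.

```python
import base64
import json
from urllib.parse import urlencode

# Added example (hypothetical helpers, not from the original post or Microsoft).
GRAPH_RESOURCE = "https://graph.microsoft.com/"


def token_endpoint(tenant: str) -> str:
    """Azure AD (v1.0) token endpoint for a tenant id or verified domain name.

    The client-credentials flow has no signed-in user to resolve a tenant from,
    so the multi-tenant 'common' authority is refused here: a token obtained
    from it makes Graph answer Authorization_IdentityNotFound (first fix in the answer).
    """
    if tenant.strip().lower() == "common":
        raise ValueError("client_credentials needs a tenant id or domain name, not 'common'")
    return f"https://login.microsoftonline.com/{tenant}/oauth2/token"


def client_credentials_body(client_id: str, client_secret: str,
                            resource: str = GRAPH_RESOURCE) -> str:
    """Form body for an app-only token. Deliberately no 'scope': the v1.0
    endpoint does not honour it and grants whatever application permissions the
    admin consented in the portal, which is why a made-up scope still returned a token."""
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
        "grant_type": "client_credentials",
    })


def _b64url_decode(part: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def token_claims(jwt: str) -> dict:
    """Decode the JWT payload to inspect claims. No signature verification:
    this is a local diagnostic only; Graph verifies the signature on its side."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def missing_app_roles(jwt: str, required: list) -> list:
    """App-only tokens carry the consented application permissions in the
    'roles' claim; anything returned here will earn Authorization_RequestDenied."""
    granted = set(token_claims(jwt).get("roles", []))
    return sorted(r for r in required if r not in granted)


# Hints keyed on the error codes quoted in the question, grounded in the answer.
_ERROR_HINTS = {
    "Authorization_IdentityNotFound":
        "app identity not established: request the token from the tenant-specific "
        "endpoint (tenant id or domain name) instead of /common",
    "Authorization_RequestDenied":
        "token is valid but lacks the application permission: /users needs "
        "Directory.Read.All granted and admin-consented; inspect the roles claim",
    "BadRequest":
        "no signed-in user behind an app-only token, so /me has no meaning; "
        "use /users/{id | userPrincipalName} instead",
}


def explain_graph_error(body: dict) -> str:
    code = body.get("error", {}).get("code", "")
    return _ERROR_HINTS.get(code, f"unrecognised error code {code!r}")


def make_unsigned_jwt(claims: dict) -> str:
    """Build a CONSTRUCTED, unsigned token (alg=none) for offline testing only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample: the questioner's situation, User.Read.All consented but not
# Directory.Read.All. The ids are placeholders, not real tenant or app ids.
SAMPLE_TOKEN = make_unsigned_jwt({
    "aud": GRAPH_RESOURCE,
    "tid": "00000000-0000-0000-0000-000000000000",
    "appid": "11111111-1111-1111-1111-111111111111",
    "roles": ["User.Read.All"],
})

if __name__ == "__main__":
    print(token_endpoint("contoso.onmicrosoft.com"))
    print(client_credentials_body("<client_id>", "<client_secret>"))
    print("missing roles for /users:", missing_app_roles(SAMPLE_TOKEN, ["Directory.Read.All"]))
    for code in ("Authorization_IdentityNotFound", "Authorization_RequestDenied", "BadRequest"):
        print(code, "->", explain_graph_error({"error": {"code": code}}))
```

Running it shows the tenant-specific endpoint, a body without any scope parameter, Directory.Read.All reported as missing from the sample token's roles claim, and a remediation hint for each of the three error codes from the question. Against a real token, paste it into `missing_app_roles` before calling Graph: if the role is missing, the fix is a portal-side permission grant and admin consent, not a change to the request.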
