MS Graph,守护程序应用程序 401 在 Files.ReadWrite.All 调用上未经授权 [英] MS Graph, daemon app 401 unauthorized on Files.ReadWrite.All calls
问题描述
更新:我已收到 Microsoft 的通知,指出此问题是 Graph API 中的错误.他们正在研究解决方案.
UPDATE: I've received notice from Microsoft that this problem is a bug in the Graph API. They're working on a solution.
我正在使用新的 v2.0 OAuth 流程对我的应用进行身份验证,以便与 Microsoft Graph 一起使用,使其能够列出任何用户文件、下载和上传任何用户 OneDrive 中的文件以及设置文件权限.这无需用户登录,即作为服务帐户/守护程序运行.
I'm using the new v2.0 OAuth flow to authenticate my app for use with Microsoft Graph to make it able to list any users files, download and upload files in any users OneDrive and set permissions to files. This without the user being logged in, that is running it as a service account/daemon.
我在新的应用程序注册门户中设置了一个新的融合应用程序".我已经设置了所有必要的范围/应用程序权限,包括 Files.ReadWrite.All.(我实际上检查了所有可能的框......).在 Microsoft Graph 文档中,这应该是调用我感兴趣的端点时唯一需要的范围:
I've set up a new "Converged application" in the new Application Registration Portal. I've set all necessary scopes/application permission, including Files.ReadWrite.All. (I actually checked all possible boxes...). In the Microsoft Graph docs this should be the only scope necessary when calling the endpoints I'm interested in:
/v1.0/users/{userID}/drive
/v1.0/users/{userID}/drive/items/{ItemID}/children
/v1.0/users/{userID}/drive/items/{ItemID}/content
/v1.0/users/{userID}/drive/items/{ItemID}/invite
/v1.0/users/{userID}/drive/items/{ItemID}/createLink
然后我遵循 客户凭证流程,包括向应用程序授予管理员同意,以便在我的公司租户中使用.
Then I've followed the documentation for the Client Credentials flow, including giving Admin Consent to the app for use in my company tenant.
我已成功收到访问令牌.收到访问令牌后,我在 jwt.io 仔细检查了令牌实际上包含所有范围(包括.Files.ReadWrite.All).
I'm successfully receiving an access token. After receiving the access token I've double checked at jwt.io that the token actually contains all scopes (incl. Files.ReadWrite.All).
我可以使用此访问令牌来获取任何用户的驱动器并列出任何用户文件(上面列出的前两个端点).我还尝试获取任何工作正常的用户文件的缩略图.但是,当我尝试下载文件、向文件添加权限或创建共享链接(上面列出的最后三个端点)时,我会收到 401 Unauthorized 错误.由此,我假设范围 Files.Read.All 工作正常,但范围 Files.ReadWrite.All 不工作.
I'm able to use this access token to get any user's drive and list any users files (the first two endpoints listed above). I've also tried to get thumbnails of any users files which works fine. But as soon as I try to download a file, add permissions to a file or create a Sharing Link (the last three endpoints listed above), I receive an 401 Unauthorized error. From this, I assume the scope Files.Read.All works fine, but the scope Files.ReadWrite.All is not working.
至于我可以从 Scopes 文档中了解的内容,我尝试使用的范围应该可以工作.在需要管理员同意的应用程序权限"部分,它将 Files.ReadWrite.All 描述为:
As to what I can understand from the Scopes documentation, the scopes I'm trying to use should work. It the "App-only permissions requiring administrator's consent" section, it describes Files.ReadWrite.All as:
允许应用在没有登录用户的情况下读取、创建、更新和删除所有网站集中的所有文件.
Allows the app to read, create, update and delete all files in all site collections without a signed in user.
我碰壁了.新的 v2.0 OAuth 令牌和/或 Microsoft Graph 是否存在关于我缺少的仅限应用程序访问的限制?
推荐答案
为那些偶然发现这个问题的人关闭循环.在上传或更改文件权限时,Files.ReadWrite.All 在 App-Only 场景中存在问题.
Closing the loop for those who stumble on this question. There was an issue with Files.ReadWrite.All in App-Only scenarios when it came to uploading or changing permissions of a file.
与下载的问题无关.下载文件时的授权错误源于在下载请求中传递了授权标头.`/content/端点返回可用于下载文件的 URL.这是一个短时间存在的预授权 URL.在该请求中传递 Authorization 标头会导致错误,因为它不希望收到这样的标头,也无法确定它应该使用哪些凭据(超级简化,但这是一般的想法).
The issue with downloading is unrelated. Authorization errors when downloading a file stem from passing an Authorization header in the download request. The `/content/ endpoint returns a URL that can be used to download the file. This is a pre-authorized URL that exists for a short period of time. Passing an Authorization header in that request results in an error since it doesn't expect to receive such a header, nor can it determine which credentials it should use (super-oversimplification but this the general idea).
这篇关于MS Graph,守护程序应用程序 401 在 Files.ReadWrite.All 调用上未经授权的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
