掌握graph.microsoft.com错误的请求响应，失踪UPN和PUID索赔 [英] Getting Bad Request Response with graph.microsoft.com, missing UPN and PUID claims

问题描述

我们正在尝试使用Office 365统一的API，使对graph.microsoft.com请求。

We are trying to use the Office 365 Unified API to make requests against graph.microsoft.com.

认证是成功的，但访问令牌缺少UPN和PUID，这意味着对 HTTPS请求：//graph.microsoft.com/beta/me 失败。

Authentication is successful, but the access token is missing the UPN and PUID, which means that the request against https://graph.microsoft.com/beta/me fails.

验证code：

$code = $_GET['code'];
//build the request body
$tokenRequestBody = "grant_type=authorization_code&" .
    "redirect_uri=" . '<redirectURI>' . "&" .
    "client_id=" . '<cliendId>' . "&" .
    "client_secret=" . urlencode('<clientsecret>') . "&" .
    "resource=" . 'https://graph.microsoft.com' . "&" .
    "code=" . $code;


$request = curl_init("https://login.microsoftonline.com/0e06e1f9-24b3-4026-8bd0-2a6c28937df1/oauth2/token");
curl_setopt($request, CURLOPT_POST, 1);
curl_setopt($request, CURLOPT_POSTFIELDS, $tokenRequestBody);
curl_setopt($request, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));

curl_setopt($request, CURLOPT_RETURNTRANSFER, true);

$tokenOutput = curl_exec($request);
$token = json_decode($tokenOutput);

图请求code：

Graph Request Code:

    $path = "https://graph.microsoft.com/beta/me";

    //perform a REST query for the user
    $request = curl_init($path);
    curl_setopt($request, CURLOPT_HTTPHEADER, array(
        "Authorization: Bearer ".$token->access_token
    ,
        "Accept: application/json"));

    curl_setopt($request, CURLOPT_RETURNTRANSFER, true);
    $response = curl_exec($request);

德codeD访问令牌：

Decoded Access Token:

{
 typ: "JWT",
 alg: "RS256",
 x5t: "MnC_VZcATfM5pOYiJHMba9goEKY",
 kid: "MnC_VZcATfM5pOYiJHMba9goEKY"
}.
{
 aud: "https://graph.microsoft.com",
 iss: "https://sts.windows.net/0e06e1f9-24b3-4026-8bd0-2a6c28937df1/",
 iat: 1447345801,
 nbf: 1447345801,
 exp: 1447349701,
 acr: "1",
 altsecid: "1:live.com:0003BFFD977FF496",
 amr: [
  "pwd"
 ],
 appid: "<appid>",
 appidacr: "1",
 email: "<emailaddress>",
 family_name: "<familyname>",
 given_name: "<givenname>",
 idp: "live.com",
 ipaddr: "<ipaddress>",
 scp: "Calendars.Read Calendars.ReadWrite Contacts.Read Contacts.ReadWrite Directory.AccessAsUser.All Directory.Read.All Directory.ReadWrite.All Files.Read Files.Read.Selected Files.ReadWrite Files.ReadWrite.Selected Group.Read.All Group.ReadWrite.All Mail.Read Mail.ReadWrite Mail.Send Notes.Create Notes.Read Notes.Read.All Notes.ReadWrite Notes.ReadWrite.All Notes.ReadWrite.CreatedByApp offline_access openid People.Read People.ReadWrite Sites.Read.All Sites.ReadWrite.All User.Read User.Read.All User.ReadBasic.All User.ReadWrite User.ReadWrite.All",
 sub: "5je0Jdv8442iS3rLXa-3a7KWSiKCyBrq9Q0c0d4sbBY",
 tid: "0e06e1f9-24b3-4026-8bd0-2a6c28937df1",
 unique_name: "<uniquename>",
 ver: "1.0"
}.
[signature]

图表请求响应：

{
  "error": {
    "code": "BadRequest",
    "message": "Missing UPN and PUID claims.",
    "innerError": {
      "request-id": "158c62f6-fece-4f64-bbb5-a1e691334daa",
      "date": "2015-11-12T14:09:40"
    }
  }
}

很想一些帮助这个！提前感谢。

Would love some help with this! Thanks ahead of time.

推荐答案

下面几点可以检查故障排除：

Here are several points you can check for troubleshooting:

1，在你的AD应用程序面板，单击用户选项卡来检查用户是否在您的Azure AD。

1, In your AD application panel, click USERS tab to check whether the user is in your Azure AD.

2，请检查同步了用户的程序是否成功是从上承诺AD或Office 365天青AD。您可以使用Office 365帐户登录Azure的门户网站，它会自动在Azure的AD在Azure上的门户它的第一次登录添加。此外，如果你得到的东西错了或UPN有冲突，你可能会遇到这个错误。

2, Please check whether the procedure of syncing up users is successfully from on-promise AD or Office 365 to Azure AD. You can login Azure portal using office 365 account, it will automatically be added in Azure AD by its first time login on Azure portal. Additionally, if you get something wrong or UPN has conflicts, you may encounter this error.

你可以尝试在PowerShell中下面的脚本添加应用服务主体和角色设置为你的应用程序：

And you can try the following script in Powershell add your Application Service Principal and set the Role for your application:

#-----------------------------------------------------------
# This will add your Application Service Prinicpal to 
# the Company Administrator role
#-----------------------------------------------------------
$msolcred=get-credential
connect-msolservice -credential $msolcred

$ClientIdWebApp = 'Your application client id'
$webApp = Get-MsolServicePrincipal –AppPrincipalId $ClientIdWebApp

#use Add-MsolRoleMember to add it to "Company Administrator" role).
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId 

您可以参考<一个href=\"https://msdn.microsoft.com/en-us/library/azure/81cc7f03-75d3-4343-aec4-57116017683a#BKMK_ManageService\"相对=nofollow>管理的Azure AD服务主体的有关详细信息，如何将用户的Azure AD PowerShell的。

You can refer to Manage Azure AD service principals for more information about how to user Azure AD Powershell.

此外，还可以参考深潜到Office 365统一的API 集成的Office 365，并检查prerequisites因为它在第一部分提到的。

Furthermore, you can refer to Deep Dive into the Office 365 Unified API for integrating office 365, and check the prerequisites as it mentioned at first section.

这篇关于掌握graph.microsoft.com错误的请求响应，失踪UPN和PUID索赔的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！