问题描述
我正在尝试在企业中开发应用程序,并且遵循了本教程以获取对AD用户信息的访问权限.含义:
I'm trying to develop an app in my enterprise and I've followed this tutorial to get access to the AD users information. Meaning:
- 我在 https://apps.dev.microsoft.com/
- 我在应用程序权限中设置了
User.Read.All
,并且在委派权限中设置了User.Read
- I created an app in https://apps.dev.microsoft.com/
- I set
User.Read.All
in Application Permissions andUser.Read
in Delegated Permissions
完成此操作后,我就可以成功登录(Azure AD OAuth2,其中https://graph.microsoft.com/
作为资源,User.Read
作为范围),并从https://graph.microsoft.com/v1.0/me
获得正确的响应.
With this done I'm able to successfully login (Azure AD OAuth2 with https://graph.microsoft.com/
as resource and User.Read
as scope) and get a correct response from https://graph.microsoft.com/v1.0/me
.
- 向管理员询问委派权限
有了这个,我的管理员可以在 azure门户网站中看到我的应用拥有他自己同意的两个权限
With this, my admin can see in the azure portal that my App has both permissions consented by himself.
之所以可行,是因为我要求一个同事登录,并且即使甚至没有提示他同意(在管理员同意提示用户之前),我仍然可以从https://graph.microsoft.com/v1.0/me
得到正确的答复 >
This is working because I asked a coworker to log in and I could get a correct response from https://graph.microsoft.com/v1.0/me
even though he wasn't even prompted to consent this (Before the admin consenting the permissions the user was prompted)
-
以
client_credentials
作为response_type
接收令牌!
对https://graph.microsoft.com/v1.0/users
进行GET请求并接收:
Do a GET request to https://graph.microsoft.com/v1.0/users
and receive:
{
"error": {
"code": "Authorization_IdentityNotFound",
"message": "The identity of the calling application could not be established.",
"innerError": {
"request-id": "b2d9ec62-0b65-44eb-9e0f-4aec52b45750",
"date": "2017-03-22T19:19:48"
}
}
}
此外,向https://graph.microsoft.com/v1.0/me
发出请求会返回:
Furthermore, doing a request to https://graph.microsoft.com/v1.0/me
returns:
{
"error": {
"code": "BadRequest",
"message": "Current authenticated context is not valid for this request",
"innerError": {
"request-id": "047e2ba9-a858-45fc-a0dd-124e1db503f3",
"date": "2017-03-22T19:39:25"
}
}
}
这使我相信Microsoft知道此令牌,并且知道它没有冒充任何用户.
Which leads me to believe that Microsoft knows this token and knows it is not impersonating any user.
我一直在寻找有关Azure AD和Microsoft Graph身份验证的文档,但是我只找到博客文章,而且似乎都过时了(尽管大多数功能都在预览中).如果您能指出正确的方向,我将表示感谢.
I've been looking for documentation on Azure AD and Microsoft Graph authentication but I only find blog posts and all seem outdated (although most features are in preview).If you could point me in the right direction I would thank you.
我还找到了此和关于SO的与此类似的问题,但仍未得到答案.
I've also found this and this similar questions on SO but they all remain unanswered.
Update, after this answer
谢谢你,丹,我已经使用了我的组织域名,也能够获得令牌.
Thank you, Dan,I've used my organization domain name and I'm also able to get a token.
现在https://graph.microsoft.com/v1.0/users/
的响应是:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "3f190b47-73f5-4b29-96f9-54ed3dbc3137",
"date": "2017-03-23T11:07:15"
}
}
}
这没有任何意义,因为在azure门户中,我具有User.Read.All
作为应用程序许可(已得到管理员的同意).
Which makes no sense because in the azure portal I have User.Read.All
as Application Permission (already consented by the admin).
我认为问题出在令牌请求上,即使我发送了scope
,该请求也会成功返回,即使我发送了一个令牌.
I think the problem is with the request for the token, that returns successfully no matter the scope
I send, even if I made one up.
例如:
POST https://login.microsoftonline.com/<domain>/oauth2/token
client_id:*******
client_secret:*******
resource:https://graph.microsoft.com/
grant_type:client_credentials
scope:Foo.Bar
返回:
{
"token_type": "Bearer",
"expires_in": "3599",
"ext_expires_in": "0",
"expires_on": "1490271617",
"not_before": "1490267717",
"resource": "https://graph.microsoft.com/",
"access_token": *****
}
推荐答案
我遇到了两个问题,都没有涵盖在文档中:
I had two problems, both not covered documentation:
-
对于客户凭据,如果该应用属于工作或学校(组织)上下文,则对于
https://login.microsoftonline.com/common/oauth2/token
,将common
替换为tenantId或域名(感谢丹·克肖)
For client credentials, if the app belongs to a work or school (organization) context then for
https://login.microsoftonline.com/common/oauth2/token
replacecommon
with a tenantId or domain name (thanks to Dan Kershaw)
对于https://graph.microsoft.com/v1.0/users
或https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}
,您需要Directory.Read.All
权限.
注意:
-
User.Read.All
与Microsoft有关,当您在OAuth工作流程中要求User.Read
时,Microsoft停止向用户请求权限(委托).在发布中检查此问题和其他与权限相关的问题注释. - 我已将此问题添加到Microsoft Graph文档中!
User.Read.All
is relevant for Microsoft to stop requesting permissions (delegation) to the user when you ask forUser.Read
in the OAuth workflow. Check this and other Permission related issues in the Release Notes.- I've added this issue to the Microsoft Graph Docs!
这篇关于Microsoft Graph API请求上的Authorization_IdentityNotFound的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!