我尝试更新 Azure 中的应用注册以添加所需的 Graph 权限，并且我也尝试创建新的应用注册，无论我做什么，我的请求总是会响应 401 Unauthorized，有什么我遗漏的吗?来自邮递员的示例回复{错误": {"code": "InvalidAuthenticationToken","message": "访问令牌验证失败.",内部错误":{请求 ID":a142576b-acce-4e59-8a8d-adede61aaf59"，日期":2017-04-05T13:27:36"}}}C# 请求示例公共异步任务GetGroupIdByDisplayName(string displayName){var accessToken = await authenticationService.GetTokenUserOnly();GroupGraph groupGraphResponse = null;使用 (var client = new HttpClient()){使用 (var request = new HttpRequestMessage(HttpMethod.Get, $"https://graph.microsoft.com/v1.0/groups?$filter=from/displayName eq '{displayName}'")){request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);使用 (var response = client.SendAsync(request).Result){如果(响应.IsSuccessStatusCode){使用 (var content = response.Content){var result = await content.ReadAsStringAsync();groupGraphResponse = JsonConvert.DeserializeObject(result);}}}}}返回 groupGraphResponse;}我获取令牌的方式public async TaskGetTokenUserOnly(){string signedInUserID = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value;字符串tenantID = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;string userObjectID = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;//在不触发任何用户交互的情况下获取 Graph 的令牌(来自缓存，通过多资源刷新令牌等)ClientCredential clientcred = new ClientCredential(clientId, appKey);//使用保存在应用程序数据库中的当前登录用户的令牌缓存初始化 AuthenticationContextAuthenticationContext authenticationContext = new AuthenticationContext(aadInstance + tenantID, new TableTokenCache(signedInUserID));//AuthenticationResult authenticationResult = await authenticationContext.AcquireTokenSilentAsync(graphResourceID, clientcred, new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));AuthenticationResult authenticationResult = authenticationContext.AcquireToken(graphResourceID, clientcred);返回 authenticationResult.AccessToken;} 解决方案 您不能使用 ADAL 来获取图形的令牌.microsoft.com.ADAL 用于图形.windows.net.为了获取 Graph 库 (graph.windows.com) 的令牌，请查看 Nuget 包 Microsoft.Graph.微软还有一些关于如何拉用户的文档信息使用 Graph.请注意，同时使用图形库和 ADAL 库可能会导致一些奇怪的副作用，例如凭据缓存被清除.I am working on an ASP.NET MVC5 Web App that uses Azure ADAL libraries to authenticate users, it works fine, however, when I manually send requests to graph, ex: GET https://graph.microsoft.com/v1.0/me or GET https://graph.microsoft.com/v1.0/groups?$filter=from/displayName eq 'whatever'.I have tried updating the App Registration in Azure as to add the required Graph permissions, and I have also tried creating new app registrations, no matter what I do my requests will always respond 401 Unauthorized, is there anything I am missing?EDIT: Example response from Postman{ "error": { "code": "InvalidAuthenticationToken", "message": "Access token validation failure.", "innerError": { "request-id": "a142576b-acce-4e59-8a8d-adede61aaf59", "date": "2017-04-05T13:27:36" } }}EDIT: C# Request Examplepublic async Task<GroupGraph> GetGroupIdByDisplayName(string displayName){ var accessToken = await authenticationService.GetTokenUserOnly(); GroupGraph groupGraphResponse = null; using (var client = new HttpClient()) { using (var request = new HttpRequestMessage(HttpMethod.Get, $"https://graph.microsoft.com/v1.0/groups?$filter=from/displayName eq '{displayName}'")) { request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken); using (var response = client.SendAsync(request).Result) { if (response.IsSuccessStatusCode) { using (var content = response.Content) { var result = await content.ReadAsStringAsync(); groupGraphResponse = JsonConvert.DeserializeObject<GroupGraph>(result); } } } } } return groupGraphResponse; }EDIT: The way I obtain the tokenpublic async Task<string> GetTokenUserOnly() { string signedInUserID = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value; string tenantID = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value; string userObjectID = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value; // get a token for the Graph without triggering any user interaction (from the cache, via multi-resource refresh token, etc) ClientCredential clientcred = new ClientCredential(clientId, appKey); // initialize AuthenticationContext with the token cache of the currently signed in user, as kept in the app's database AuthenticationContext authenticationContext = new AuthenticationContext(aadInstance + tenantID, new TableTokenCache(signedInUserID)); //AuthenticationResult authenticationResult = await authenticationContext.AcquireTokenSilentAsync(graphResourceID, clientcred, new UserIdentifier(userObjectID, UserIdentifierType.UniqueId)); AuthenticationResult authenticationResult = authenticationContext.AcquireToken(graphResourceID, clientcred); return authenticationResult.AccessToken; } 解决方案 You can't use ADAL to get tokens for graph.microsoft.com. ADAL is for graph.windows.net.In order to get tokens for the Graph library (graph.windows.com) look into the Nuget Package Microsoft.Graph. Microsoft also has some documentation on how to pull user info using Graph.Be forewarned though, using Graph Libraries and ADAL libraries side by side can lead to some weird side effects, such as the credential cache being cleared. 这篇关于获取 Microsoft Graph API 的有效访问令牌的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！ 上岸，阿里云！