程序员经验分享-hwhale

如何在客户端授权的情况下使用 Microsoft.Graph 并且不会收到 401

2023-12-25

We have

  • 创建了 Azure Active Directory
  • 创建了一个新的应用程序
  • 在 Azure AD 中注册新应用程序
  • 授予 API 的所有权限
  • 授予管理员权限

现在我们使用此应用程序凭据登录

我们获得授权:

GET /1111111-aaaa-4fd3-bf32-9bfc460f67b1/oauth2/v2.0/authorize HTTP/1.1
Host: login.microsoftonline.com
cache-control: no-cache
Postman-Token: 111111-aaaa-4696-9828-9110670706c5

我们得到令牌:

POST /11111111-aaaa-4fd3-bf32-9bfc460f67b1/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
cache-control: no-cache
Postman-Token: 11111111-aaaa-47e4-b2fb-6b94cd02312a
client_id=11111111-aaaa-482e-ab17-86e4c2c6240c
scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
client_secret=aaaaaaaaaaaDJk6jBJ%2FuBRJM6AFxyFIDMKn867hmvU%3D
grant_type=client_credentials

使用 jwt.io 分析的令牌:

{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/1111111-ccc6-4fd3-bf32-9bfc460f67b1/",
  "iat": 1541603660,
  "nbf": 1541603660,
  "exp": 1541607560,
  "aio": "42RgYFB+/Gyh8uF3yl+uKU7km//kFwA=",
  "app_displayname": "ToDoListService",
  "appid": "1111111-4e99-482e-ab17-86e4c2c6240c",
  "appidacr": "1",
  "idp": "https://sts.windows.net/1111111-ccc6-4fd3-bf32-9bfc460f67b1/",
  "oid": "1111111-98fb-4a47-af7f-d3800dde2f7b",
  "roles": [
    "Chat.UpdatePolicyViolation.All",
    "Calls.JoinGroupCall.All",
    "EduRoster.Read.All",
    "OnlineMeetings.Read.All",
    "Mail.ReadWrite",
    "OnlineMeetings.ReadWrite.All",
    "Device.ReadWrite.All",
    "User.ReadWrite.All",
    "Domain.ReadWrite.All",
    "Application.ReadWrite.OwnedBy",
    "SecurityEvents.Read.All",
    "Calendars.Read",
    "EduAssignments.ReadWrite.All",
    "People.Read.All",
    "Application.ReadWrite.All",
    "Calls.InitiateGroupCall.All",
    "Group.Read.All",
    "Directory.ReadWrite.All",
    "EduAssignments.ReadWriteBasic.All",
    "MailboxSettings.Read",
    "EduAdministration.Read.All",
    "Calls.JoinGroupCallAsGuest.All",
    "Sites.Read.All",
    "Sites.ReadWrite.All",
    "Contacts.ReadWrite",
    "Group.ReadWrite.All",
    "Sites.Manage.All",
    "SecurityEvents.ReadWrite.All",
    "Notes.Read.All",
    "User.Invite.All",
    "EduRoster.ReadWrite.All",
    "Files.ReadWrite.All",
    "Directory.Read.All",
    "User.Read.All",
    "EduAssignments.ReadBasic.All",
    "EduRoster.ReadBasic.All",
    "Files.Read.All",
    "Mail.Read",
    "Chat.Read.All",
    "ChannelMessage.Read.All",
    "EduAssignments.Read.All",
    "Calendars.ReadWrite",
    "identityriskyuser.read.all",
    "EduAdministration.ReadWrite.All",
    "Mail.Send",
    "ChannelMessage.UpdatePolicyViolation.All",
    "MailboxSettings.ReadWrite",
    "Contacts.Read",
    "IdentityRiskEvent.Read.All",
    "AuditLog.Read.All",
    "Member.Read.Hidden",
    "Calls.AccessMedia.All",
    "Sites.FullControl.All",
    "Reports.Read.All",
    "Calls.Initiate.All",
    "Notes.ReadWrite.All"
  ],
  "sub": "1111111-98fb-4a47-af7f-d3800dde2f7b",
  "tid": "1111111-ccc6-4fd3-bf32-9bfc460f67b1",
  "uti": "hxPwbjRRm0y6SI8hxuckAA",
  "ver": "1.0",
  "xms_tcdt": 1541414851
}

您可以看到我们获得了所有必要的权限。

这个请愿书有效:

https://graph.microsoft.com/v1.0/Users/

or

https://graph.microsoft.com/beta/Users/

但不是这个:

https://graph.microsoft.com/beta/Users/<user-id>/Calendars

也不是这个:

https://graph.microsoft.com/beta/users/<user-id>/sendMail

他们都返回 401:

{
  "error": {
    "code": "UnknownError",
    "message": "",
    "innerError": {
      "request-id": "019ddc83-6528-4f19-95cc-8b99ea53a046",
      "date": "2018-11-07T16:03:55"
    }
  }
}

我认为我们已经获得了所有必要的许可、配置...等等...那么为什么它不起作用呢? :'(

[UPDATE]

详细调用获取日历

GET /v1.0/Users/<user-id>/Calendars HTTP/1.1
cache-control: no-cache
Postman-Token: xxxxxxxxxxxxxxxxxxxxxxx
Authorization: Bearer xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
User-Agent: PostmanRuntime/7.3.0
Accept: */*
Host: graph.microsoft.com
accept-encoding: gzip, deflate
Connection: close

Response

HTTP/1.1 401 Unauthorized
Cache-Control: private
Transfer-Encoding: chunked
Content-Type: application/json
request-id: 11111111-aaaa-aaaa-a115-e09bb6f09917
client-request-id: 11111111-aaaa-aaaa-a115-e09bb6f09917
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"North Europe","Slice":"SliceC","Ring":"3","ScaleUnit":"001","Host":"AGSFE_IN_34","ADSiteName":"NEU"}}
Duration: 377.0084
Strict-Transport-Security: max-age=31536000
Date: Thu, 08 Nov 2018 09:16:03 GMT
Connection: close

c6
{
  "error": {
    "code": "UnknownError",
    "message": "",
    "innerError": {
      "request-id": "2bb9a7c1-f8a3-4c1f-a115-e09bb6f09917",
      "date": "2018-11-08T09:16:04"
    }
  }
}
0

让我首先注意到您已在公共论坛上发布了客户机密:)并且对您的租户拥有豪华许可。我希望您现在已经更改了客户端密钥。

但回到你的问题 - 我将不得不问得更详细一些,以便更好地了解你的实际结果:

  1. 根据您的 JWT 打印输出,您将获得 V1 令牌,但使用客户凭证流(字段“ver”设置为 1.0)。微软文档在这里无需用户即可访问 https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service明确指出在这种情况下您应该使用 V2 令牌来访问 Microsoft Graph。所以第一个问题是:您是否使用 V2 门户创建了 Azure 应用程序:https://apps.dev.microsoft.com/ https://apps.dev.microsoft.com/?如果不是,那么这可能就是问题所在。
  2. 手动测试时更常见的问题 - 您是否确保从 /token 端点获取令牌到测试 API 调用期间令牌没有过期?
  3. 如果以上都不是 - 请将您的请求发送至https://graph.microsoft.com/beta/Users/ https://graph.microsoft.com/beta/Users//日历端点详细,魔鬼可能就在细节中
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)

Azure

Outlook

azureactivedirectory

Office365

microsoftgraphapi

如何在客户端授权的情况下使用 Microsoft.Graph 并且不会收到 401 的相关文章

随机推荐

热门标签