[英]azure active directory graph REST api call through SP.WebRequestInfo on SharePoint Online
Trying to make a REST call through SharePoint's SP.WebRequestInfo. 尝试通过SharePoint的SP.WebRequestInfo进行REST调用。
I'm getting the error "The remote server returned the following error while establishing a connection - 'Unauthorized'." 我收到错误消息“远程服务器在建立连接时返回以下错误-'未经授权'。” trying to call https://graph.windows.net/[Client]/users?api-version=2013-11-0 . 尝试致电https://graph.windows.net/[Client]/users?api-version=2013-11-0 。
I've successfully retrieved a access token. 我已成功检索访问令牌。
Can you help me out why i'm getting this error? 您能帮我解决为什么出现此错误的原因吗?
Here is the code i'm using: 这是我正在使用的代码:
var url = "https://graph.windows.net/xxx/users/?api-version=2013-11-08";
var context = SP.ClientContext.get_current();
var request = new SP.WebRequestInfo();
request.set_url(url);
request.set_method("GET");
request.set_headers({
"Authorization": token.token_type + " " + token.access_token,
"Content-Type": "application/json"
});
var response = SP.WebProxy.invoke(context, request);
context.executeQueryAsync(successHandler, errorHandler);
function successHandler() {
if (response.get_statusCode() == 200) {
var responseBody = JSON.parse(response.get_body());
deferred.resolve(responseBody);
} else {
var httpCode = response.get_statusCode();
var httpText = response.get_body();
deferred.reject(httpCode + ": " + httpText);
}
}
The code for retrieving the token is: 检索令牌的代码是:
this.getToken = function (clientId, clientSecret) {
var deferred = $q.defer();
var resource = "https://graph.windows.net";
var formData = "grant_type=client_credentials&resource=" + encodeURIComponent(resource) + "&client_id=" + encodeURIComponent(clientId) + "&client_secret=" + encodeURIComponent(clientSecret);
var url = "https://login.windows.net/xxxxxx.onmicrosoft.com/oauth2/token?api-version=1.0";
var context = SP.ClientContext.get_current();
var request = new SP.WebRequestInfo();
request.set_url(url);
request.set_method("POST");
request.set_body(formData);
var response = SP.WebProxy.invoke(context, request);
context.executeQueryAsync(successHandler, errorHandler);
function successHandler() {
if (response.get_statusCode() == 200) {
var token = JSON.parse(response.get_body());
deferred.resolve(token);
} else {
var httpCode = response.get_statusCode();
var httpText = response.get_body();
deferred.reject(httpCode + ": " + httpText);
}
}
function errorHandler() {
deferred.reject(response.get_body());
}
return deferred.promise;
};
Erik, something is strange here - you are using the client credential flow from a JavaScript client - this reveals the secret issued to the client app to the user of the JS app. Erik,这里有些奇怪-您正在使用来自JavaScript客户端的客户端凭据流-这会将发布给客户端应用程序的秘密透露给JS应用程序的用户。
The client credential flow also requires the directory admin to grant directory read permission to the client application - not sure if this was already configured - nevertheless it must only be used with a confidential client, not a public client like a JS app. 客户端凭证流还需要目录admin向客户端应用程序授予目录读取权限-不确定是否已配置-但是,它只能与机密客户端一起使用,而不能与JS应用程序这样的公共客户端一起使用。
Azure AD does not yet implement the implicit_grant oauth flow using which a JS client app can acquire an access token on behalf of the user over redirect binding (in the fragment). Azure AD尚未实现hidden_grant oauth流,JS客户端应用可使用该隐式oauth流通过重定向绑定(在片段中)代表用户获取访问令牌。 This is a hugh-pro requirement that we're working on - stay tuned. 这是我们正在努力的一项非常严格的要求-请继续关注。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.