访问被拒绝。 检查凭据，然后重试

Question

I am trying to access calendar events using the Microsoft Graph API (https://graph.microsoft.com/v1.0/me/calendarView) on node.js following this permissions guide but I receive the error response :

{
   "code": "ErrorAccessDenied",
    "message": "Access is denied. Check credentials and try again.",
    "innerError": {
      "request-id": "7c2...",
      "date": "2016-07-13T21:19:11"
    }
}

The call was made with using :

request({url : 'https://graph.microsoft.com/v1.0/me/calendarview',  qs : queryParams, 'auth': {'bearer': token}}, function (error, response, body) {
    ...
});

The request has a valid token and the call to .../me/ via

request({url : 'https://graph.microsoft.com/v1.0/me/', 'auth': {'bearer': token}}, function (error, response, body) {
    ...
});

returns :

{"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#users/$entity",
"id":"<valid_id>",
"businessPhones":[],
"displayName":"<valid_name>",
"givenName":"<valid_name>",
"jobTitle":"<valid_title>",
"mail":"<valid_email>",
"mobilePhone":"<valid_cell>",
"officeLocation":null,
"preferredLanguage":"en-US",
"surname":"<valid_name>",
"userPrincipalName":"<valid_email>"}

So I am assuming this is an issue with permissions set on https://manage.windowsazure.com/ where I created two applications, one for the node server and one for the web client application. I am using passport for authentication and the client id and secret for the web client application.

var AzureOAuthStrategy = require('passport-azure-oauth').Strategy;
passport.use(new AzureOAuthStrategy({
    clientId:     config.live.clientID,
    clientSecret: config.live.clientSecret,
    tenantId:     config.live.tenant,
    resource:     'https://graph.microsoft.com/', 
    redirectURL:  config.live.callbackURL
},
function(accessToken, refreshToken, profile, done) {

Here is what I set for "permissions to other applications" on the node application :

• Windows Azure Active Directory :
  • Delegated Permissions
    • Read all users' full profiles
    • Sign in and read user profile
• Microsoft graph :
  • Delegated Permissions
    • Have full access to user calendars
    • Read user calendars
• (see below)
  • Delegated Permissions
    • Access

Here is what I set for "permissions to other application" on the web client application :

• Microsoft Graph :
  • Application Permissions
    • Read and write calendars in all mailboxes
    • Read calendars in all mailboxes
  • Delegated Permissions
    • Sign users in
    • Read user contacts
    • Have full access to user calendars
    • Read user calendars
    • Sign in and read user profile
• Office Exchange 360 Online :
  • Application Permissions
    • Read and write calendars in all mailboxes
    • Read calendars in all mailboxes
  • Delegated Permissions
    • Read user and share calendars
    • Read and write user and shared calendars
    • Read all users' basic profiles
    • Read user profiles
    • Read user contacts
    • Read user calendars
• Windows Azure Active Directory
  • Application Permissions : none
  • Delegated Permissions
    • Sign in and read user profile

I'm not 100% on what the relationship between the permissions set within the azure management portal and specific end point access. I have read the API scope article but discussion in that article is a bit too conceptual for my needs.

Ultimately I am trying to access and write events to all reservable resources within a tenant id.

Answer 1

I was able to resolve the issue by deleting then regenerating the application through https://manage.windowsazure.com/ then updating the client id and secret. I was, after the fact, able to remove the native client (node) app from the application list and still make the call work.

And while I did not use the reference https://jwt.io/ provided by Fei Xue, I assume it will be invaluable for debugging azure to API permissions in the future.