具有客户端凭据流的应用程序拒绝访问
[英]Access denied for application with client credentials flow
问题描述
We have set up an application in AAD. 
我们已经在AAD中建立了一个应用程序。
The application has been granted access to read/write all messages/mails and "read users profiles" and a global admin have pushed the "Grant permissions" button in the portal. 已授予该应用程序读取/写入所有消息/邮件和“读取用户个人资料”的权限,并且全局管理员已按下门户中的“授予权限”按钮。 Still We get Access denied error when trying to access 尝试访问时,仍然出现“ Access denied错误
https://graph.microsoft.com/v1.0/users/{myId}/MailFolders/Inbox/ChildFolders
for my userid ( myId ). 为我的用户名( myId )。 The URL works fine in graph explorer when I'm logged in as my own user. 当我以自己的用户身份登录时,URL在图形浏览器中运行良好。
Also, decoding the JWT at jwt.io shows the application id, name and "aud" ( https://graph.microsoft.com ) - but no roles/scopes. 另外,在jwt.io解码JWT会显示应用程序ID,名称和“ aud”( https://graph.microsoft.com )-但没有角色/作用域。
What have we done wrong? 我们做错了什么?
2 个解决方案
解决方案1
0 2018-11-07 16:30:37
These are delegated permissions... so you will need a user with the same rights and use the credentials of the user in your authorization flow for your app. 这些是委派的权限...因此,您将需要一个具有相同权限的用户,并在您的应用授权流中使用该用户的凭据。
The effective rights are the intersection of the user rights and and the rigths of the app . 有效权限是用户权限与应用程序的严格性的交集 。
"Effective permissions are the permissions that your app will have when making requests to an API. “有效权限是您的应用向API发出请求时所拥有的权限。
- For delegated permissions, the effective permissions of your app will be the least privileged intersection of the delegated permissions the app has been granted (through consent) and the privileges of the currently signed-in user. 对于委派权限,应用程序的有效权限将是已被授予(通过同意)应用程序的委派权限与当前登录用户的特权之间的最小特权。 Your app can never have more privileges than the signed-in user." 您的应用程序所拥有的特权永远不会超过登录用户。”
The user also needs permission to use the app in AAD. 用户还需要获得在AAD中使用该应用程序的许可。
If it is not a delegated permission, maybe there is the need for some global admin to grant the consent for all users. 如果不是委派的权限,则可能需要某些全局管理员为所有用户授予同意。 "Topic Admins" can only "request" the permissions for the app and the global admin can consent for all users. “主题管理员”只能“请求”该应用程序的权限,而全局管理员可以同意所有用户。
解决方案2
0 2018-11-08 08:56:45
Ok so I submitted a ticket to Microsoft Support. 好的,所以我向Microsoft支持提交了一张票。 I haven't received any response yet, but now it all works just fine. 我尚未收到任何回复,但现在一切正常。 I have no idea why, but when I was submitting the ticket this morning a warning was shown that an outage in Azure AD was recently fixed so maybe that is why things didn't work yesterday. 我不知道为什么,但是当我今天早上提交票证时,显示警告,最近修复了Azure AD的故障,因此也许这就是昨天事情不起作用的原因。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.