Microsoft OAuth 2.0 客户端凭据 - 即使在 Azure 上授予管理员同意,也无法检索范围权限
[英]Microsoft OAuth 2.0 Client Credentials - Unable to retrieve permission to scope even with Granted Admin Consent on Azure
问题描述
I am working on daemon service that retrieves the list of contacts from Microsoft Graph, that does not prompt Microsoft Authentication to the user.
我正在处理从 Microsoft Graph 检索联系人列表的守护程序服务,该服务不会向用户提示 Microsoft 身份验证。 However, I'm not able to retrieve the permissions I set in Microsoft Azure even with granted admin consent.但是,即使获得管理员同意,我也无法检索我在 Microsoft Azure 中设置的权限。
I use Postman to generate a token with the following information.我使用 Postman 生成具有以下信息的令牌。
https://login.microsoftonline.com/0835055b-8a00-4130-b07a-037430dd000d/oauth2/v2.0/token
The following json is the result I get以下json是我得到的结果
{
"token_type": "Bearer",
"scope": "profile openid email https://graph.microsoft.com/User.Read https://graph.microsoft.com/.default",
"expires_in": 3600,
"ext_expires_in": 3600,
"access_token": "{MY_TOKEN_HERE}"
}
Token is generated successfully but the token returned does not include the permission with granted admin consent I set in MS Azure at portal.azure.com > Registered App > API Permission.令牌已成功生成,但返回的令牌不包括我在 MS Azure 中设置的具有授予管理员同意的权限,网址为 portal.azure.com > 注册应用程序 > API 权限。
I have Microsoft Graph - Users.Read and Contacts Read with green ticks on admin consent required.我有 Microsoft Graph - Users.Read 和 Contacts Read,需要管理员同意,并带有绿色勾号。 See image below:见下图:
Microsoft Azure - API Permission Microsoft Azure - API 权限
And without the scope, I'm not able to retrieve the list of contacts with given token.没有范围,我无法检索具有给定令牌的联系人列表。
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"request-id": "63a24a22-34f7-42a1-a9d5-d7aaf598f4d6",
"date": "2019-07-01T02:59:15"
}
}
}
Is there anything I missed?有什么我错过的吗? I assumed when the admin has granted consents, I should be able to include the API in scopes to generate tokens.我假设当管理员同意时,我应该能够将 API 包含在范围中以生成令牌。
I saw there is a similar issue here but there is no solutions that work for me: Microsoft graph API: Unable to fetch users with the generated access token我看到这里有一个类似的问题,但没有适合我的解决方案: Microsoft graph API: Unable to fetch users with the generated access token
1 个解决方案
解决方案1
1 2019-07-03 07:37:19
Based on your screenshot, the contacts.read you granted is an application permission.根据您的屏幕截图,您授予的contacts.read 是应用程序权限。 And, you have only one delegated permission: user.read .而且,您只有一个委派权限: user.read 。
However, if you want to call the graph api : graph.microsoft.com/v1.0/me/contacts , you need to use delegated permission.但是,如果要调用图形 api : graph.microsoft.com/v1.0/me/contacts ,则需要使用委派权限。 It will represent the user.它将代表用户。 So you can get the information for "me".所以你可以得到“我”的信息。 And based on the official documentation , you need to grant the Contacts.Read (Contacts.ReadWrite for writing) delegated permission.并且根据官方文档,需要授予Contacts.Read(用于写入的Contacts.ReadWrite)委托权限。
If you want to use application permission, then you need to get access token with client credentials flow .如果要使用应用程序权限,则需要使用客户端凭据流获取访问令牌。 Token got in this way can be used for application permission.通过这种方式得到的token可以用于申请权限。 And you should call the api as following : graph.microsoft.com/v1.0/users/{id |您应该按如下方式调用 api:graph.microsoft.com/v1.0/users/{id | userPrincipalName}/contacts用户主体名称}/联系人
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.