简体繁体 English

无法使用 OAuth 访问令牌访问 Microsoft Graph Api

[英]Not able to access Microsoft Graph Api using OAuth Access token

原文 2022-01-03 13:58:41 8 1 oauth/ azure-active-directory/ microsoft-graph-api/ access-token/ onedrive

I am trying to access Microsoft Graph Api for my OneDrive Business account.我正在尝试为我的 OneDrive Business 帐户访问 Microsoft Graph Api。 I have created an app in Azure Directory.我在 Azure 目录中创建了一个应用程序。 I am able to authenticate, I am getting an access token but when trying to use that access token and use this api https://graph.microsoft.com/v1.0/me .我能够进行身份验证，我正在获取访问令牌，但是当尝试使用该访问令牌并使用此 api https://graph.microsoft.com/v1.0/me 时。 I am getting this error: "Access token validation failure. Invalid audience."我收到此错误：“访问令牌验证失败。无效的受众。” I dont know if I am missing any permission to access Graph APi?我不知道我是否缺少访问 Graph APi 的任何权限？

1 个解决方案

According to Resolve Microsoft Graph authorization errors - Microsoft Graph |根据解决 Microsoft Graph 授权错误 - Microsoft Graph | Microsoft Docs 微软文档

API services like Microsoft Graph check that the aud claim (audience) in the received access token matches the value it expects for itself, and if not, it results in a 403 Forbidden error. API 服务（如 Microsoft Graph）检查接收到的访问令牌中的 aud 声明（受众）是否与它自己期望的值匹配，如果不匹配，则会导致 403 Forbidden 错误。 A common mistake that causes in this error is trying to use a token acquired for Azure AD Graph APIs, Outlook APIs, or SharePoint/OneDrive APIs to call Microsoft Graph (or vice versa).导致此错误的一个常见错误是尝试使用为 Azure AD Graph API、Outlook API 或 SharePoint/OneDrive API 获取的令牌来调用 Microsoft Graph（反之亦然）。 Ensure that the resource (or scope) your app is acquiring a token for matches the API that the app is calling.确保您的应用获取令牌的resource (or scope) app is acquiring a token for matches the API that the app is calling.

As your error message says, your token audience is invalid,you must have set wrong scope when requesting the token.Please check the aud claim as commented in https://jwt.ms .正如您的错误消息所述，您的令牌受众无效，您在请求令牌时必须设置错误的 scope。请检查https://jwt.ms中评论的 aud 声明。 Try to set the scope to https://graph.microsoft.com/.default in authentication request and give delegated and application permissions under Microsoft apis> Microsoft graph and grant admin consent to the api.尝试在身份验证请求中将 scope 设置为https://graph.microsoft.com/.default并在 Microsoft apis> Microsoft graph 下授予delegated和application permissions ，并grant admin consent 。 etc. The api call only supports delegated permissions, so you can't use the client credential flow to get the token.等。 api 调用仅支持委托权限，因此您不能使用客户端凭据流获取令牌。 For the /me endpoint, the user needs to log in, so you need Use auth code flow to obtain an access token.对于 /me 端点，用户需要登录，因此您需要使用 auth 代码流来获取访问令牌。 Calling /me end point requires delegated permissions.调用 /me 端点需要委派权限。

And calling one drive api from that also requires another additional permissions for different activity.并且从中调用一个驱动器 api 还需要针对不同活动的其他额外权限。

You can make use of Graph Explorer to see the permissions required and according grant admin consent for the same through explorer itself or through portal.您可以使用Graph Explorer查看所需的权限，并通过资源管理器本身或通过门户授予管理员同意。

If still error remains, please change the accesstokenacceptedversion to 2 if it is null or 1 or vice versa.如果仍然错误，请将accesstokenacceptedversion更改为 2，如果它是 null 或 1，反之亦然。 And try again.然后再试一次。