[英]Missing Scopes Required when calling Microsoft Graph from ASP .Net Core Web Api
I have setup a web api to call from Microsoft Graph using a username/password credential passed to it via a vuejs client application.我已经设置了一个 web api 来使用通过 vuejs 客户端应用程序传递给它的用户名/密码凭据从 Microsoft Graph 调用。 As I tried to extend it out and add new permissions (namely Team.ReadBasic.All).当我尝试扩展它并添加新权限(即 Team.ReadBasic.All)时。 I get a:我得到一个:
Missing scope permissions on the request. API requires one of 'Team.ReadBasic.All, TeamSettings.Read.All, TeamSettings.ReadWrite.All, User.Read.All, Directory.Read.All, User.ReadWrite.All, Directory.ReadWrite.All'. Scopes on the request 'AllSites.Read, openid, profile, Tasks.ReadWrite, User.Read, User.ReadBasic.All, email'
However I have updated my Azure Ad Application with the correct API Permissions (Delegated Team.ReadBasic.All) and I have added the scope like so但是,我已经使用正确的 API 权限(Delegated Team.ReadBasic.All)更新了我的 Azure 广告应用程序,并且像这样添加了 scope
appsettings.json应用程序设置.json
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "mydomain",
"TenantId": "mytenantId",
"ClientId": "myclientId",
"ClientSecret": "myclientsecret",
"Scopes": "User.Read,Tasks.ReadWrite,Team.ReadBasic.All",
"CallbackPath": "/signin-oidc"
},
"DownstreamApi": {
"BaseUrl": "https://graph.microsoft.com/v1.0",
"Scopes": "User.Read,Tasks.ReadWrite,Team.ReadBasic.All"
With my startup using middleware to test the api.我的启动使用中间件来测试 api。
services.AddAuthentication(sharedOptions =>
{
sharedOptions.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options =>
{
Configuration.Bind("AzureAd", options);
options.Authority = $"{Configuration["AzureAd:Instance"]}{Configuration["AzureAd:TenantId"]}/v2.0";
options.TokenValidationParameters.ValidAudiences = new string[] { Configuration["AzureAd:ClientId"], $"api://{Configuration["AzureAd:ClientId"]}" };
});
var userPassCodeCredentail = new UsernamePasswordCredential("", "", Configuration["AzureAd:TenantId"], Configuration["AzureAd:ClientId"]);
services.AddSingleton(_ => new GraphServiceClient(userPassCodeCredentail, Configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(',')));
AddSwagger(services);
With Add Swagger Being随着添加 Swagger 被
services.AddOpenApiDocument(document =>
{
document.AddSecurity("bearer", Enumerable.Empty<string>(), new NSwag.OpenApiSecurityScheme
{
Type = OpenApiSecuritySchemeType.OAuth2,
Description = "Azure AAD Authentication",
Flow = OpenApiOAuth2Flow.Implicit,
Flows = new NSwag.OpenApiOAuthFlows()
{
Implicit = new OpenApiOAuthFlow()
{
Scopes = new Dictionary<string, string>
{
{ $"api://{Configuration["AzureAd:ClientId"]}/user_impersonation", "Access Application" },
{ $"api://{Configuration["AzureAd:ClientId"]}/Team.ReadBasic.All", "Access Team" },
},
AuthorizationUrl = $"{Configuration["AzureAd:Instance"]}{Configuration["AzureAd:TenantId"]}/oauth2/v2.0/authorize",
TokenUrl = $"{Configuration["AzureAd:Instance"]}{Configuration["AzureAd:TenantId"]}/oauth2/v2.0/token",
},
},
});
document.OperationProcessors.Add(new AspNetCoreOperationSecurityScopeProcessor("bearer"));
Attempting to authorize this way doesn't allow me to consent to the new permission to then use the api call.尝试以这种方式授权不允许我同意新的许可,然后使用 api 呼叫。 As the consent panel won't appear when I complete the Microsoft page login process.因为当我完成 Microsoft 页面登录过程时,同意面板不会出现。
Edited: I have added the api permissions to the Azure Ad and ensured that the redirect urls and user consent is set to "Allow consent for all apps"已编辑:我已将 api 权限添加到 Azure 广告,并确保重定向网址和用户同意设置为“允许所有应用同意”
Try changing the user consent settings尝试更改用户同意设置
Can you follow the tutorial here and ensure you have successfully completed all the steps?您能否遵循此处的教程并确保您已成功完成所有步骤?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.