堆栈内存溢出
  简体   繁体   English

从 ASP.Net Core 调用 Microsoft Graph 时缺少必需的范围 Web Api

[英]Missing Scopes Required when calling Microsoft Graph from ASP .Net Core Web Api

 原文  2022-03-11 04:06:55       .net-core/ azure-active-directory/ microsoft-graph-api/ openid-connect/ msal

问题描述

I have setup a web api to call from Microsoft Graph using a username/password credential passed to it via a vuejs client application.我已经设置了一个 web api 来使用通过 vuejs 客户端应用程序传递给它的用户名/密码凭据从 Microsoft Graph 调用。 As I tried to extend it out and add new permissions (namely Team.ReadBasic.All).当我尝试扩展它并添加新权限(即 Team.ReadBasic.All)时。 I get a:我得到一个:

Missing scope permissions on the request. API requires one of 'Team.ReadBasic.All, TeamSettings.Read.All, TeamSettings.ReadWrite.All, User.Read.All, Directory.Read.All, User.ReadWrite.All, Directory.ReadWrite.All'. Scopes on the request 'AllSites.Read, openid, profile, Tasks.ReadWrite, User.Read, User.ReadBasic.All, email'

However I have updated my Azure Ad Application with the correct API Permissions (Delegated Team.ReadBasic.All) and I have added the scope like so但是,我已经使用正确的 API 权限(Delegated Team.ReadBasic.All)更新了我的 Azure 广告应用程序,并且像这样添加了 scope

appsettings.json应用程序设置.json

  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "mydomain",
    "TenantId": "mytenantId",
    "ClientId": "myclientId",
    "ClientSecret": "myclientsecret",
    "Scopes": "User.Read,Tasks.ReadWrite,Team.ReadBasic.All",
    "CallbackPath": "/signin-oidc"
  },
  "DownstreamApi": {
    "BaseUrl": "https://graph.microsoft.com/v1.0",
    "Scopes": "User.Read,Tasks.ReadWrite,Team.ReadBasic.All"

With my startup using middleware to test the api.我的启动使用中间件来测试 api。

services.AddAuthentication(sharedOptions =>
            {
                sharedOptions.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
            }).AddJwtBearer(options =>
            {
                Configuration.Bind("AzureAd", options);
                options.Authority = $"{Configuration["AzureAd:Instance"]}{Configuration["AzureAd:TenantId"]}/v2.0";
                options.TokenValidationParameters.ValidAudiences = new string[] { Configuration["AzureAd:ClientId"], $"api://{Configuration["AzureAd:ClientId"]}" };
            });

var userPassCodeCredentail = new UsernamePasswordCredential("", "", Configuration["AzureAd:TenantId"], Configuration["AzureAd:ClientId"]);
services.AddSingleton(_ => new GraphServiceClient(userPassCodeCredentail, Configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(',')));
AddSwagger(services);

With Add Swagger Being随着添加 Swagger 被

services.AddOpenApiDocument(document =>
            {
                document.AddSecurity("bearer", Enumerable.Empty<string>(), new NSwag.OpenApiSecurityScheme
                {
                    Type = OpenApiSecuritySchemeType.OAuth2,
                    Description = "Azure AAD Authentication",
                    Flow = OpenApiOAuth2Flow.Implicit,
                    Flows = new NSwag.OpenApiOAuthFlows()
                    {
                        Implicit = new OpenApiOAuthFlow()
                        {
                            Scopes = new Dictionary<string, string>
                            {
                                { $"api://{Configuration["AzureAd:ClientId"]}/user_impersonation", "Access Application" },
                                { $"api://{Configuration["AzureAd:ClientId"]}/Team.ReadBasic.All", "Access Team" },
                            },
                            AuthorizationUrl = $"{Configuration["AzureAd:Instance"]}{Configuration["AzureAd:TenantId"]}/oauth2/v2.0/authorize",
                            TokenUrl = $"{Configuration["AzureAd:Instance"]}{Configuration["AzureAd:TenantId"]}/oauth2/v2.0/token",
                        },  
                    },
                });
                document.OperationProcessors.Add(new AspNetCoreOperationSecurityScopeProcessor("bearer"));

Attempting to authorize this way doesn't allow me to consent to the new permission to then use the api call.尝试以这种方式授权不允许我同意新的许可,然后使用 api 呼叫。 As the consent panel won't appear when I complete the Microsoft page login process.因为当我完成 Microsoft 页面登录过程时,同意面板不会出现。

Edited: I have added the api permissions to the Azure Ad and ensured that the redirect urls and user consent is set to "Allow consent for all apps"已编辑:我已将 api 权限添加到 Azure 广告,并确保重定向网址和用户同意设置为“允许所有应用同意” 在此处输入图像描述

2 个解决方案

解决方案1
 0  2022-03-14 07:57:42

Try changing the user consent settings尝试更改用户同意设置

  • Go to Azure Active Directory and then Enterprise applications from their consent and permissions now select User Consent settings Go 到Azure Active Directory ,然后是企业应用程序,现在来自他们的同意和权限select用户同意设置
  • Under User consent for applications choose the consent settings you want to provide to user在应用程序的用户同意下,选择您要提供给用户的同意设置在此处输入图像描述

解决方案2
 0  2022-03-14 11:28:36

Can you follow the tutorial here and ensure you have successfully completed all the steps?您能否遵循此处的教程并确保您已成功完成所有步骤?

Add Azure AD authentication 添加Azure AD认证

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Azure 从 API 调用 Microsoft Graph 时 AD B2C 重置密码选项 - Azure AD B2C reset password options when calling Microsoft Graph from an API 尝试通过调用 Microsoft Graph API - /applications 将 Azure 虚拟桌面 RBAC 中定义的委派权限范围添加到 AAD 应用程序注册 - Trying to add delegated permission scopes defined in Azure Virtual Desktop RBAC to AAD App registration by calling Microsoft Graph API - /applications 无法从逻辑应用执行 HTTP 后操作到 Asp.net 核心 Web API - Can't perform HTTP Post Action from Logic App to Asp.net Core Web API .Net Core Api:无效 session:Microsoft Graph API 工作簿 Session 已暂停 - .Net Core Api: Invalid session: Microsoft Graph API Workbook Session Paused 从 ASP.NET Core Web API Endpoint 上传大文件到 Amazon S3 - Upload a large file to Amazon S3 from ASP.NET Core Web API Endpoint Asp.net 核心 Web API 使用 Dapper 执行 Postgres function 引发“读取超时”和“读取流时异常” - Asp.net Core Web API use Dapper to Execute Postgres function raise "Timeout during reading" and "Exception while reading from stream" 如何读取Service Fabric Azure App Configuration ASP.NET Core Stateless Web API? - How to read the Azure App Configuration in Service Fabric ASP.NET Core Stateless Web API? 如何在没有用户登录的情况下检索 .NET Core Web API 的 MS Graph 访问令牌 - How to retrieve an MS Graph access token for a .NET Core Web API without user sign in asp.net 核心 web api (.net 6) 使用 startup.cs 而不是 program.cs 创建项目 - asp.net core web api (.net 6) created project with startup.cs instead of program.cs ASP.NET 核心 6 Web API 与 firebase 身份验证和反应前端承载身份验证失败 - ASP.NET Core 6 Web API with firebase auth and react front end bearer auth fails
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM