使用委托权限调用 MS Graph 不起作用,而应用程序权限可以
[英]Calling MS Graph with delegated privileges doesn't work while application privileges do
问题描述
I try to get a user's custom attribute using a graph api call:
我尝试使用图形 api 调用获取用户的自定义属性:
I have setup an app registration with User.ReadWrite.All Delegated privileges as stated in the documentation and Granted admin privileges :我已经使用User.ReadWrite.All Delegated 权限设置了一个应用程序注册,如文档和授予的管理员权限中所述:
Using python, I can fetch a token using my app registration secret:使用 python,我可以使用我的应用程序注册密码获取令牌:
def retrieve_token(endpoint, client_id, client_secret):
# endpoint = "https://login.microsoftonline.com/<tenant-id>/oauth2/token"
payload = {
"grant_type":"client_credentials",
"client_id": client_id,
"client_secret": client_secret,
"resource":"https://graph.microsoft.com"
}
r = requests.request("POST", endpoint,data=payload).json()["access_token"]
return r # returns a valid jwt token
Using that token I then call a function to get my user's attributes:然后我使用该令牌调用 function 来获取用户的属性:
def get_user_role(endpoint,user_uid, token):
# endpoint = "https://graph.microsoft.com/v1.0/users/"
url = endpoint + user_uid
headers = {
"Authorization": "Bearer " + token,
"Content-Type": "application/json"
}
return requests.request("GET", url, headers=headers).json()
For some reason, it lacks of privileges:由于某种原因,它缺乏特权:
{'error': {'code': 'Authorization_RequestDenied', 'message': 'Insufficient privileges to complete the operation.', 'innerError': {'date': '2022-03-29T16:11:38', 'request-id': 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx', 'client-request-id': 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx'}}}
If I go back to my api's permissions and change the User.ReadWrite.All from Delegated permissions to Application permissions it works.如果我 go 回到我的 api 的权限并将User.ReadWrite.All从委派权限更改为应用程序权限,它就可以工作。
From what I read in this scenario I should use Delegated permission but how to get that to work?根据我在这种情况下阅读的内容,我应该使用委托权限,但如何让它发挥作用?
1 个解决方案
解决方案1
3 已采纳 2022-03-30 10:22:32
If you are using the client credentials follow (Authenticating using Client ID and Client Secret) so you should require to Application permissions to get token and call a function to get my user's attributes.如果您使用的是client credentials follow (使用客户端 ID 和客户端密码进行身份验证),因此您应该需要Application permissions来获取令牌并调用 function 来获取我的用户属性。 So it won't Possible to calling an API with Client Crendetial Token using delegated permissions.因此,不可能使用委托权限调用带有客户端 Crendetial 令牌的 API。
As junnas stated in comment is correct You typically use delegated permissions when you want to call the Web API as the logged on user.
正如junnas在评论中所述是正确的当您想以登录用户身份调用 Web API 时,您通常会使用委派权限。Application Permissions: Your application needs to access the web API directly as itself (no user context).
应用程序权限:您的应用程序需要直接访问 web API(无用户上下文)。
So you should change the way to get the access token use eg authorization code flow or device code flow to get an access token as a signed in user因此,您应该更改获取访问令牌的方式,例如使用授权代码流或设备代码流以登录用户身份获取访问令牌
You can refer this Document can help Desktop app that calls web APIs: Acquire a token using Username and Password您可以参考此文档可以帮助调用 web API 的桌面应用程序:使用用户名和密码获取令牌
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.