[英]InvalidAuthenticationToken error using msal and graph api from sharepoint
I am using the example msal-react to authenticate and consume sharepoint services using their graph api, create an application on AAD with delegated permissions.我正在使用示例msal-react来验证和使用 sharepoint 服务,使用他们的图 api,在 AAD 上创建一个具有委派权限的应用程序。
I am assigning the scopes "https://mytenant.sharepoint.com/.default" and I get the following error code: "InvalidAuthenticationToken" message: "Access token validation failure. Invalid audience."我正在分配范围“https://mytenant.sharepoint.com/.default” ,我收到以下错误代码:“InvalidAuthenticationToken”消息:“访问令牌验证失败。受众无效。” check the token I get on the JWT.io page检查我在 JWT.io 页面上获得的令牌 . . Thank you very much for your support非常感谢您的支持
You are using the graph API to perform CRUD operations for SharePoint sites, so you should get an access token for the graph API instead of the SharePoint REST API.您正在使用图表 API 对 SharePoint 站点执行 CRUD 操作,因此您应该获得图表 API 的访问令牌,而不是 SharePoint REST API。
So please change your scope
to: https://graph.microsoft.com/.default
.因此,请将您的scope
更改为: https://graph.microsoft.com/.default
。
I tried to reproduce the same in my environment via Postman and got below results:我尝试通过 Postman 在我的环境中重现相同内容,并得到以下结果:
I registered one SPA application and added SharePoint API permissions like below:我注册了一个 SPA 应用程序并添加了 SharePoint API 权限,如下所示:
I generated access token via Postman with below parameters:我使用以下参数通过 Postman 生成了访问令牌:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id:appID
grant_type:authorization_code
scope: https://mytenant.sharepoint.com/.default
code:code
redirect_uri: https://jwt.ms
code_verifier:S256
Response:回复:
When I decoded the token, it has SharePoint
as audience and scp
claim as below:当我解码令牌时,它有SharePoint
作为观众和scp
声明如下:
I got the same error as you when I used above token to call SharePoint from below graph API call:当我使用上面的令牌从下面的图 API 调用 SharePoint 调用时,我遇到了与您相同的错误:
GET https://graph.microsoft.com/v1.0/sites/<siteID>/lists
Response:回复:
To resolve the error, assign Microsoft Graph API permissions for SharePoint like below:要解决该错误,请为 SharePoint 分配Microsoft Graph API权限,如下所示:
Now, generate the access token again by changing the scope to https://graph.microsoft.com/.default
as suggested by @Carl Zhao like below:现在,按照@Carl Zhao的建议,通过将 scope 更改为https://graph.microsoft.com/.default
再次生成访问令牌,如下所示:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id:appID
grant_type:authorization_code
scope: https://graph.microsoft.com/.default
code:code
redirect_uri: https://jwt.ms
code_verifier:S256
Response:回复:
When I decoded the above token, I got Microsoft Graph as audience and scp
claims are as below:当我解码上面的令牌时,我得到了Microsoft Graph作为观众和scp
声明如下:
When I used above token to call SharePoint site lists from below graph API call, I got the results successfully like below:当我使用上面的令牌从下图中的 API 调用调用SharePoint 站点列表时,我成功地得到了如下结果:
GET https://graph.microsoft.com/v1.0/sites/<siteID>/lists
Response:回复:
Note that, your token audience should be https://graph.microsoft.com while making graph calls and scp
claim should contain Microsoft graph permissions.请注意,您的令牌受众应为https://graph.microsoft.com ,同时进行图形调用和scp
声明应包含Microsoft 图形权限。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.