是否可以使用通过Azure Active Directory 1.0 endpoints 通过客户端凭据OAuth 2流获取的访问令牌来访问Microsoft Graph API?
例如:
POST https://login.microsoftonline.com/{mytenant}.onmicrosoft.com/oauth2/token
grant_type=client_credentials,
client_id={app id registered in azure portal},
client_secret={registered app key},
resource=https://graph.microsoft.com
当我使用从此请求返回的令牌时,尝试调用https://graph.microsoft.com/v1.0/groups时出现以下错误 .
解码JWT
头
{
"typ": "JWT",
"alg": "RS256",
"x5t": "HHByKU-0DqAqMZh6ZFPd2VWaOtg",
"kid": "HHByKU-0DqAqMZh6ZFPd2VWaOtg"
}
有效载荷
{
"aud": "00000002-0000-0000-c000-000000000000",
"iss": "https://sts.windows.net/{tenant id}/",
"iat": 1504804880,
"nbf": 1504804880,
"exp": 1504808780,
"aio": "Y2FgYDiiO8/s3smXRdxLg87zBPRNAwA=",
"appid": "{client id}",
"appidacr": "1",
"idp": "https://sts.windows.net/{tenant id}/",
"oid": "{enterprise app object id}",
"sub": "{enterprise app object id}",
"tenant_region_scope": "NA",
"tid": "{tenant id}",
"uti": "uIzrJNpHcEGXoQ4ZKZgqAA",
"ver": "1.0"
}
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Access token validation failure.",
"innerError": {
"request-id": "3537d28e-a061-4430-aef5-4a75bf791d90",
"date": "2017-09-07T16:38:26"
}
}
}
我确保应用程序具有通过门户网站分配的正确权限 . 在“所需权限”>“应用程序权限”下,选中“读取和写入所有组” .
有什么我想念的或者这不可能吗?
1 回答
在您的JWT令牌中,受众值(
aud
)是错误的 .如果您尝试调用
https://graph.microsoft.com
或其任何API,则需要具有aud
https://graph.microsoft.com
或00000003-0000-0000-c000-000000000000
声明的令牌 .您拥有的令牌适用于AAD Graph API,
https://graph.windows.net
a.k.a.00000002-0000-0000-c000-000000000000
虽然这两种资源在URL和GUID形式中看起来都相似,但它们是完全独立的身份 . 您应该在整个代码中确认在检索访问令牌时指定了正确的资源值 . 上面的小样本意味着你做得对,但令牌表明你不是 .