sta*_*tto 5 azure-active-directory microsoft-graph
I'm trying to make a basic call to Microsoft Graph.
https://graph.microsoft.com/v1.0/me/
I have done this through the C# SDK and directly using REST, and with both calls I get the following error
Message = "Resource 'f9d58168-4b3e-4948-9133-6c978d1ab18a' does not exist or one of its queried reference-property objects are not present."
The full error message returned in the error response content stream
{
    "error": {
        "code": "Request_ResourceNotFound",
        "message": "Resource 'f9d58168-4b3e-4948-9133-6c978d1ab18a' does not exist or one of its queried reference-property objects are not present.",
        "innerError": {
            "request-id": "80af6aec-5052-49ab-890c-273fea5c65ba",
            "date": "2017-07-31T06:08:37"
        }
    }
}
The GUID can be different.
When I do this via Graph Explorer it works fine.
This is the code I use to get the application credentials
private ClientCredential GetCredentials()
{
    // Confidential-client credentials (client id + secret) read from configuration.
    return new ClientCredential(_azureAdOptions.ClientId, _azureAdOptions.ClientSecret);
}

private AuthenticationContext GetContext(string userObjectId)
{
    // Tenant-specific authority, e.g. {AadInstance}{Tenant}, with a per-user token cache.
    return new AuthenticationContext($"{_azureAdOptions.AadInstance}{_azureAdOptions.Tenant}", GetTokenCache(userObjectId));
}

private DistributedTokenCache GetTokenCache(string userObjectId)
{
    // Token cache keyed by the user's object id and backed by IDistributedCache.
    return new DistributedTokenCache(userObjectId, _azureAdOptions.ClientId, _distributedCache, _loggerFactory);
}

public async Task<AuthenticationResult> GetToken(string userObjectId, string resourceId)
{
    AuthenticationResult result;
    var authContext = GetContext(userObjectId);
    var credential = GetCredentials();
    try
    {
        // Try to get a token for this specific user from the cache first; throws if none is cached.
        result = await authContext.AcquireTokenSilentAsync(resourceId, credential, new UserIdentifier(userObjectId, UserIdentifierType.UniqueId));
    }
    catch (AdalSilentTokenAcquisitionException)
    {
        // Fallback: client-credentials flow. This token is issued to the application itself, not to the user.
        result = await authContext.AcquireTokenAsync(resourceId, credential);
    }
    return result;
}
I have debugged the code and it is authenticating and getting the token OK.
I have copied and pasted the request URL from my application into Graph Explorer and it works fine.
Permissions are set up through Azure and are the same as the permissions set for Graph Explorer.
This is the configuration I use in StartUp to set up OpenId
var openIdConnectOptions = new OpenIdConnectOptions
{
    ClientId = azureAdOptions.ClientId,
    Scope =
    {
        "openid",
        "email",
        "profile",
        "offline_access",
        "User.Read",
        "user_impersonation"
    },
    Authority = $"{azureAdOptions.AadInstance}{azureAdOptions.Tenant}",
    SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme,
    AuthenticationScheme = OpenIdConnectDefaults.AuthenticationScheme,
    PostLogoutRedirectUri = azureAdOptions.PostLogoutRedirectUri,
    ResponseType = OpenIdConnectResponseType.CodeIdToken,
    UseTokenLifetime = true,
    GetClaimsFromUserInfoEndpoint = false,
    Events = new OpenIdConnectEvents
    {
        OnRedirectToIdentityProvider = OnRedirectToIdentityProvider,
        OnRemoteFailure = OnAuthenticationFailed,
        OnAuthorizationCodeReceived = OnAuthorizationCodeReceived,
        OnUserInformationReceived = OnUserInformationReceived
    }
};
I use this code in another application that calls Microsoft Graph without any problem.
Update
I was able to get the user ID from the claims principal (http://schemas.microsoft.com/identity/claims/objectidentifier) and then used that ID to call https://graph.microsoft.com/v1.0/users('') and got the same error. The GUID in the error message is the user's GUID from the claims principal.
So why is the user ID in the claims principal not being set correctly?
Further update
It seems the object identifier set in the claims principal is different from the object identifier in Azure Active Directory.
Hardcoding the object identifier into the users endpoint works.
Further update
This seems to be related to the access token returned. After decoding the token I can see that the object ID is the ID of the registered application, and that is the ID used when calling 'Me' in Office Graph. Shouldn't the OID of the returned token be the user's? The application has User.Read in Active Directory.
AcquireTokenSilentAsync returns the error
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalSilentTokenAcquisitionException:
at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenSilentHandler.SendTokenRequestAsync (Microsoft.IdentityModel.Clients.ActiveDirectory, Version=3.14.1.10, Culture=neutral, PublicKeyToken=31bf3856ad364e35: c:\workspace\azure-activedirectory-library-for-dotnet-v3-master-VS2017\src\ADAL.PCL\Flows\AcquireTokenSilentHandler.cs: 61)
at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase+<RunAsync>d__55.MoveNext (Microsoft.IdentityModel.Clients.ActiveDirectory, Version=3.14.1.10, Culture=neutral, PublicKeyToken=31bf3856ad364e35: c:\workspace\azure-activedirectory-library-for-dotnet-v3-master-VS2017\src\ADAL.PCL\Flows\AcquireTokenHandlerBase.cs: 198)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext+<AcquireTokenSilentCommonAsync>d__55.MoveNext (Microsoft.IdentityModel.Clients.ActiveDirectory, Version=3.14.1.10, Culture=neutral, PublicKeyToken=31bf3856ad364e35: c:\workspace\azure-activedirectory-library-for-dotnet-v3-master-VS2017\src\ADAL.PCL\AuthenticationContext.cs: 618)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext+<AcquireTokenSilentAsync>d__41.MoveNext (Microsoft.IdentityModel.Clients.ActiveDirectory, Version=3.14.1.10, Culture=neutral, PublicKeyToken=31bf3856ad364e35: c:\workspace\azure-activedirectory-library-for-dotnet-v3-master-VS2017\src\ADAL.PCL\AuthenticationContext.cs: 415)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at InSite.Security.AuthenticationService+<GetToken>d__5.MoveNext (InSite.Security, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null: C:\Users\TobyStatham\Documents\Visual Studio 2017\Projects\InSite\InSite.Security\AuthenticationService.cs: 47)
In Graph, the /me/ endpoint is an alias for the currently signed-in user (based on the token). To check this, you can decode the JWT and see whether there is any user information associated with the token. An application without a user will not be able to query /me/ and should instead specify the user ID of the user of interest (/users/user id).
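The check the answer describes (and the one the asker did by hand in the last update) can be scripted: decode the JWT payload and look at which claims it carries. The following is an added example, not code from the question or the answer. It assumes the usual Azure AD access-token claims: a delegated (user + app) token carries `scp` and a user claim such as `upn` or `preferred_username`, while an app-only token from the client-credentials flow has no `scp` and its `oid` is the application's own service principal, which is why `/me` cannot resolve. The two sample tokens are constructed, unsigned, and use placeholder ids; the decoder does not verify signatures and is an inspection aid only.

```python
import base64
import json
from typing import Any, Dict, Optional


def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode a JWT segment, restoring the padding the JWT format strips."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> Dict[str, Any]:
    """Return the payload claims of a compact JWT without verifying the signature.
    Inspection only: nothing here proves the token is genuine or unexpired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def classify_graph_token(claims: Dict[str, Any]) -> Dict[str, Optional[str]]:
    """Decide whether an Azure AD access token carries a signed-in user.

    Delegated tokens carry 'scp' (granted scopes) plus user claims such as
    'upn' or 'preferred_username'. App-only (client-credentials) tokens have
    no 'scp'; their 'oid' identifies the application's service principal, so
    a call to /me has no user to resolve to.
    """
    kind = "delegated" if "scp" in claims else "app-only"
    user = claims.get("upn") or claims.get("preferred_username") or claims.get("unique_name")
    return {
        "kind": kind,
        "oid": claims.get("oid"),
        "appid": claims.get("appid"),
        "user": user,
        "scopes": claims.get("scp"),
        "can_call_me": "yes" if kind == "delegated" else "no",
    }


def _make_unsigned_token(payload: Dict[str, Any]) -> str:
    """Build a constructed, unsigned JWT (alg 'none', empty signature) for the demo."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


# Constructed sample tokens; all ids are placeholders, not real tenant data.
APP_CLIENT_ID = "00000000-0000-0000-0000-00000000aaaa"
APP_ONLY_TOKEN = _make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "appid": APP_CLIENT_ID,
    "oid": "11111111-1111-1111-1111-111111111111",  # service principal, not a user
    "roles": ["User.Read.All"],                     # application permissions
})
DELEGATED_TOKEN = _make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "appid": APP_CLIENT_ID,
    "oid": "22222222-2222-2222-2222-222222222222",  # the signed-in user
    "upn": "alice@example.test",
    "scp": "User.Read offline_access",              # delegated scopes
})


def inspect(token: str) -> Dict[str, Optional[str]]:
    """Decode and classify a token in one step."""
    return classify_graph_token(decode_jwt_claims(token))


if __name__ == "__main__":
    for name, tok in (("app-only", APP_ONLY_TOKEN), ("delegated", DELEGATED_TOKEN)):
        print(name, inspect(tok))
```

Run against a real access token, `inspect` reports `kind == "app-only"` and `can_call_me == "no"` for a token obtained with `AcquireTokenAsync(resource, clientCredential)`, which matches the symptom in the question: the `oid` is the application's object id, so `/me` returns `Request_ResourceNotFound`. A token that came from the user's sign-in (authorization code exchange, then `AcquireTokenSilentAsync` for that user) shows `scp` and the user's `upn`.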