see*_*uit 13 azure-active-directory office-js microsoft-graph-api
我正在创建一个加载项,我将使用组织许可来销售该加载项。
我已经在加载项上实施了身份验证方案。我目前正在要求User.Read使用 Azure v2 端点进行可靠身份验证的范围。为了获取我正在查询的用户信息
https://graph.microsoft.com/v1.0/me
为了正确测试用户的许可证,我需要提取用户的组织标识。但是,我从 Grah 请求中收到的用户信息极其精简。对于 AAD 帐户,架构类似于:
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
businessPhones: [],
displayName: "FirstName LastName",
givenName: "FirstName",
id: "unique-id",
jobTitle: null,
mail: "First.LastName@COMPANYDOMAIN.COM",
mobilePhone: null,
officeLocation: null,
preferredLanguage: null,
surname: "LastName",
userPrincipalName: "FILastName@COMPANYDOMAIN.COM"
}
如果我使用
https://graph.microsoft.com/BETA/me
我获得了更多信息,但没有任何信息可以帮助我确定用户组织的唯一 ID。
是否需要使用不同的范围来获取用户组织的信息?如果没有,我可以依靠解析用户电子邮件中的域名作为用户组织的唯一 ID 吗?我需要查询不同的 API 吗?
如果有帮助,在用户使用 AD 进行身份验证后,我会收到以下响应:
{
access_token: "eyJ0eXAiOiJKV1QiLCJub25jZSI6IkFRQUJBQUFBQUFEWDhHQ2k2SnM2U0s4MlRzRDJQYjdyN1VLTzdJSDJSLWpTcmpScU9..."
expires_at: Fri May 18 2018 07: 18: 42 GMT - 0400(Eastern Daylight Time) {}
expires_in: "3599"
provider: "Microsoft"
scope: "https://graph.microsoft.com/User.Read"
session_state: "012f4565-31bb-..."
state: "259309..."
token_type: "Bearer"
}
https://graph.microsoft.com/BETA/me{
@odata.context: "https://graph.microsoft.com/beta/$metadata#users/$entity",
accountEnabled: true,
ageGroup: null,
assignedLicenses: [],
assignedPlans: [],
businessPhones: [],
city: null,
companyName: null,
consentProvidedForMinor: null,
country: null,
deletedDateTime: null,
department: null,
deviceKeys: [],
displayName: "FirstName LastName",
employeeId: null,
givenName: "FirstName",
id: "ebdcf715-43c5-4f48-ad0d-b798a3330849",
imAddresses: [],
jobTitle: null,
legalAgeGroupClassification: null,
mail: "FirstName.LastName@COMPANYDOMAIN.COM",
mailNickname: "FirstName.LastName",
mobilePhone: null,
officeLocation: null,
onPremisesDomainName: "COMPANYDOMAIN.COM",
onPremisesExtensionAttributes: {
…
},
onPremisesImmutableId: "...RVWAty...",
onPremisesLastSyncDateTime: "2018-05-10T18:13:45Z",
onPremisesProvisioningErrors: [],
onPremisesSamAccountName: "FILastName",
onPremisesSecurityIdentifier: "...-21-1412366426-...",
onPremisesSyncEnabled: true,
onPremisesUserPrincipalName: "FILastName@COMPANYDOMAIN.COM",
passwordPolicies: "DisablePasswordExpiration",
passwordProfile: null,
postalCode: null,
preferredDataLocation: null,
preferredLanguage: null,
provisionedPlans: [],
proxyAddresses: [],
refreshTokensValidFromDateTime: "2018-05-10T17:54:45Z",
showInAddressList: null,
state: null,
streetAddress: null,
surname: "LastName",
usageLocation: "US",
userPrincipalName: "FILastName@COMPANYDOMAIN.COM",
userType: "Member"
}
access_token使用 jwt.ms解码{
"typ": "",
"nonce": "",
"alg": "",
"x5t": "",
"kid": "iBjL1Rcqzhiy4fpxIxdZqohM2Yk"
}.{
"aud": "",
"iss": "",
"iat": "",
"nbf": "",
"exp": "",
"acr": "",
"aio": "",
"amr": [
"pwd"
],
"app_displayname": "",
"appid": "",
"appidacr": "",
"family_name": "",
"given_name": "",
"ipaddr": "",
"name": "",
"oid": "",
"onprem_sid": "",
"platf": "",
"puid": "",
"scp": "",
"sub": "",
"tid": "",
"unique_name": "",
"upn": "",
"uti": "",
"ver": "1.0"
}.[Signature]
Alo*_*atz 10
这似乎有效
GET https://graph.microsoft.com/v1.0/organization
id 属性是租户 ID
小智 9
现在这可能不是直接使用图形 API ,而是使获取组织的租户 ID 变得非常简单。只需对“ https://login.microsoftonline.com/ {yourdomainname}/.well-known/openid-configuration”执行 GET 操作。返回的结构将具有租户 ID。例如,在您的浏览器中试试这个 url:https://login.microsoftonline.com/microsoft.com/.well-known/openid-configuration。
如果没有其他方法,您可以解码访问令牌并获得tid声明。这是 Azure AD 租户的 ID。
您可以从这里找到令牌声明的文档:https : //docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-token-and-claims
例如,这是它所说的tid:
一个不可变的、不可重用的标识符,用于标识发出令牌的目录租户。您可以使用此值在多租户应用程序中访问特定于租户的目录资源。例如,您可以使用此值来标识对图形 API 的调用中的租户。
| 归档时间: |
|
| 查看次数: |
9221 次 |
| 最近记录: |