以下GET请求有效,这表明我的AccessToken有效且我的应用程序具有使用Microsoft Graph API访问用户信息的正确权限:
GET https://graph.microsoft.com/v1.0/users/
Authorization: Bearer <my_access_token>
但是,以下GET请求不起作用并返回错误消息:
GET https://graph.microsoft.com/v1.0/me/
Authorization: Bearer <my_access_token>
{
"error": {
"code": "Request_ResourceNotFound",
"message": "Resource '<my_resource_id>' does not exist or one of its queried reference-property objects are not present.",
"innerError": {
"request-id": "<my_request_id>",
"date": "2018-01-26T06:24:27"
}
}
}
我确定资源(在我的Azure Active Directory B2C实例中创建的“企业应用程序”对象)确实存在,因为我可以在portal.azure.com中找到它,因为第一个GET请求使用相同的资源并成功返回。
我的问题是:为什么我无法访问“我”,但我可以访问用户列表?
上面的两个GET请求都是在我成功验证到我的ASP.NET版本4.71 MVC之后运行的。这可能是我在cookie中保存经过身份验证的用户信息的方式的问题吗?以下是此代码:
public partial class Startup
{
private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
private static string appKey = ConfigurationManager.AppSettings["ida:ClientSecret"];
private static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
private static string tenantId = ConfigurationManager.AppSettings["ida:TenantId"];
private static string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];
public static readonly string Authority = aadInstance + tenantId;
// This is the resource ID of the AAD Graph API. We'll need this to request a token to call the Graph API.
string graphResourceId = "https://graph.windows.net";
public void ConfigureAuth(IAppBuilder app)
{
ApplicationDbContext db = new ApplicationDbContext();
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = Authority,
PostLogoutRedirectUri = postLogoutRedirectUri,
Notifications = new OpenIdConnectAuthenticationNotifications()
{
// If there is a code in the OpenID Connect response, redeem it for an access token and refresh token, and store those away.
AuthorizationCodeReceived = (context) =>
{
var code = context.Code;
ClientCredential credential = new ClientCredential(clientId, appKey);
string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
AuthenticationContext authContext = new AuthenticationContext(Authority, new ADALTokenCache(signedInUserID));
AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(
code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, graphResourceId);
string token = result.AccessToken;
return Task.FromResult(0);
}
}
});
}
}
我做错了什么?谢谢!
答案 0 :(得分:3)
您的资源URI错误。
// This is the resource ID of the AAD Graph API. We'll need this to request a token to call the Graph API.
string graphResourceId = "https://graph.windows.net";
应该是:
string graphResourceId = "https://graph.microsoft.com";
正如评论所说,那是针对AAD Graph API,而不是Microsoft Graph API。
确保您还在应用注册中授予Microsoft Graph API权限。