使用graph.microsoft.com获取错误请求响应,缺少UPN和PUID声明

时间:2015-11-12 16:38:35

标签: php azure office365 azure-active-directory

我们正在尝试使用Office 365 Unified API对graph.microsoft.com发出请求。

身份验证成功,但访问令牌缺少UPN和PUID,这意味着针对https://graph.microsoft.com/beta/me的请求失败。

验证码:

$code = $_GET['code'];
//build the request body
$tokenRequestBody = "grant_type=authorization_code&" .
    "redirect_uri=" . '<redirectURI>' . "&" .
    "client_id=" . '<cliendId>' . "&" .
    "client_secret=" . urlencode('<clientsecret>') . "&" .
    "resource=" . 'https://graph.microsoft.com' . "&" .
    "code=" . $code;


$request = curl_init("https://login.microsoftonline.com/0e06e1f9-24b3-4026-8bd0-2a6c28937df1/oauth2/token");
curl_setopt($request, CURLOPT_POST, 1);
curl_setopt($request, CURLOPT_POSTFIELDS, $tokenRequestBody);
curl_setopt($request, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));

curl_setopt($request, CURLOPT_RETURNTRANSFER, true);

$tokenOutput = curl_exec($request);
$token = json_decode($tokenOutput);

图形请求代码:

    $path = "https://graph.microsoft.com/beta/me";

    //perform a REST query for the user
    $request = curl_init($path);
    curl_setopt($request, CURLOPT_HTTPHEADER, array(
        "Authorization: Bearer ".$token->access_token
    ,
        "Accept: application/json"));

    curl_setopt($request, CURLOPT_RETURNTRANSFER, true);
    $response = curl_exec($request);

解码访问令牌:

{
 typ: "JWT",
 alg: "RS256",
 x5t: "MnC_VZcATfM5pOYiJHMba9goEKY",
 kid: "MnC_VZcATfM5pOYiJHMba9goEKY"
}.
{
 aud: "https://graph.microsoft.com",
 iss: "https://sts.windows.net/0e06e1f9-24b3-4026-8bd0-2a6c28937df1/",
 iat: 1447345801,
 nbf: 1447345801,
 exp: 1447349701,
 acr: "1",
 altsecid: "1:live.com:0003BFFD977FF496",
 amr: [
  "pwd"
 ],
 appid: "<appid>",
 appidacr: "1",
 email: "<emailaddress>",
 family_name: "<familyname>",
 given_name: "<givenname>",
 idp: "live.com",
 ipaddr: "<ipaddress>",
 scp: "Calendars.Read Calendars.ReadWrite Contacts.Read Contacts.ReadWrite Directory.AccessAsUser.All Directory.Read.All Directory.ReadWrite.All Files.Read Files.Read.Selected Files.ReadWrite Files.ReadWrite.Selected Group.Read.All Group.ReadWrite.All Mail.Read Mail.ReadWrite Mail.Send Notes.Create Notes.Read Notes.Read.All Notes.ReadWrite Notes.ReadWrite.All Notes.ReadWrite.CreatedByApp offline_access openid People.Read People.ReadWrite Sites.Read.All Sites.ReadWrite.All User.Read User.Read.All User.ReadBasic.All User.ReadWrite User.ReadWrite.All",
 sub: "5je0Jdv8442iS3rLXa-3a7KWSiKCyBrq9Q0c0d4sbBY",
 tid: "0e06e1f9-24b3-4026-8bd0-2a6c28937df1",
 unique_name: "<uniquename>",
 ver: "1.0"
}.
[signature]

图形请求响应:

{
  "error": {
    "code": "BadRequest",
    "message": "Missing UPN and PUID claims.",
    "innerError": {
      "request-id": "158c62f6-fece-4f64-bbb5-a1e691334daa",
      "date": "2015-11-12T14:09:40"
    }
  }
}

愿意为此提供一些帮助!提前谢谢。

3 个答案:

答案 0 :(得分:1)

以下是您可以检查以进行故障排除的几点:

1,在“AD应用程序”面板中,单击“用户”选项卡以检查用户是否在Azure AD中。

2,请检查从承诺AD或Office 365到Azure AD是否成功同步用户的过程。您可以使用Office 365帐户登录Azure门户,它将首次登录Azure门户时自动添加到Azure AD中。此外,如果您遇到问题或UPN存在冲突,您可能会遇到此错误。

您可以在Powershell中尝试以下脚本,添加您的Application Service Principal并为您的应用程序设置Role:

#-----------------------------------------------------------
# This will add your Application Service Prinicpal to 
# the Company Administrator role
#-----------------------------------------------------------
$msolcred=get-credential
connect-msolservice -credential $msolcred

$ClientIdWebApp = 'Your application client id'
$webApp = Get-MsolServicePrincipal –AppPrincipalId $ClientIdWebApp

#use Add-MsolRoleMember to add it to “Company Administrator” role).
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId 

有关如何使用Azure AD Powershell的详细信息,请参阅Manage Azure AD service principals

此外,您可以参考Deep Dive into the Office 365 Unified API来集成Office 365,并检查第一部分中提到的先决条件。

答案 1 :(得分:0)

看起来您正尝试使用Application Identity进行访问。 应用程序没有Me端点。 此外,您还需要向应用程序添加应用程序权限。

答案 2 :(得分:0)

虽然Microsoft Graph的预览支持使用Microsoft ID进行身份验证,但截至2016年1月,它目前不支持使用altsecid声明通过AAD进行Microsoft身份验证。我们正在努力解决这个问题。