我们正在尝试使用Office 365 Unified API对graph.microsoft.com发出请求。
身份验证成功,但访问令牌缺少UPN和PUID,这意味着针对https://graph.microsoft.com/beta/me的请求失败。
验证码:
$code = $_GET['code'];
//build the request body
$tokenRequestBody = "grant_type=authorization_code&" .
"redirect_uri=" . '<redirectURI>' . "&" .
"client_id=" . '<cliendId>' . "&" .
"client_secret=" . urlencode('<clientsecret>') . "&" .
"resource=" . 'https://graph.microsoft.com' . "&" .
"code=" . $code;
$request = curl_init("https://login.microsoftonline.com/0e06e1f9-24b3-4026-8bd0-2a6c28937df1/oauth2/token");
curl_setopt($request, CURLOPT_POST, 1);
curl_setopt($request, CURLOPT_POSTFIELDS, $tokenRequestBody);
curl_setopt($request, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
curl_setopt($request, CURLOPT_RETURNTRANSFER, true);
$tokenOutput = curl_exec($request);
$token = json_decode($tokenOutput);
图形请求代码:
$path = "https://graph.microsoft.com/beta/me";
//perform a REST query for the user
$request = curl_init($path);
curl_setopt($request, CURLOPT_HTTPHEADER, array(
"Authorization: Bearer ".$token->access_token
,
"Accept: application/json"));
curl_setopt($request, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($request);
解码访问令牌:
{
typ: "JWT",
alg: "RS256",
x5t: "MnC_VZcATfM5pOYiJHMba9goEKY",
kid: "MnC_VZcATfM5pOYiJHMba9goEKY"
}.
{
aud: "https://graph.microsoft.com",
iss: "https://sts.windows.net/0e06e1f9-24b3-4026-8bd0-2a6c28937df1/",
iat: 1447345801,
nbf: 1447345801,
exp: 1447349701,
acr: "1",
altsecid: "1:live.com:0003BFFD977FF496",
amr: [
"pwd"
],
appid: "<appid>",
appidacr: "1",
email: "<emailaddress>",
family_name: "<familyname>",
given_name: "<givenname>",
idp: "live.com",
ipaddr: "<ipaddress>",
scp: "Calendars.Read Calendars.ReadWrite Contacts.Read Contacts.ReadWrite Directory.AccessAsUser.All Directory.Read.All Directory.ReadWrite.All Files.Read Files.Read.Selected Files.ReadWrite Files.ReadWrite.Selected Group.Read.All Group.ReadWrite.All Mail.Read Mail.ReadWrite Mail.Send Notes.Create Notes.Read Notes.Read.All Notes.ReadWrite Notes.ReadWrite.All Notes.ReadWrite.CreatedByApp offline_access openid People.Read People.ReadWrite Sites.Read.All Sites.ReadWrite.All User.Read User.Read.All User.ReadBasic.All User.ReadWrite User.ReadWrite.All",
sub: "5je0Jdv8442iS3rLXa-3a7KWSiKCyBrq9Q0c0d4sbBY",
tid: "0e06e1f9-24b3-4026-8bd0-2a6c28937df1",
unique_name: "<uniquename>",
ver: "1.0"
}.
[signature]
图形请求响应:
{
"error": {
"code": "BadRequest",
"message": "Missing UPN and PUID claims.",
"innerError": {
"request-id": "158c62f6-fece-4f64-bbb5-a1e691334daa",
"date": "2015-11-12T14:09:40"
}
}
}
愿意为此提供一些帮助!提前谢谢。
答案 0 :(得分:1)
以下是您可以检查以进行故障排除的几点:
1,在“AD应用程序”面板中,单击“用户”选项卡以检查用户是否在Azure AD中。
2,请检查从承诺AD或Office 365到Azure AD是否成功同步用户的过程。您可以使用Office 365帐户登录Azure门户,它将首次登录Azure门户时自动添加到Azure AD中。此外,如果您遇到问题或UPN存在冲突,您可能会遇到此错误。
您可以在Powershell中尝试以下脚本,添加您的Application Service Principal并为您的应用程序设置Role:
#-----------------------------------------------------------
# This will add your Application Service Prinicpal to
# the Company Administrator role
#-----------------------------------------------------------
$msolcred=get-credential
connect-msolservice -credential $msolcred
$ClientIdWebApp = 'Your application client id'
$webApp = Get-MsolServicePrincipal –AppPrincipalId $ClientIdWebApp
#use Add-MsolRoleMember to add it to “Company Administrator” role).
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId
有关如何使用Azure AD Powershell的详细信息,请参阅Manage Azure AD service principals。
此外,您可以参考Deep Dive into the Office 365 Unified API来集成Office 365,并检查第一部分中提到的先决条件。
答案 1 :(得分:0)
看起来您正尝试使用Application Identity进行访问。 应用程序没有Me端点。 此外,您还需要向应用程序添加应用程序权限。
答案 2 :(得分:0)
虽然Microsoft Graph的预览支持使用Microsoft ID进行身份验证,但截至2016年1月,它目前不支持使用altsecid声明通过AAD进行Microsoft身份验证。我们正在努力解决这个问题。