我必须代表用户注册azure应用程序。我使用Azure Graph API执行以下操作:
之后我成功获取了所创建应用(app)的 access_token。但遗憾的是,当我尝试使用该令牌访问 O365 资源时,返回了 401 Unauthorized,并且响应中没有任何 JSON 格式的错误信息!
HTTP/1.1 401 Unauthorized
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 0
Expires: -1
Server: Microsoft-IIS/8.5
Server: Microsoft-IIS/8.5
WWW-Authenticate: Bearer
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-Powered-By: ASP.NET
Date: Thu, 10 Dec 2015 11:58:59 GMT ……就是这样!
接下来我去了 Azure 门户——一切正常。经过几次实验后,我注意到只要通过门户进行任何更改(哪怕是无关紧要的改动),access_token 就会变为有效。
所以我用 JWT 解码器比较了两个令牌,发现更改前的令牌中没有包含 Scopes:
picture - token BEFORE changes in portal
picture - token AFTER changes in portal
此外,我注意到OAuth2PermissionGrant实体在更改后被覆盖。
我使用了以下网络资源和库:
下面附上以编程方式创建应用的代码。如有需要,我也可以附上 Fiddler 日志和其他信息。
// Provisions an Azure AD application, its service principal and an
// OAuth2PermissionGrant through the Graph client library, then returns the
// client credential (AppId + secret) the caller can use to request tokens.
// NOTE(review): this is a method body; its signature (and therefore the
// declared return type and async-ness) is not shown here.
ActiveDirectoryClient activeDirectoryClient;
// The application password is a hard-coded string literal (redacted here).
// It is both registered on the application (PasswordCredentials below) and
// handed back to the caller inside the returned ClientCredential.
string clientSecret = "...hidden...";
string name = "O365 auto created client"; // never read; DisplayName is set from a separate literal below
try
{
    activeDirectoryClient = AuthenticationHelper.GetActiveDirectoryClientAsUser();
    var appObject = new Application
    {
        DisplayName = "O365 auto created client",
        Homepage = "https://sign",
        LogoutUrl = "http://logout1.net" // plain http, unlike the other URLs in this block
    };
    // A fresh GUID keeps the identifier URI unique per run.
    appObject.IdentifierUris.Add("https://localhost/demo/" + Guid.NewGuid());
    appObject.ReplyUrls.Add("https://localhost/demo");
    // Permissions requested from the Office 365 management resource; each
    // entry names one permission id defined on that resource.
    var officeAccess = new RequiredResourceAccess
    {
        ResourceAppId = "c5393580-f805-4401-95e8-94b7a6ef2fc2", // OfficeManagePlatform
        ResourceAccess = new List<ResourceAccess>
        {
            new ResourceAccess
            {
                Id = new Guid("825c9d21-ba03-4e97-8007-83f020ff8c0f"),
                // NOTE(review): Type carries both "Role" and "Scope" in one
                // comma-separated value; confirm the Graph API accepts this
                // form rather than a single value per entry ("Scope" for
                // delegated, "Role" for application permissions).
                Type = "Role,Scope"
            },
            new ResourceAccess
            {
                Id = new Guid("e2cea78f-e743-4d8f-a16a-75b629a038ae"),
                Type = "Role,Scope" // same combined value as above
            },
            new ResourceAccess
            {
                Id = new Guid("594c1fb6-4f81-4475-ae41-0c394909246c"),
                Type = "Role,Scope" // same combined value as above
            }
        }
    };
    appObject.RequiredResourceAccess.Add(officeAccess);
    // The secret is valid for one year from now (UTC); KeyId and
    // CustomKeyIdentifier are left unset for the service to assign.
    var passCreds = new PasswordCredential
    {
        StartDate = DateTime.UtcNow,
        EndDate = DateTime.UtcNow.AddYears(1),
        Value = clientSecret,
        KeyId = null,
        CustomKeyIdentifier = null
    };
    appObject.PasswordCredentials.Add(passCreds);
    try
    {
        await activeDirectoryClient.Applications.AddApplicationAsync(appObject);
    }
    catch (Exception e)
    {
        // Failure is only logged; execution continues with appObject in
        // whatever state it was left (AppId presumably unset in that case).
        Console.WriteLine("Application Creation exception: {0} {1}", e.Message,
            e.InnerException != null ? e.InnerException.Message : "");
    }
    ServicePrincipal newServicePrincpal = new ServicePrincipal();
    // appObject is constructed above and cannot be null here; the effective
    // guard is AppId != null, which presumably reflects whether the add call
    // succeeded — TODO confirm the client populates AppId in place.
    if (appObject!= null && appObject.AppId != null)
    {
        newServicePrincpal.DisplayName = appObject.DisplayName;
        newServicePrincpal.AccountEnabled = true;
        newServicePrincpal.AppId = appObject.AppId;
        newServicePrincpal.Tags.Add("WindowsAzureActiveDirectoryIntegratedApp");
        try
        {
            // Blocking .Wait() on an async call inside a body that already
            // uses await (AddApplicationAsync above); awaiting it instead
            // avoids a possible deadlock under a synchronization context and
            // the AggregateException wrapping that .Wait() produces.
            activeDirectoryClient.ServicePrincipals.AddServicePrincipalAsync(newServicePrincpal).Wait();
            Console.WriteLine("New Service Principal created: " + newServicePrincpal.ObjectId);
        }
        catch (Exception e)
        {
            // Logged and ignored; the grant below is still attempted.
            Console.WriteLine("Service Principal Creation execption: {0} {1}", e.Message,
                e.InnerException != null ? e.InnerException.Message : "");
        }
    }
    // The grant is built regardless of whether the service principal step
    // ran or succeeded; if it did not, ClientId below is read from an object
    // that was never created on the service side.
    OAuth2PermissionGrant permissionObject = new OAuth2PermissionGrant();
    // "AllPrincipals": consent recorded on behalf of all users in the tenant
    // (admin-style consent) rather than for a single signed-in user.
    permissionObject.ConsentType = "AllPrincipals";
    // Only this single scope is granted here; it is independent of the three
    // permission ids requested in officeAccess above.
    permissionObject.Scope = "ServiceHealth.Read";
    permissionObject.StartTime = DateTime.MinValue;
    // Local clock here, unlike the UTC timestamps used for the password credential.
    permissionObject.ExpiryTime = (DateTime.Now).AddMonths(12);
    // ResourceId: objectId of the resource's service principal. The original
    // comment named both manage.office.com and AzureAD (Graph API);
    // NOTE(review): confirm which principal this GUID refers to — the
    // commented-out alternative suggests it was changed during experimentation.
    permissionObject.ResourceId = "52f62a75-b73d-496a-9bfa-1bf41339a90a"; // "52620afb-80de-4096-a826-95f4ad481686";
    // ClientId = objectId of the service principal created above.
    permissionObject.ClientId = newServicePrincpal.ObjectId;
    try
    {
        // Same blocking .Wait() pattern as the service principal call above.
        activeDirectoryClient.Oauth2PermissionGrants.AddOAuth2PermissionGrantAsync(permissionObject).Wait();
        Console.WriteLine("New Permission object created: " + permissionObject.ObjectId);
    }
    catch (Exception e)
    {
        // Logged and ignored; a credential is still returned below.
        Console.WriteLine("Permission Creation exception: {0} {1}", e.Message, e.InnerException != null ? e.InnerException.Message : "");
    }
    // Returned even when one of the creation steps above failed; AppId may
    // then be unset, and the grant may not exist.
    return new ClientCredential(clientId: appObject.AppId, clientSecret: clientSecret);
}
catch (Exception ex)
{
    // Every other failure (including GetActiveDirectoryClientAsUser) is
    // swallowed and reported as null; the caller cannot tell why it failed.
    return null;
}