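Including "prompt=consent" in an Office 365 OAuth authorization request for resource "https://graph.microsoft.com/" generates an error

Time: 2016-01-18 13:27:03

Tags: ms-office office365 azure-active-directory

I'm moving my existing Office365 API usage over to the Unified API (https://graph.microsoft.com/v1.0).

For the reasons explained in Adding an additional Windows Azure AD delegated permission to an existing grant, I need to include prompt=consent in my authorization request URL. Until now my authorization URL has looked like: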

https://login.microsoftonline.com/common/oauth2/authorize?resource=https%3a%2f%2fgraph.windows.net%2f&prompt=consent&client_id=ec49c780-6767-46f2-8697-bdd816e42504&redirect_uri=https%3a%2f%2flogin.airhead.io%2fservices%2freply%2foffice365%2foauth&scope=UserProfile.Read+Calendars.Read+Files.Read+Sites.Read.All+Mail.Read&response_type=code

..which (after authorization and consent) returns me to:

https://login.airhead.io/services/reply/office365/oauth?code=AAABAAAAiL9Kn2Z27UubvWFPbm0gLeSvP6UG3gEwceCQ8hU_03hUjXRvPUfs_Y-324csuR0rDFE-qdNIsD0on-DjKGoSzvVL4PKh7_uQkghxtOGCZGEJ7GwcUDpvoHH86pjct3vAb94wPt8Pkdm46HhvPeBn6JDrK5VIBYdwxS2r8dLRmjqiyIBbGZDsOUCDymeFebYsFc-V39sQ9WFSx5ErjIeHvZ_Qf4zB1SDjT-iEqJPTW7H5bZpvFJQHhUqn3TvVL37Up4ZzkWxz5fb0zMk_7yKuz6G-DW6kz_Y1S30ZNgO45maDEw9KBqmdIR_NeewmFSKokgF4Unsfi__xNzjf6xO6VcMOidych7V7uQi_jxX7zP5hLvXgAoNmqBU-AnV2NVZ-5tq2s4w8vvl61TXUjR1MtwVf4TzcsL55uvyP16lid6JpWsdssZvWJNXna_zJC0Ok629vE5-4pzu-zF5C_PJztkx8VQ8QDmP4_JqkHkRmq2zO0doY25AF6Sh3odyNEx6IwWxe9jirPv_8NfwlmldYnpItzbmYlqLilOIEBNXpESgUmPz02A0Czu--pZP45JfjNDrVnUBBV9liPToK_QPe99xOSNHmk70h171M5BjVnhggAA&session_state=8494e152-60ab-4ddc-a247-ee55798e0595

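..allowing me to carry on, using the auth code against the old https://graph.windows.net/ resource. All good.

However, after changing the resource parameter value on the authorization URL to https://graph.microsoft.com/ in order to authorize against the new Unified API, i.e.: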

https://login.microsoftonline.com/common/oauth2/authorize?resource=https%3a%2f%2fgraph.microsoft.com%2f&prompt=consent&client_id=ec49c780-6767-46f2-8697-bdd816e42504&redirect_uri=https%3a%2f%2flogin.airhead.io%2fservices%2freply%2foffice365%2foauth&scope=UserProfile.Read+Calendars.Read+Files.Read+Sites.Read.All+Mail.Read&response_type=code

..I receive an error response:

https://login.airhead.io/services/reply/office365/oauth?error=access_denied&error_description=AADSTS65005%3a+The+client+application+has+requested+access+to+resource+%27https%3a%2f%2fgraph.microsoft.com%2f%27.+This+request+has+failed+because+the+client+has+not+specified+this+resource+in+its+requiredResourceAccess+list.%0D%0ATrace+ID%3a+d9cc9773-feb5-42b4-9414-eaf64620fc0f%0D%0ACorrelation+ID%3a+ea1f37de-35bb-4b41-af49-c877dda75d11%0D%0ATimestamp%3a+2016-01-18+13%3a15%3a18Z

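..with the description "AADSTS65005: The client application has requested access to resource 'https://graph.microsoft.com/'. This request has failed because the client has not specified this resource in its requiredResourceAccess list."

If I try the same authorization URL (again for resource https://graph.microsoft.com/), but this time drop the prompt=consent parameter, i.e.: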

https://login.microsoftonline.com/common/oauth2/authorize?resource=https%3a%2f%2fgraph.microsoft.com%2f&client_id=ec49c780-6767-46f2-8697-bdd816e42504&redirect_uri=https%3a%2f%2flogin.airhead.io%2fservices%2freply%2foffice365%2foauth&scope=UserProfile.Read+Calendars.Read+Files.Read+Sites.Read.All+Mail.Read&response_type=code

..it works.

The documentation at https://msdn.microsoft.com/en-US/library/azure/dn645542.aspx still indicates that prompt=consent is valid. Is the documentation wrong (i.e. I can't use prompt=consent with resource https://graph.microsoft.com/), or is this a bug?

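1 answer:

Answer 0: (score: 0)

It turns out that v1.0 of graph.microsoft.com has a whole new set of scopes that weren't required during the preview. Adding those scopes to my app manifest resolved the issue. (facepalm)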
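A pre-flight check for the AADSTS65005 failure in this thread, as an added example that is not part of the original question or answer: it reads the `resource` parameter from an authorize URL and looks for the matching entry in the app manifest's `requiredResourceAccess` list. The manifest fragment, permission id, `CLIENT_ID` and `app.example` host are constructed placeholders; the two resource app ids are the well-known ids of Microsoft Graph and Azure AD Graph.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Well-known first-party resource app ids, the same in every tenant.
RESOURCE_APP_IDS = {
    "https://graph.microsoft.com": "00000003-0000-0000-c000-000000000000",  # Microsoft Graph
    "https://graph.windows.net": "00000002-0000-0000-c000-000000000000",    # Azure AD Graph
}

def requested_resource(authorize_url):
    """Normalized `resource` parameter of an authorize URL."""
    query = parse_qs(urlsplit(authorize_url).query)
    return query["resource"][0].rstrip("/").lower()

def declared_scope_ids(manifest, resource):
    """Delegated permission ids declared for `resource`; None if the resource is not listed."""
    app_id = RESOURCE_APP_IDS[resource]  # KeyError for a resource this table does not know
    for entry in manifest.get("requiredResourceAccess", []):
        if entry["resourceAppId"].lower() == app_id:
            return [a["id"] for a in entry["resourceAccess"] if a["type"] == "Scope"]
    return None

def aadsts_code(redirect_url):
    """AADSTS error code carried by an error redirect, or None."""
    desc = parse_qs(urlsplit(redirect_url).query).get("error_description", [""])[0]
    return desc.split(":", 1)[0] if desc.startswith("AADSTS") else None

# Constructed manifest fragment: only Azure AD Graph is declared; the permission id is a placeholder.
MANIFEST = json.loads("""{
  "requiredResourceAccess": [
    {"resourceAppId": "00000002-0000-0000-c000-000000000000",
     "resourceAccess": [{"id": "00000000-0000-0000-0000-000000000001", "type": "Scope"}]}
  ]
}""")

# Constructed URLs modelled on the ones in the question (client id and reply host are placeholders).
BASE = "https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=CLIENT_ID&prompt=consent"
OLD_URL = BASE + "&resource=https%3a%2f%2fgraph.windows.net%2f"
NEW_URL = BASE + "&resource=https%3a%2f%2fgraph.microsoft.com%2f"
ERROR_REDIRECT = ("https://app.example/oauth?error=access_denied&error_description="
                  "AADSTS65005%3a+The+client+application+has+requested+access+to+resource")

if __name__ == "__main__":
    for url in (OLD_URL, NEW_URL):
        res = requested_resource(url)
        ids = declared_scope_ids(MANIFEST, res)
        print(res, "->", "not in requiredResourceAccess" if ids is None else ids)
    print(aadsts_code(ERROR_REDIRECT))
```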