"特权不足"在AAD多租户应用程序中查询超额索赔URI时

时间:2016-03-20 06:58:20

标签: c# permissions multi-tenant azure-active-directory claims-based-identity

我在租户A中有一个多租户AAD应用,它接受租户B发出的令牌来验证其用户。应用程序请求的权限设置为默认的最低级别 - 阅读基本用户的个人资料。

当来自租户B的用户(非管理员)登录时,我会看到声明,并且我已将应用配置为在用户声明中发送用户的群组。在群组声明中,而不是我看到的群组列表" src1 "引用,暗示用户是200多个组的成员,我需要查询该URI以获取这些组的列表。

但是,当我查询该URI时,我会收到" 权限不足"错误。我实际上能够查询" / me" URI对用户来说很好,看到他的直接经理甚至是办公地点,但我无法看到他或她的安全组。

当用户同意通过我的应用进行身份验证时,群组声明是否包含在我允许阅读的内容中,或者只有管理员可以同意的内容?如果我确实应该看到它们,那么在给定超龄声明URI的情况下访问它们的正确方法是什么?

提前致谢!

更新: 有关代码的更多信息: 我使用的是一本书(不是特定的教程),我的代码位于 AuthorizationCodeReceived 通知正文中,如下所示:

var ClientId = "...";
// Notice the "common"
var Authority = "https://login.microsoftonline.com/common";
var appKey = "...";
var resourceId = "https://graph.windows.net";
var code = context.Code;
var authContext = new AuthenticationContext(Authority);
var credential = new ClientCredential(ClientId, appKey);
var result = authContext.AcquireTokenByAuthorizationCode(code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, resourceId);

var httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", result.AccessToken);

// I'm not very sure about this part - I tried different ways, but all request that "work" result in "Insufficient privileges"
var p = new { securityEnabledOnly = true };
string postBody = JsonConvert.SerializeObject(p);
httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json")); 

var response = httpClient.PostAsync("<the src1 url>", new StringContent(postBody, System.Text.Encoding.UTF8, "application/json")).Result;

2 个答案:

答案 0 :(得分:0)

所以我想我可以回答我自己的问题。事实证明,User.Read仅包含&#34;声明的&#34; User实体的属性,而组成员身份是Navigation属性。

要访问该组,我需要请求Group.Read.All权限,这需要管理员同意。

以下是有关权限的文档: https://msdn.microsoft.com/Library/Azure/Ad/Graph/howto/azure-ad-graph-api-permission-scopes

以下是实体的描述: https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#userentity

这完全在文档中,只需要在阅读时非常注意细节。

答案 1 :(得分:0)

添加:我运行您的代码时没有错误,请确保您的网络应用有权访问Graph Api。下面是代码,我简化了某个地方。

        var ClientId = "***";
        // Notice the "common"
        var Authority = "https://login.microsoftonline.com/tenantid";
        var appKey = "k***";
        var resourceId = "https://graph.windows.net";
       // var code = context.Code;
        var authContext = new AuthenticationContext(Authority);
        var credential = new ClientCredential(ClientId, appKey);
        var result = authContext.AcquireToken(resourceId,credential);

        var httpClient = new HttpClient();
        httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);

        // I'm not very sure about this part - I tried different ways, but all request that "work" result in "Insufficient privileges"
       // var p = new { securityEnabledOnly = true };
      //  string postBody = JsonConvert.SerializeObject(p);
        httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));

        var   result1 = httpClient.GetAsync("https://graph.windows.net/tenantid/users?api-version=1.6").Result;

        var  jsonresult=result1.Content.ReadAsStringAsync().Result;