I am trying to make a basic call to Microsoft Graph:
https://graph.microsoft.com/v1.0/me/
I have done this through the C# SDK and directly over REST, and on both calls I get the following error:
Message = "Resource 'f9d58168-4b3e-4948-9133-6c978d1ab18a' does not exist or one of its queried reference-property objects are not present."
The full error message returned in the error response content stream:
{
    "error": {
        "code": "Request_ResourceNotFound",
        "message": "Resource 'f9d58168-4b3e-4948-9133-6c978d1ab18a' does not exist or one of its queried reference-property objects are not present.",
        "innerError": {
            "request-id": "80af6aec-5052-49ab-890c-273fea5c65ba",
            "date": "2017-07-31T06:08:37"
        }
    }
}
The GUID can vary.
When I do this through Graph Explorer it works fine.
This is the code I use to get the App credentials:

using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Client credential (app id + secret) read from the AzureAd options section.
private ClientCredential GetCredentials()
{
    return new ClientCredential(_azureAdOptions.ClientId, _azureAdOptions.ClientSecret);
}

// Authentication context for the tenant, backed by a per-user distributed token cache.
private AuthenticationContext GetContext(string userObjectId)
{
    return new AuthenticationContext($"{_azureAdOptions.AadInstance}{_azureAdOptions.Tenant}", GetTokenCache(userObjectId));
}

// DistributedTokenCache is the application's own ADAL TokenCache implementation.
private DistributedTokenCache GetTokenCache(string userObjectId)
{
    return new DistributedTokenCache(userObjectId, _azureAdOptions.ClientId, _distributedCache, _loggerFactory);
}

public async Task<AuthenticationResult> GetToken(string userObjectId, string resourceId)
{
    AuthenticationResult result;
    var authContext = GetContext(userObjectId);
    var credential = GetCredentials();
    try
    {
        // First try to get a token for this user from the cache (no prompt).
        result = await authContext.AcquireTokenSilentAsync(resourceId, credential, new UserIdentifier(userObjectId, UserIdentifierType.UniqueId));
    }
    catch (AdalSilentTokenAcquisitionException)
    {
        // No cached user token: fall back to a token acquired with the client credential alone (no user).
        result = await authContext.AcquireTokenAsync(resourceId, credential);
    }
    return result;
}
I have debugged through the code and verified that a token is obtained.
I have copied and pasted the request URL from my application into Graph Explorer and it works fine.
The permissions are set through Azure and are the same as the permissions set for Graph Explorer.
This is the configuration I use in StartUp to set up OpenId:

using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var openIdConnectOptions = new OpenIdConnectOptions
{
    ClientId = azureAdOptions.ClientId,
    // Scopes requested at sign-in; User.Read is the delegated Graph permission.
    Scope =
    {
        "openid",
        "email",
        "profile",
        "offline_access",
        "User.Read",
        "user_impersonation"
    },
    Authority = $"{azureAdOptions.AadInstance}{azureAdOptions.Tenant}",
    SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme,
    AuthenticationScheme = OpenIdConnectDefaults.AuthenticationScheme,
    PostLogoutRedirectUri = azureAdOptions.PostLogoutRedirectUri,
    // Hybrid flow: an authorization code plus an id_token come back from Azure AD.
    ResponseType = OpenIdConnectResponseType.CodeIdToken,
    UseTokenLifetime = true,
    GetClaimsFromUserInfoEndpoint = false,
    Events = new OpenIdConnectEvents
    {
        OnRedirectToIdentityProvider = OnRedirectToIdentityProvider,
        OnRemoteFailure = OnAuthenticationFailed,
        OnAuthorizationCodeReceived = OnAuthorizationCodeReceived,
        OnUserInformationReceived = OnUserInformationReceived
    }
};
I use this code in a different application that calls Microsoft Graph and have had no problems.
Update
I am able to get the user ID from the Claims Principal (http://schemas.microsoft.com/identity/claims/objectidentifier), and calling "https://graph.microsoft.com/v1.0/users('')" with this ID gives the same error. The GUID in the error message is the user's GUID from the Claims Principal.
So why is the user ID in the Claims Principal not being set correctly?
Further update
It looks like the object identifier set in the Claims Principal is different from the object identifier in Azure Active Directory.
I hard-coded the object identifier into the users endpoint.
Further update
This seems to be related to the access token being returned. After decoding the token I can see that the object ID is the object ID of the registered application, which is what is used when calling "Me" in the Office Graph. It should be the OID of the user the token was returned for. The app has User.Read in Active Directory.
Error returned by AcquireTokenSilentAsync:
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalSilentTokenAcquisitionException:
at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenSilentHandler.SendTokenRequestAsync (Microsoft.IdentityModel.Clients.ActiveDirectory, Version=3.14.1.10, Culture=neutral, PublicKeyToken=31bf3856ad364e35: c:\workspace\azure-activedirectory-library-for-dotnet-v3-master-VS2017\src\ADAL.PCL\Flows\AcquireTokenSilentHandler.cs: 61)
at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase+<RunAsync>d__55.MoveNext (Microsoft.IdentityModel.Clients.ActiveDirectory, Version=3.14.1.10, Culture=neutral, PublicKeyToken=31bf3856ad364e35: c:\workspace\azure-activedirectory-library-for-dotnet-v3-master-VS2017\src\ADAL.PCL\Flows\AcquireTokenHandlerBase.cs: 198)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext+<AcquireTokenSilentCommonAsync>d__55.MoveNext (Microsoft.IdentityModel.Clients.ActiveDirectory, Version=3.14.1.10, Culture=neutral, PublicKeyToken=31bf3856ad364e35: c:\workspace\azure-activedirectory-library-for-dotnet-v3-master-VS2017\src\ADAL.PCL\AuthenticationContext.cs: 618)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext+<AcquireTokenSilentAsync>d__41.MoveNext (Microsoft.IdentityModel.Clients.ActiveDirectory, Version=3.14.1.10, Culture=neutral, PublicKeyToken=31bf3856ad364e35: c:\workspace\azure-activedirectory-library-for-dotnet-v3-master-VS2017\src\ADAL.PCL\AuthenticationContext.cs: 415)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at InSite.Security.AuthenticationService+<GetToken>d__5.MoveNext (InSite.Security, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null: C:\Users\TobyStatham\Documents\Visual Studio 2017\Projects\InSite\InSite.Security\AuthenticationService.cs: 47)
Answer 0 (score: 1)
In Graph, the /me/ endpoint is an alias for the currently signed-in user (based on the token). To check this, you can decode the JWT and see whether there is any user information associated with the token. An application with no user present will not be able to query /me/, and should instead specify the user ID of the user of interest (/users/{user id}).
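The check the answer describes, as an added example (not code from the question, the answer, or ADAL): decode the payload of an access token and look for the claims that only a delegated (user-present) token carries. The GUIDs, the two sample claim sets, and the token builder are constructed for the demo; the claim names (oid, upn, unique_name, preferred_username, scp, roles) are the standard Azure AD token claims. The signature is not verified here, which is fine for inspecting a token your own app already holds but not for accepting tokens from callers.

```python
import base64
import json

# Claims present when a user is in the token. A client-credential (app-only)
# token has none of these; its 'oid' is the app's service principal, which is
# what the question's last update observed.
USER_PRESENT_CLAIMS = ("upn", "unique_name", "preferred_username", "scp")


def b64url_encode(raw: bytes) -> str:
    """Base64url without '=' padding, the form JWT segments use."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding that JWT strips, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims of a compact JWT (signature NOT verified)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def classify_token(claims: dict) -> str:
    """'delegated' when a user is present in the token, otherwise 'app-only'."""
    if any(name in claims for name in USER_PRESENT_CLAIMS):
        return "delegated"
    return "app-only"


def graph_endpoint_for(claims: dict) -> str:
    """Which Graph path can meaningfully stand for 'the user' with this token.

    Only a delegated token can use /me. With an app-only token the caller must
    name the user explicitly by object id, as the answer says.
    """
    if classify_token(claims) == "delegated":
        return "/v1.0/me"
    return "/v1.0/users/{user object id}"


def make_sample_token(claims: dict) -> str:
    """Build a constructed sample token; the signature is a placeholder, not real."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signature = b64url_encode(b"placeholder-signature-not-real")
    return f"{header}.{payload}.{signature}"


# Constructed sample claim sets (GUIDs are made up).
DELEGATED_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "oid": "11111111-1111-1111-1111-111111111111",  # the signed-in user's object id
    "upn": "alice@contoso.example",
    "scp": "User.Read",
}
APP_ONLY_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "oid": "22222222-2222-2222-2222-222222222222",  # the app's service principal
    "roles": ["User.Read.All"],
}

if __name__ == "__main__":
    for label, claims in (("delegated", DELEGATED_CLAIMS), ("app-only", APP_ONLY_CLAIMS)):
        decoded = decode_jwt_payload(make_sample_token(claims))
        print(label, "->", classify_token(decoded), graph_endpoint_for(decoded), "oid:", decoded["oid"])
```

Run against the token the fallback branch of GetToken returns: if it classifies as app-only, the /me call (and /users/{oid} with that token's oid) cannot succeed because the oid names the application, not a user; the silent, user-bound token is the one that must reach Graph.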