Resource '<random guid>' does not exist or one of its queried reference-property objects are not present

Time: 2017-07-28 14:33:05

Tags: azure-active-directory microsoft-graph

I am trying to make a basic call to Microsoft Graph.

https://graph.microsoft.com/v1.0/me/

I have done this via the C# SDK and directly using REST, and both calls give me the following error

Message="Resource 'f9d58168-4b3e-4948-9133-6c978d1ab18a' does not exist or one of its queried reference-property objects are not present."

The full error message returned in the error response content stream

{
  "error": {
    "code": "Request_ResourceNotFound",
    "message": "Resource 'f9d58168-4b3e-4948-9133-6c978d1ab18a' does not exist or one of its queried reference-property objects are not present.",
    "innerError": {
      "request-id": "80af6aec-5052-49ab-890c-273fea5c65ba",
      "date": "2017-07-31T06:08:37"
    }
  }
}

The GUID can differ.

When I do this via Graph Explorer it works fine.

Here is the code I use to get the app credentials

private ClientCredential GetCredentials()
{
    return new ClientCredential(_azureAdOptions.ClientId, _azureAdOptions.ClientSecret);
}

private AuthenticationContext GetContext(string userObjectId)
{
    return new AuthenticationContext($"{_azureAdOptions.AadInstance}{_azureAdOptions.Tenant}", GetTokenCache(userObjectId));
}

private DistributedTokenCache GetTokenCache(string userObjectId)
{
    return new DistributedTokenCache(userObjectId, _azureAdOptions.ClientId, _distributedCache, _loggerFactory);
}

public async Task<AuthenticationResult> GetToken(string userObjectId, string resourceId)
{
    AuthenticationResult result;

    var authContext = GetContext(userObjectId);
    var credential = GetCredentials();

    try
    {
        // Silent acquisition: looks for a cached token for this user.
        result = await authContext.AcquireTokenSilentAsync(resourceId, credential, new UserIdentifier(userObjectId, UserIdentifierType.UniqueId));
    }
    catch (AdalSilentTokenAcquisitionException astae)
    {
        // Fallback: client-credentials grant, which issues an app-only token with no user in it.
        result = await authContext.AcquireTokenAsync(resourceId, credential);
    }

    return result;
}

I have debugged through the code, and it authenticates and gets a token.

I have copied and pasted the request URL from my application into Graph Explorer and it works fine.

Permissions are set up through Azure and they are the same as the permissions set for Graph Explorer.

Here is the configuration I use in StartUp to set up OpenId

var openIdConnectOptions = new OpenIdConnectOptions
{
    ClientId = azureAdOptions.ClientId,
    Scope =
    {
        "openid",
        "email",
        "profile",
        "offline_access",
        "User.Read",
        "user_impersonation"
    },
    Authority = $"{azureAdOptions.AadInstance}{azureAdOptions.Tenant}",
    SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme,
    AuthenticationScheme = OpenIdConnectDefaults.AuthenticationScheme,
    PostLogoutRedirectUri = azureAdOptions.PostLogoutRedirectUri,
    ResponseType = OpenIdConnectResponseType.CodeIdToken,
    UseTokenLifetime = true,
    GetClaimsFromUserInfoEndpoint = false,
    Events = new OpenIdConnectEvents
    {
        OnRedirectToIdentityProvider = OnRedirectToIdentityProvider,
        OnRemoteFailure = OnAuthenticationFailed,
        OnAuthorizationCodeReceived = OnAuthorizationCodeReceived,
        OnUserInformationReceived = OnUserInformationReceived
    }
};

I use this code in a different application that calls Microsoft Graph and have not run into any problems.

Update

I am able to get the user ID from the claims principal (http://schemas.microsoft.com/identity/claims/objectidentifier), and calling "https://graph.microsoft.com/v1.0/users('')" with this ID gives the same error. The GUID in the error message is the GUID of the user in the claims principal.

So why is the user ID in the claims principal not set correctly?

Further update

It looks like the object identifier set in the Claims Principal is different from the object identifier in Azure Active Directory.

Hard-coded the object identifier into the users endpoint.

Further update

This seems to be related to the access token being returned. After decoding the token I can see that the object ID is the object ID of the registered application, which is what is being called with "Me" in Office Graph. It should be the OID of the user the token was returned for. The app has User.Read in Active Directory.

Error returned by AcquireTokenSilentAsync

Microsoft.IdentityModel.Clients.ActiveDirectory.AdalSilentTokenAcquisitionException:
   at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenSilentHandler.SendTokenRequestAsync (Microsoft.IdentityModel.Clients.ActiveDirectory, Version=3.14.1.10, Culture=neutral, PublicKeyToken=31bf3856ad364e35: c:\workspace\azure-activedirectory-library-for-dotnet-v3-master-VS2017\src\ADAL.PCL\Flows\AcquireTokenSilentHandler.cs: 61)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase+<RunAsync>d__55.MoveNext (Microsoft.IdentityModel.Clients.ActiveDirectory, Version=3.14.1.10, Culture=neutral, PublicKeyToken=31bf3856ad364e35: c:\workspace\azure-activedirectory-library-for-dotnet-v3-master-VS2017\src\ADAL.PCL\Flows\AcquireTokenHandlerBase.cs: 198)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext+<AcquireTokenSilentCommonAsync>d__55.MoveNext (Microsoft.IdentityModel.Clients.ActiveDirectory, Version=3.14.1.10, Culture=neutral, PublicKeyToken=31bf3856ad364e35: c:\workspace\azure-activedirectory-library-for-dotnet-v3-master-VS2017\src\ADAL.PCL\AuthenticationContext.cs: 618)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext+<AcquireTokenSilentAsync>d__41.MoveNext (Microsoft.IdentityModel.Clients.ActiveDirectory, Version=3.14.1.10, Culture=neutral, PublicKeyToken=31bf3856ad364e35: c:\workspace\azure-activedirectory-library-for-dotnet-v3-master-VS2017\src\ADAL.PCL\AuthenticationContext.cs: 415)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at InSite.Security.AuthenticationService+<GetToken>d__5.MoveNext (InSite.Security, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null: C:\Users\TobyStatham\Documents\Visual Studio 2017\Projects\InSite\InSite.Security\AuthenticationService.cs: 47)

1 Answer:

Answer 0 (score: 1)

In Graph, the /me/ endpoint is an alias for the currently signed-in user (based on the token). To check this, you can decode the JWT and see whether any user information is associated with the token. An application with no user present will not be able to query /me/ and should instead specify the user ID of the user of interest (/users/user id).
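An added example (not from the question or the answer) of the decoding check the answer describes: it base64url-decodes a JWT payload without verifying the signature (inspection only, never a basis for authorization), then decides whether the token identifies a user (delegated: an 'scp' claim plus a user claim such as 'upn') or only the application (client-credentials token whose 'oid' is the app's service principal, which is what the question's decoded token showed), and picks /me or /users/{id} accordingly. The sample claims, ids and helper names are constructed for this example.

```python
import base64
import json
from typing import Optional


def decode_jwt_payload(token: str) -> dict:
    """Base64url-decode the payload segment of a compact JWT. No signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_subject_kind(claims: dict) -> str:
    """Classify an Azure AD access token as 'delegated' (user present) or 'app-only'."""
    # Delegated tokens carry consented scopes in 'scp' and name the user ('upn' in v1
    # tokens, 'preferred_username' in v2). Client-credentials tokens carry 'roles'
    # instead, and their 'oid' is the application's service principal, not a user.
    has_user = any(k in claims for k in ("upn", "unique_name", "preferred_username"))
    return "delegated" if ("scp" in claims and has_user) else "app-only"


def graph_user_path(claims: dict, signed_in_user_oid: Optional[str] = None) -> str:
    """Return the Graph path that is valid for this token: /me needs a user in the token."""
    if token_subject_kind(claims) == "delegated":
        return "/v1.0/me"
    if signed_in_user_oid is None:
        raise ValueError("app-only token: /me is unavailable; supply the user's object id")
    return f"/v1.0/users/{signed_in_user_oid}"


def _make_unsigned_token(claims: dict) -> str:
    """Constructed JWT with an empty signature, so the example runs offline."""
    def b64url(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64url({'alg': 'none', 'typ': 'JWT'})}.{b64url(claims)}."


# Constructed sample claims with placeholder ids (not real tenants, users or apps).
USER_OID = "00000000-0000-0000-0000-00000000aaaa"
DELEGATED_CLAIMS = {"aud": "https://graph.microsoft.com", "scp": "User.Read",
                    "oid": USER_OID, "upn": "user@example.com"}
APP_ONLY_CLAIMS = {"aud": "https://graph.microsoft.com", "roles": [],
                   "oid": "00000000-0000-0000-0000-00000000bbbb",
                   "appid": "00000000-0000-0000-0000-00000000cccc"}

if __name__ == "__main__":
    for claims in (DELEGATED_CLAIMS, APP_ONLY_CLAIMS):
        decoded = decode_jwt_payload(_make_unsigned_token(claims))
        print(token_subject_kind(decoded), graph_user_path(decoded, USER_OID))
```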