我正在尝试使用Microsoft Graph API的日历相关端点。我已经在Azure AD上注册了我的应用程序并配置了它的应用程序权限(实际上,为了确保这一点,我已经添加了Microsoft Graph API的应用程序权限的完整列表)
您可以在下面看到我的访问令牌,尽管有点长。 jwt.ms还声明它是一个Azure AD V1令牌。
{
"typ": "JWT",
"nonce": "AQABAAAAAAC5una0EUFgTIF8ElaxtWjTfuFEc1xDrKW9OgoxxfapaiuriahgH-pwN7wMt0tMrHmt-nOLiWJm7xzuNTM9Un0NoRzBP_Yor0wOmspcQdql0SAA",
"alg": "RS256",
"x5t": "wULmYfsqdQuWtV_-hxVtDJJZM4Q",
"kid": "wULmYfsqdQuWtV_-hxVtDJJZM4Q"
}.{
"aud": "https://graph.microsoft.com",
"iss": "https://sts.windows.net/41dad557-6060-410f-a612-368cf36641f0/",
"iat": 1541058963,
"nbf": 1541058963,
"exp": 1541062863,
"aio": "42RgYDicbl/RHqaT8XTWla+XJ8j2AgA=",
"app_displayname": "GraphChatBotTest",
"appid": "36602029-65b0-44ee-a2bb-f18c0f154969",
"appidacr": "1",
"idp": "https://sts.windows.net/41dad557-6060-410f-a612-368cf36641f0/",
"oid": "ea391d2a-9e85-4387-99ba-68a28d077a65",
"roles": [
"Chat.UpdatePolicyViolation.All",
"Calls.JoinGroupCall.All",
"EduRoster.Read.All",
"OnlineMeetings.Read.All",
"Mail.ReadWrite",
"OnlineMeetings.ReadWrite.All",
"Device.ReadWrite.All",
"User.ReadWrite.All",
"Domain.ReadWrite.All",
"Application.ReadWrite.OwnedBy",
"SecurityEvents.Read.All",
"Calendars.Read",
"EduAssignments.ReadWrite.All",
"People.Read.All",
"Application.ReadWrite.All",
"Calls.InitiateGroupCall.All",
"Group.Read.All",
"Directory.ReadWrite.All",
"EduAssignments.ReadWriteBasic.All",
"MailboxSettings.Read",
"EduAdministration.Read.All",
"Calls.JoinGroupCallAsGuest.All",
"Sites.Read.All",
"Sites.ReadWrite.All",
"Contacts.ReadWrite",
"Group.ReadWrite.All",
"Sites.Manage.All",
"SecurityEvents.ReadWrite.All",
"Notes.Read.All",
"User.Invite.All",
"EduRoster.ReadWrite.All",
"Files.ReadWrite.All",
"Directory.Read.All",
"User.Read.All",
"EduAssignments.ReadBasic.All",
"EduRoster.ReadBasic.All",
"Files.Read.All",
"Mail.Read",
"Chat.Read.All",
"ChannelMessage.Read.All",
"EduAssignments.Read.All",
"Calendars.ReadWrite",
"identityriskyuser.read.all",
"EduAdministration.ReadWrite.All",
"Mail.Send",
"ChannelMessage.UpdatePolicyViolation.All",
"MailboxSettings.ReadWrite",
"Contacts.Read",
"IdentityRiskEvent.Read.All",
"AuditLog.Read.All",
"Member.Read.Hidden",
"Calls.AccessMedia.All",
"Sites.FullControl.All",
"Reports.Read.All",
"Calls.Initiate.All",
"Notes.ReadWrite.All"
],
"sub": "ea391d2a-9e85-4387-99ba-68a28d077a65",
"tid": "41dad557-6060-410f-a612-368cf36641f0",
"uti": "Vy3Z7a_gLEODSO81X4cLAA",
"ver": "1.0",
"xms_tcdt": 1487855898
}.[Signature]
现在,当我使用User和Group端点时,一切正常。我可以获取所有用户,一个特定的用户,并且对组也是如此。但是,每当我尝试使用其他端点(例如/ calendars或/ events)时,都会收到401未经授权的响应,代码为“未知错误”。
{
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"request-id": "532d3476-b41b-4d8a-a0ed-b44367c16d7f",
"date": "2018-11-01T08:19:55"
}
}
}
为记录起见,我尝试了v1.0端点和beta端点,结果相同。根据API文档,应该使用必要的应用程序权限访问这些端点(/calendars,/events等)。这里可能是什么问题?任何帮助表示赞赏。
编辑:添加示例代码以显示如何调用API
var uri =
$"https://graph.microsoft.com/v1.0/users/{userId}/events";
HttpClient.DefaultRequestHeaders.Authorization =
new AuthenticationHeaderValue("Bearer", accessToken);
var response = await HttpClient.GetAsync(uri);
此外,当我从Graph Explorer(使用我自己的个人帐户登录)调用相同的端点时,我得到了成功的答复。
更多信息:
当我们从应用程序注册门户(https://apps.dev.microsoft.com)而非Azure门户注册应用程序时,会发生一些有趣的事情。我可以成功获取访问令牌,但是当我使用新应用来调用/users时,会出现Authorization_IdentityNotFound错误,而调用/events时则会得到{{1} }。已向该应用程序授予以下应用程序权限:UnknownError,Calendars.ReadWrite,User.Read.All。也许更重要的是,这个新应用程序未显示在azure门户中。既不适合我,也不适合管理员。我希望这将使这个问题更加清晰。
编辑上一次编辑:
事实证明,我在“应用程序注册门户”上创建的应用程序有一个不同的租户。更改了Group.Read.All端点的租户ID之后,我在调用/token和/events时都能获得成功的响应。仍然想知道原始问题的根本原因。