我已经使用https://github.com/microsoftgraph/msgraph-sdk-android
中的Graph SDK实现了对OneDrive文件的访问对于身份验证,我使用的方法与使用MSAL库的Connect sample相同,即build.gradle文件中的compile ('com.microsoft.identity.client:msal:0.1.+')。
我正在致电mPublicClientApp.acquireToken与
String[] scopes = {"offline_access", "https://graph.microsoft.com/Files.ReadWrite","https://graph.microsoft.com/User.Read"};并成功检索个人帐户和企业帐户的accessToken。
下一步,我想使用
将文件存储在用户的OneDrive上client.getDrive()
.getRoot()
.getItemWithPath("file.txt")
.getContent()
.buildRequest()
.put(data);
它可以正常使用个人帐户,但是在使用我的企业帐户(BTW是Azure门户中应用程序的用户)时失败,403: Forbidden失败。同样,如果我尝试获取确实存在的文件的DriveItem(也适用于个人帐户),则会得到404: Not found。
我的代码有什么问题吗,或者看起来像是应用程序的配置错误? (我在Azure门户中使用“预览模式”)。我添加的权限是
Files.ReadWrite
Delegiert
Have full access to user files
-
offline_access
Delegiert
Access user's data anytime
-
User.Read
Delegiert
Sign in and read user profile
-
User.ReadWrite
Delegiert
Read and write access to user profile
-
这是我的完整清单(已删除一些ID):
{
"id": "...",
"acceptMappedClaims": null,
"accessTokenAcceptedVersion": 2,
"allowPublicClient": true,
"appId": "...",
"appRoles": [],
"oauth2AllowUrlPathMatching": false,
"createdDateTime": "2018-12-24T08:51:51Z",
"groupMembershipClaims": null,
"identifierUris": [
"api://..."
],
"informationalUrls": {
"termsOfService": null,
"support": null,
"privacy": null,
"marketing": null
},
"keyCredentials": [],
"knownClientApplications": [],
"logoUrl": null,
"logoutUrl": null,
"name": "...",
"oauth2AllowIdTokenImplicitFlow": false,
"oauth2AllowImplicitFlow": false,
"oauth2Permissions": [
{
"adminConsentDescription": "blub",
"adminConsentDisplayName": "bla",
"id": "d3659b01-433e-44eb-ab39-9ee9c19f7fe8",
"isEnabled": true,
"lang": null,
"origin": "Application",
"type": "User",
"userConsentDescription": null,
"userConsentDisplayName": "read files",
"value": "Files.ReadWrite"
}
],
"oauth2RequirePostResponse": false,
"optionalClaims": null,
"orgRestrictions": [],
"parentalControlSettings": {
"countriesBlockedForMinors": [],
"legalAgeGroupRule": "Allow"
},
"passwordCredentials": [],
"preAuthorizedApplications": [],
"publisherDomain": "crocoapps.onmicrosoft.com",
"replyUrlsWithType": [
{
"url": "https://login.microsoftonline.com/common/oauth2/nativeclient",
"type": "InstalledClient"
},
{
"url": "msal8374f.................d9b2://auth",
"type": "InstalledClient"
},
{
"url": "https://login.live.com/oauth20_desktop.srf",
"type": "InstalledClient"
}
],
"requiredResourceAccess": [
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "7427e0e9-2fba-42fe-b0c0-848c9e6a8182",
"type": "Scope"
},
{
"id": "5c28f0bf-8a70-41f1-8ab2-9032436ddb65",
"type": "Scope"
},
{
"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
"type": "Scope"
},
{
"id": "b4e74841-8e56-480b-be8b-910348b18b4c",
"type": "Scope"
}
]
}
],
"samlMetadataUrl": null,
"signInUrl": null,
"signInAudience": "AzureADandPersonalMicrosoftAccount",
"tags": [],
"tokenEncryptionKeyId": null
}
答案 0 :(得分:0)
我认为您的replyUrlsWithType值没有正确的值。此列表应包含 Azure AD 在令牌发行后将重定向到的URL。
取自Azure Active Directory app manifest:
replyUrlsWithType
此多值属性保存Azure AD在返回令牌时将接受作为目的地的已注册redirect_uri值的列表。每个uri值应包含一个关联的应用程序类型值。支持的类型值为:
Web,InstalledClient。
希望有帮助!