"Insufficient privileges" 在 AAD 多租户应用中查询超额索赔 URI 时
"Insufficient privileges" when querying the overage claim URI in AAD multi-tenant app
我在租户 A 中有一个多租户 AAD 应用程序,它接受租户 B 颁发的令牌来验证其用户。应用程序请求的权限设置为默认的最低级别 - 阅读基本用户的个人资料。
当租户 B 的用户(非管理员)登录时,我看到了声明,并且我已将应用配置为在声明中也发送用户组。在群组声明中,我看到的不是群组列表,而是“src1”引用,暗示该用户是 200 多个群组的成员,我需要查询该 URI 才能获取这些组的列表。
但是,当我查询该 URI 时,我收到“权限不足”错误。我实际上能够为用户查询“/me”URI 并查看他的直属经理甚至办公室位置,但我看不到他或她的安全组。
当用户同意通过我的应用程序进行身份验证时,组声明是否包含在我允许阅读的内容中,或者只有管理员才能同意?如果我确实应该看到它们,那么根据超龄索赔 URI 访问它们的正确方法是什么?
提前致谢!
更新:
有关代码的更多信息:
我正在使用一本书(不是特定教程),我的代码位于 AuthorizationCodeReceived 通知正文中,看起来像这样:
var ClientId = "...";
// Notice the "common"
var Authority = "https://login.microsoftonline.com/common";
var appKey = "...";
var resourceId = "https://graph.windows.net";
var code = context.Code;
var authContext = new AuthenticationContext(Authority);
var credential = new ClientCredential(ClientId, appKey);
var result = authContext.AcquireTokenByAuthorizationCode(code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, resourceId);
var httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", result.AccessToken);
// I'm not very sure about this part - I tried different ways, but all request that "work" result in "Insufficient privileges"
var p = new { securityEnabledOnly = true };
string postBody = JsonConvert.SerializeObject(p);
httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
var response = httpClient.PostAsync("<the src1 url>", new StringContent(postBody, System.Text.Encoding.UTF8, "application/json")).Result;
所以我想我可以回答我自己的问题。事实证明,User.Read 仅包含用户实体的 "Declared" 属性,而组成员身份是导航 属性。
要访问群组,我需要请求 Group.Read.All 权限,这需要管理员同意。
这是关于权限的文档:
https://msdn.microsoft.com/Library/Azure/Ad/Graph/howto/azure-ad-graph-api-permission-scopes
下面是实体的描述:
https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#userentity
文档里都有,看的时候要注意细节。
补充:我运行你的代码没有错误,确保你的网络应用程序有访问Graph的权限Api。下面是代码,我简化了一些地方。
var ClientId = "***";
// Notice the "common"
var Authority = "https://login.microsoftonline.com/tenantid";
var appKey = "k***";
var resourceId = "https://graph.windows.net";
// var code = context.Code;
var authContext = new AuthenticationContext(Authority);
var credential = new ClientCredential(ClientId, appKey);
var result = authContext.AcquireToken(resourceId,credential);
var httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
// I'm not very sure about this part - I tried different ways, but all request that "work" result in "Insufficient privileges"
// var p = new { securityEnabledOnly = true };
// string postBody = JsonConvert.SerializeObject(p);
httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
var result1 = httpClient.GetAsync("https://graph.windows.net/tenantid/users?api-version=1.6").Result;
var jsonresult=result1.Content.ReadAsStringAsync().Result;
我在租户 A 中有一个多租户 AAD 应用程序,它接受租户 B 颁发的令牌来验证其用户。应用程序请求的权限设置为默认的最低级别 - 阅读基本用户的个人资料。
当租户 B 的用户(非管理员)登录时,我看到了声明,并且我已将应用配置为在声明中也发送用户组。在群组声明中,我看到的不是群组列表,而是“src1”引用,暗示该用户是 200 多个群组的成员,我需要查询该 URI 才能获取这些组的列表。
但是,当我查询该 URI 时,我收到“权限不足”错误。我实际上能够为用户查询“/me”URI 并查看他的直属经理甚至办公室位置,但我看不到他或她的安全组。
当用户同意通过我的应用程序进行身份验证时,组声明是否包含在我允许阅读的内容中,或者只有管理员才能同意?如果我确实应该看到它们,那么根据超龄索赔 URI 访问它们的正确方法是什么?
提前致谢!
更新: 有关代码的更多信息: 我正在使用一本书(不是特定教程),我的代码位于 AuthorizationCodeReceived 通知正文中,看起来像这样:
var ClientId = "...";
// Notice the "common"
var Authority = "https://login.microsoftonline.com/common";
var appKey = "...";
var resourceId = "https://graph.windows.net";
var code = context.Code;
var authContext = new AuthenticationContext(Authority);
var credential = new ClientCredential(ClientId, appKey);
var result = authContext.AcquireTokenByAuthorizationCode(code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, resourceId);
var httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", result.AccessToken);
// I'm not very sure about this part - I tried different ways, but all request that "work" result in "Insufficient privileges"
var p = new { securityEnabledOnly = true };
string postBody = JsonConvert.SerializeObject(p);
httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
var response = httpClient.PostAsync("<the src1 url>", new StringContent(postBody, System.Text.Encoding.UTF8, "application/json")).Result;
所以我想我可以回答我自己的问题。事实证明,User.Read 仅包含用户实体的 "Declared" 属性,而组成员身份是导航 属性。
要访问群组,我需要请求 Group.Read.All 权限,这需要管理员同意。
这是关于权限的文档: https://msdn.microsoft.com/Library/Azure/Ad/Graph/howto/azure-ad-graph-api-permission-scopes
下面是实体的描述: https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#userentity
文档里都有,看的时候要注意细节。
补充:我运行你的代码没有错误,确保你的网络应用程序有访问Graph的权限Api。下面是代码,我简化了一些地方。
var ClientId = "***";
// Notice the "common"
var Authority = "https://login.microsoftonline.com/tenantid";
var appKey = "k***";
var resourceId = "https://graph.windows.net";
// var code = context.Code;
var authContext = new AuthenticationContext(Authority);
var credential = new ClientCredential(ClientId, appKey);
var result = authContext.AcquireToken(resourceId,credential);
var httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
// I'm not very sure about this part - I tried different ways, but all request that "work" result in "Insufficient privileges"
// var p = new { securityEnabledOnly = true };
// string postBody = JsonConvert.SerializeObject(p);
httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
var result1 = httpClient.GetAsync("https://graph.windows.net/tenantid/users?api-version=1.6").Result;
var jsonresult=result1.Content.ReadAsStringAsync().Result;