Graph API - 在 Microsoft Graph 控制台应用程序中获得的权限不足
Graph API - Getting Insufficient privileges in microsoft graph console application
我在控制台应用程序中使用的代码:
public static string GetAccessToken()
{
// Create the authentication context (ADAL)
//Authority is something like https://login.microsoftonline.com/xyz.com
var authenticationContext = new AuthenticationContext(Authority);
// Get the access token
var credentials = new ClientCredential(ClientId, ClientSecret);
//Graph Resource https://graph.microsoft.com/
var authenticationResult = authenticationContext.AcquireTokenAsync(GraphResource, credentials);
var accessToken = authenticationResult.Result.AccessToken;
return accessToken; //we are getting access token here
}
public static HttpClient GetHttpClient(string accessToken)
{
// Create the HTTP client with the access token
var httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization =
new AuthenticationHeaderValue("Bearer",
accessToken);
return httpClient;
}
public static async Task MakeRequest()
{
// Get an access token and configure the HttpClient
var accessToken = GetAccessToken();
var httpClient = GetHttpClient(accessToken);
var uri = "https://graph.microsoft.com/v1.0/users/abc@xyz.com/";
// Get the current user (to extract the mail address)
var response = await httpClient.GetAsync(uri);
//var user = await MailClient.GetUserAsync(httpClient); //this is also not working
// Console.WriteLine(user.DisplayName);
if (response.Content != null)
{
var responseString = await response.Content.ReadAsStringAsync();
Console.WriteLine(responseString);
}
}
在 responseString 中我们得到:
{
"error":{
"code":"Authorization_RequestDenied",
"message":"Insufficient privileges to complete the operation.",
"innerError":{
"request-id":"79267719-b160-4817-a200-xxxxxxxxxx",
"date":"2018-01-14T11:00:00"
}
}
}
我们在应用程序权限中的权限如下:
在委派权限中,我们已经读取了所有用户的完整配置文件权限,但在应用程序权限中没有。
提问:是权限问题还是其他问题?
我建议使用 User.Read.All(阅读所有用户的完整个人资料)或 User.ReadBasic.All(阅读所有用户的基本个人资料)- 有关权限的详细信息,请参阅 https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference。
设置这些权限只会说 "these are the permissions that my app requires"。它实际上并不授予任何权限——您需要明确授予权限或征得客户同意。如果这是您自己的租户,您可以单击 Azure 门户中的 "Grant permissions" 按钮。然后再次尝试该应用程序。有关配置权限、授予权限和同意的更多详细信息,请参阅https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications。
希望这对您有所帮助,
我在控制台应用程序中使用的代码:
public static string GetAccessToken()
{
// Create the authentication context (ADAL)
//Authority is something like https://login.microsoftonline.com/xyz.com
var authenticationContext = new AuthenticationContext(Authority);
// Get the access token
var credentials = new ClientCredential(ClientId, ClientSecret);
//Graph Resource https://graph.microsoft.com/
var authenticationResult = authenticationContext.AcquireTokenAsync(GraphResource, credentials);
var accessToken = authenticationResult.Result.AccessToken;
return accessToken; //we are getting access token here
}
public static HttpClient GetHttpClient(string accessToken)
{
// Create the HTTP client with the access token
var httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization =
new AuthenticationHeaderValue("Bearer",
accessToken);
return httpClient;
}
public static async Task MakeRequest()
{
// Get an access token and configure the HttpClient
var accessToken = GetAccessToken();
var httpClient = GetHttpClient(accessToken);
var uri = "https://graph.microsoft.com/v1.0/users/abc@xyz.com/";
// Get the current user (to extract the mail address)
var response = await httpClient.GetAsync(uri);
//var user = await MailClient.GetUserAsync(httpClient); //this is also not working
// Console.WriteLine(user.DisplayName);
if (response.Content != null)
{
var responseString = await response.Content.ReadAsStringAsync();
Console.WriteLine(responseString);
}
}
在 responseString 中我们得到:
{
"error":{
"code":"Authorization_RequestDenied",
"message":"Insufficient privileges to complete the operation.",
"innerError":{
"request-id":"79267719-b160-4817-a200-xxxxxxxxxx",
"date":"2018-01-14T11:00:00"
}
}
}
我们在应用程序权限中的权限如下:
在委派权限中,我们已经读取了所有用户的完整配置文件权限,但在应用程序权限中没有。
提问:是权限问题还是其他问题?
我建议使用 User.Read.All(阅读所有用户的完整个人资料)或 User.ReadBasic.All(阅读所有用户的基本个人资料)- 有关权限的详细信息,请参阅 https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference。
设置这些权限只会说 "these are the permissions that my app requires"。它实际上并不授予任何权限——您需要明确授予权限或征得客户同意。如果这是您自己的租户,您可以单击 Azure 门户中的 "Grant permissions" 按钮。然后再次尝试该应用程序。有关配置权限、授予权限和同意的更多详细信息,请参阅https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications。
希望这对您有所帮助,