Microsoft Graph 标识 Java - 租户 'Microsoft Services' 中不存在选定的用户帐户

Microsoft Graph Identity Java - Selected user account does not exist in tenant 'Microsoft Services'

我想在我的 Java 应用程序中访问用户的 Outlook 日历。为此,我正在尝试使用 Microsoft Graph API。

我正在学习本教程: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-java-webapp whose code is here: https://github.com/Azure-Samples/ms-identity-java-webapp/tree/master/msal-java-webapp-sample

我在 portal.microsoft.com 上创建了类型为 Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)

的应用程序

我已创建 keystore.p12 并将其复制到资源目录。

我的application.properties是:

#AAD configuration
aad.clientId=my client id
aad.authority=https://login.microsoftonline.com/my tenant id/
aad.secretKey=my secret key
aad.redirectUriSignin=https://localhost:8443/msal4jsample/secure/aad
aad.redirectUriGraph=https://localhost:8443/msal4jsample/graph/me
aad.msGraphEndpointHost=https://graph.microsoft.com/

#SSL configuration
server.port=8443
server.servlet.session.cookie.secure=true
server.ssl.key-store=classpath:keystore.p12
server.ssl.key-store-password=password
server.ssl.key-store-type=PKCS12
server.ssl.key-alias=testCert
server.ssl.key-password=password

当我 运行 应用程序并访问 https://localhost:8443 时,我得到带有登录按钮的页面。当我单击“登录”按钮时,我被重定向到可以在其中选择 outlook 帐户的页面。 URL 是:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&response_mode=form_post&redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fmsal4jsample%2Fsecure%2Faad&client_id=ca146462-8880-424c-b629-cc7c0d0fb1b3&scope=openid+offline_access+profile&prompt=select_account&state=69a2ac0f-abac-46ad-b525-88f0b70182b7&nonce=9278f424-6858-4e22-bb13-7b13894abda7

当我 select 一个帐户时,出现以下错误:

Selected user account does not exist in tenant 'Microsoft Services' and cannot access the application 'ca146462-8880-424c-b629-cc7c0d0fb1b3' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.

我添加了重定向 URI

为什么我会收到错误消息?

更新:

我将 application.properties 中的权限更改为 https://login.microsoftonline.com/common,所以现在我得到了 "Pick an account" 页面。但是当我选择一个帐户时,我收到 403 Forbidden 错误。

复制juunas提到的评论中的解决方案:

Just use "common" if the app is multi-tenant https://login.microsoftonline.com/common/oauth2/v2.0/authorize

403 Forbidden 是您正在学习的教程的一个问题。由于某些浏览器中的 samesite 更新,需要查询 response_mode(而不是 form_post)。如果您再次尝试 运行 示例,它应该可以工作