使用委派特权呼叫MS图表,而应用程序特权确实不起作用
我尝试使用图形 api 调用获取用户的自定义属性:
我已使用 User.ReadWrite.All 委托权限 设置了应用程序注册,如 文档 和授予管理员权限:
使用 python,我可以使用我的应用程序注册密钥获取令牌:
def retrieve_token(endpoint, client_id, client_secret):
# endpoint = "https://login.microsoftonline.com/<tenant-id>/oauth2/token"
payload = {
"grant_type":"client_credentials",
"client_id": client_id,
"client_secret": client_secret,
"resource":"https://graph.microsoft.com"
}
r = requests.request("POST", endpoint,data=payload).json()["access_token"]
return r # returns a valid jwt token
然后使用该令牌调用一个函数来获取我的用户的属性:
def get_user_role(endpoint,user_uid, token):
# endpoint = "https://graph.microsoft.com/v1.0/users/"
url = endpoint + user_uid
headers = {
"Authorization": "Bearer " + token,
"Content-Type": "application/json"
}
return requests.request("GET", url, headers=headers).json()
由于某种原因,它缺乏权限:
{'error': {'code': 'Authorization_RequestDenied', 'message': 'Insufficient privileges to complete the operation.', 'innerError': {'date': '2022-03-29T16:11:38', 'request-id': 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx', 'client-request-id': 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx'}}}
如果我返回 api 的权限并将 User.ReadWrite.All 从 委派权限 更改为 应用程序权限它有效。
根据我在这种情况下阅读的内容,我应该使用委派权限但如何让它发挥作用呢?
I try to get a user's custom attribute using a graph api call :
I have setup an app registration with User.ReadWrite.All Delegated privileges as stated in the documentation and Granted admin privileges:
Using python, I can fetch a token using my app registration secret :
def retrieve_token(endpoint, client_id, client_secret):
# endpoint = "https://login.microsoftonline.com/<tenant-id>/oauth2/token"
payload = {
"grant_type":"client_credentials",
"client_id": client_id,
"client_secret": client_secret,
"resource":"https://graph.microsoft.com"
}
r = requests.request("POST", endpoint,data=payload).json()["access_token"]
return r # returns a valid jwt token
Using that token I then call a function to get my user's attributes :
def get_user_role(endpoint,user_uid, token):
# endpoint = "https://graph.microsoft.com/v1.0/users/"
url = endpoint + user_uid
headers = {
"Authorization": "Bearer " + token,
"Content-Type": "application/json"
}
return requests.request("GET", url, headers=headers).json()
For some reason, it lacks of privileges :
{'error': {'code': 'Authorization_RequestDenied', 'message': 'Insufficient privileges to complete the operation.', 'innerError': {'date': '2022-03-29T16:11:38', 'request-id': 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx', 'client-request-id': 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx'}}}
If I go back to my api's permissions and change the User.ReadWrite.All from Delegated permissions to Application permissions it works.
From what I read in this scenario I should use Delegated permission but how to get that to work?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
如果您使用
客户端凭据,请遵循(使用客户端 ID 和客户端密钥进行身份验证),因此您应该需要应用程序权限来获取令牌并调用函数来获取我的用户的属性。因此,不可能使用委托权限使用客户端凭据令牌调用 API。正如评论中所述的 junnas 是正确的当您想要以登录用户身份调用 Web API 时,通常会使用委派权限。
应用程序权限:您的应用程序需要直接访问 Web API(无用户上下文)。
因此您应该更改获取访问令牌的方式,例如授权代码流或设备代码流以登录用户身份获取访问令牌
您可以参考此文档可以帮助调用Web API的桌面应用:使用用户名和密码获取令牌
If you are using the
client credentials follow(Authenticating using Client ID and Client Secret) so you should require toApplication permissionsto get token and call a function to get my user's attributes. So it won't Possible to calling an API with Client Crendetial Token using delegated permissions.As junnas stated in comment is correct You typically use delegated permissions when you want to call the Web API as the logged on user.
Application Permissions: Your application needs to access the web API directly as itself (no user context).
So you should change the way to get the access token use e.g. authorization code flow or device code flow to get an access token as a signed in user
You can refer this Document can help Desktop app that calls web APIs: Acquire a token using Username and Password