“权限不足,无法完成操作”,尽管授予了所有必要的权限

【问题标题】:"Insufficient priveleges to complete the operation", inspite of granting all necessary permissions“权限不足,无法完成操作”,尽管授予了所有必要的权限
【发布时间】:2020-02-15 07:07:27
【问题描述】: 
{"odata.error":{"code":"Authorization_RequestDenied",
"message":
{"lang":"en","value":"Insufficient privileges to complete the operation."},
"requestId":"b205e5d0-f929-418e-9153-f1994e2c0893",
"date":"2020-02-15T06:53:57"}
}

我能够从服务器检索身份验证令牌并已通过 AAD 授予所有权限,但我仍然面临同样的问题。 如果有人可以帮助我,那就太好了。 我正在使用 Microsoft Graph API。

下面是我正在使用的代码

private const string clientID = "XXXX";
        private const string addInstance = "https://login.microsoftonline.com/{0}";
        private const string tenant = "XYZ";
        private const string resource = "https://graph.windows.net";
        private const string appKey = "appkey";
        static string authority = String.Format(CultureInfo.InvariantCulture, addInstance, tenant);

        private static HttpClient httpclient = new HttpClient();
        private static AuthenticationContext context = null;
        private static ClientCredential credential = null;


        static void Main(string[] args)
        {
            context = new AuthenticationContext(authority);
            credential = new ClientCredential(clientID,appKey);

            Task<string> token = GetToken();
            token.Wait();
            Console.WriteLine(token.Result);

            Task<string> users = GetUsers(token.Result);
            users.Wait();
            Console.WriteLine(users.Result);
            //Console.ReadLine();
        }

        private static async Task<string> GetUsers(string result)
        {
            string users = null;
            string queryString = "api-version=1.6";
            var uri = "https://graph.windows.net/ *The Microsoft 365 account assosciated with the tenant* /users?"+ queryString;
            httpclient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result);
            var getResult = await httpclient.GetAsync(uri);
            if (getResult != null)
            {
                users = await getResult.Content.ReadAsStringAsync();
            }
            return users;
        }


        private static async Task<string> GetToken()
        {
            AuthenticationResult result = null;
            string token = null;
            result = await context.AcquireTokenAsync(resource, credential);
            token = result.AccessToken;
            return token;
        }
    }

【问题讨论】:

  • 分享您的令牌请求代码以及您尝试使用哪个graph API 将有助于解决问题。
  • 我已经添加了代码,希望它有助于分析问题
  • 您是否拥有User.ReadWrite.AllUser.Read.All 权限?并确保您点击了Grant admin consent,另外在https://jwt.io/ 上检查您的令牌,以确认它在那里需要权限。
  • 两个权限均已授予,并且令牌已在您提供的链接上验证(签名验证)。

标签: c# api azure-active-directory microsoft-graph-api


【解决方案1】:

我已经尝试过以下方式并且对我来说非常有效。 

       //Token Request End Point
        string tokenUrl = $"https://login.microsoftonline.com/yourTenant.onmicrosoft.com/oauth2/token";
        var tokenRequest = new HttpRequestMessage(HttpMethod.Post, tokenUrl);

        //I am Using client_credentials as It is mostly recommended
        tokenRequest.Content = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "client_credentials",
            ["client_id"] = "b603c7be-a956_Your_Client_Id_a45996-e6921e61f36955",
            ["client_secret"] = "Vxf1SluKbgu4PF0loj_Your_Client_Secret_okjh8wL/yujh45lojhgg=",
            ["resource"] = "https://graph.windows.net" 
        });

        dynamic json;
        AccessTokenClass results = new AccessTokenClass();
        HttpClient client = new HttpClient();

        var tokenResponse = await client.SendAsync(tokenRequest);

        json = await tokenResponse.Content.ReadAsStringAsync();
        results = JsonConvert.DeserializeObject<AccessTokenClass>(json);


        //New Block For Accessing Data from Microsoft Graph Rest API
        HttpClient _client = new HttpClient();

        HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, string.Format("https://graph.windows.net/YourTenant.onmicrosoft.com/users?api-version=1.6"));

        //Passing Token For this Request
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", results.access_token);

        //Check The Response and extract response data
        HttpResponseMessage response = await _client.SendAsync(request);
        dynamic objGpraphUserList = JsonConvert.DeserializeObject<dynamic>(await response.Content.ReadAsStringAsync());

        return objGpraphUserList

使用的类: 

 public class AccessTokenClass
    {
        public string token_type { get; set; }
        public string expires_in { get; set; }
        public string resource { get; set; }
        public string access_token { get; set; }
    }

我按预期获得了用户列表。查看屏幕截图。

验证您的令牌:

https://jwt.io/ 上检查您的令牌,该令牌应具有User.ReadWrite.AllUser.Read.All 应用权限

注意: 您应该对Azure Active Directory Graph拥有以下权限


更多信息请参考this official document

希望这会有所帮助。

【讨论】:

    猜你喜欢
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 2017-11-03
    • 2018-06-13
    • 2018-01-24
    • 1970-01-01
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode