【发布时间】:2021-01-28 01:38:42
【问题描述】:
根据文档https://docs.microsoft.com/en-us/graph/api/profilephoto-get?view=graph-rest-beta - 为了获取用户照片,我们需要执行 HTTP 请求 https://graph.microsoft.com/beta/users/{userId}/photo/$value 提供访问令牌和用户 ID。 使用客户端凭据流,我可以接收特定组织(租户 ID)的访问令牌,例如:
public static String getAppAccessToken(String[] scopes) {
ConfidentialClientApplication cca;
try {
cca = ConfidentialClientApplication.builder(applicationId, ClientCredentialFactory.createFromSecret(applicationSecret))
.authority("https://login.microsoftonline.com/<<tenantId>>/")
.build();
} catch (MalformedURLException e) {
return null;
}
Set<String> scopeSet = Set.of(scopes);
ClientCredentialParameters clientCredentialParam = ClientCredentialParameters.builder(
scopeSet)
.build();
CompletableFuture<IAuthenticationResult> future = cca.acquireToken(clientCredentialParam);
return future.join().accessToken();
}
但是以这种方式接收的访问令牌只允许接收组织用户的照片,该组织的租户 ID 与 Azure Active Directory 应用程序注册中注册的机器人应用程序的租户 ID 相同。 是否可以使用客户端凭据流令牌从安装了我的机器人的其他组织接收用户的照片? 在这种情况下,我收到:
{
"error": {
"code": "UnknownError",
"message": "{\"error\":{\"code\":\"NoPermissionsInAccessToken\",\"message\":\"The token contains no permissions, or permissions can not be understood.\",\"innerError\":{\"oAuthEventOperationId\":\"d90f2331-a22a-44d5-889e-c0c14ea9129e\",\"oAuthEventcV\":\"n+NecjM040KWn+2G+e5oFQ.1\",\"errorUrl\":\"https://aka.ms/autherrors#error-InvalidGrant\",\"requestId\":\"0b6bb579-94a7-47ac-8ff9-26ee893e5cb0\",\"date\":\"2021-01-28T00:57:52\"}}}",
"innerError": {
"date": "2021-01-28T00:57:52",
"request-id": "0b6bb579-94a7-47ac-8ff9-26ee893e5cb0",
"client-request-id": "0b6bb579-94a7-47ac-8ff9-26ee893e5cb0"
}
}
}
【问题讨论】:
-
这个问题stackoverflow.com/questions/56503643/…和我的差不多!
标签: azure-active-directory botframework microsoft-teams microsoft-graph-teams