【发布时间】:2020-11-25 14:42:58
【问题描述】:
在我的应用程序中,我使用 passport-azure-ad 的 OIDCStrategy 策略使用 Azure AD 实现了登录模式。现在我正在尝试使用登录微软后收到的访问令牌进行 Graph 的列表用户 api 调用。但是我收到了这个错误。
GraphError {
statusCode: 403,
code: 'Authorization_RequestDenied',
message: 'Insufficient privileges to complete the operation.',
request-id:"XXXX",
date: 2020-11-24T09:24:05.000Z,
body: '{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2020-11-24T14:54:05","request-id":"XXXX","client-request-id":"XXXXXXX"}}'
}
我的应用程序有这么多权限,但我仍然收到上述错误。我做错了什么?
这是解码后的访问令牌对象:
{"aud":"00000003-0000-0000-c000-000000000000","iss":"https://sts.windows.net/7adbf72e-a1bf-48dc-8646-f09a986d8cf5/","iat":1606229343,"nbf":1606229343,"exp":1606233243,"acct":1,"acr":"1","acrs":["urn:user:registersecurityinfo","urn:microsoft:req1","urn:microsoft:req2","urn:microsoft:req3","c1","c2","c3","c4","c5","c6","c7","c8","c9","c10","c11","c12","c13","c14","c15","c16","c17","c18","c19","c20","c21","c22","c23","c24","c25"],"aio":"AUQAu/8RAAAAOsguW0xieoa2CFuuDvL0jrUAtSMCWcD3IdbuCmn3lJuENH6iLn9d8hRFHUma9pcCBZX/wJfdyN6bA61m7ntpgg==","altsecid":"5::10032000C782425B","amr":["pwd"],"app_displayname":"ODP Local App","appid":"57ceab52-f7b8-4de4-a3ad-25dad057c497","appidacr":"1","email":"xxxx@xxxx.com","idp":"https://sts.windows.net/f6e57c1b-6cbc-42a4-8e89-39e1bef6c49f/","idtyp":"user","ipaddr":"49.207.220.153","name":"xxxx.xxxx","oid":"e4c3eda9-513d-4cb6-bfb7-d13a856226bc","platf":"5","puid":"10032000C7758CA0","rh":"0.AAAALvfber-h3EiGRvCamG2M9VKrzle49-RNo60l2tBXxJceAJc.","scp":"Directory.Read.All Mail.Read openid profile User.Read User.Read.All User.ReadBasic.All email","sub":"nFYoEl4fstYqfN3kFRucklSfbW6dOoYKBf4KkCDwrkk","tenant_region_scope":"NA","tid":"7adbf72e-a1bf-48dc-8646-f09a986d8cf5","unique_name":"xxxx@xxxx.com","uti":"IjWpoZpXkEex8C9Om31AAA","ver":"1.0","wids":["13bd1c72-6f4a-4dcf-985f-18d3b80f208a"],"xms_st":{"sub":"Hg0g_xypTWd5nXzHsNNOTQQwBlABxJ-NlyRDj8JqsuM"},"xms_tcdt":1540458072}
PS:当登录的用户被分配Application administrator 角色时,API 会成功。用户是否需要/users api 的单独角色?应用权限还不够吗?
【问题讨论】:
-
能否提供错误信息的相关id和时间戳
-
这个工作
{"date":"2020-11-24T15:12:56","request-id":"a6811530-3cc6-416f-af99-9c074f40164b","client-request-id":"9ea2a495-ba9d-c10a-c837-361e49343dcf"}吗? -
@lone_worrior api调用不需要为用户分配角色,它只是不支持个人微软帐户,你可以使用jwt.ms来解析你的访问令牌并提供截图吗?
-
@CarlZhao 我已经用令牌数据更新了问题。它们也不是个人微软帐户。
-
@lone_worrior 来宾用户具有受限的目录权限。他们可以管理自己的个人资料、更改自己的密码并检索有关其他用户、组和应用程序的一些信息,但是,他们无法读取所有目录信息。例如,来宾用户无法枚举所有用户、组和其他目录对象的列表。可以将来宾添加到管理员角色,从而授予他们角色中包含的完全读取和写入权限。客人也可以邀请其他客人。
标签: node.js azure-active-directory microsoft-graph-api openid-connect passport-azure-ad