I am trying to develop a webapp to let a user browse his Active Directory contacts.
I have two accounts: one to register the application (developer account) and the other that would be the general user who have access to Office365 (user account).
I have set up a Javascript client following the Azure AD Graph API documentation.
By now, I am able to prompt the user to login and retrieve an access token, but when I try to make a request, I always get a 401 error.
I am pretty new to Azure, so I don't really understand if the problem is in my application configuration or in my code.
I am able to browse the Graph API explorer with my user account, so I don't think he's missing the authorization to access it.
I am really confused.
我正在尝试开发一个webapp,让用户浏览他的Active Directory联系人。我有两个帐户:一个用于注册应用程序(开发者帐户),另一个用户可以访问Office365(用户帐户)。我按照Azure AD Graph API文档设置了一个Javascript客户端。到现在为止,我能够提示用户登录并检索访问令牌,但是当我尝试发出请求时,我总是会收到401错误。我是Azure的新手,所以我真的不明白问题是在我的应用程序配置中还是在我的代码中。我可以使用我的用户帐户浏览Graph API资源管理器,因此我认为他没有错过访问它的授权。我真的很困惑。
I try to add all the steps I am doing, hoping someone could point out the error.
我尝试添加我正在做的所有步骤,希望有人能指出错误。
Request 1:
要求1:
Url: https://login.windows.net/{my tenant id or common (both are working) }/oauth2/authorize
Method: GET
Params:
redirect_uri // my redirect url, the same I registered in my application. It is just a page that returns the content of the URL
client_id // my client id
response_type // code
state // a random generated string, not required, but reccomanded
resource // https://graph.windows.net
Response 1:
回复1:
code // A long string
state // The string I sent in the request
session_state // Another string
Request 2:
要求2:
Url: https://login.windows.net/{my tenant id or common (both are working) }/oauth2/token
Method: POST
Params:
redirect_uri // it won't be necessary, but in some post they reccomand to add it
client_id // my client id
client_secret // my client secret
code // the code retrieved from Request 1
grant_type // authorization_code
state // a random generated string
resource // https://graph.windows.net
Response 2:
回应2:
token_type // Bearer
access_token // a long token
id_token // exploring it with the JWT tool, shows it has the correct app id
refresh_token // a long code
resource // the same I sent in the request
scope // Directory.Read UserProfile.Read
expires_in
expires_on
a couple of other irrelevant keys
Request 3:
要求3:
Url: https://graph.windows.net/{the domain the logged account belong to}/contacts
Method: GET
Headers:
Authorization: Bearer {the access token retrieved from request 2}
Params:
api-version = 1.5 // The value suggested in the documentation.
Response 3:
回应3:
{
"odata.error": {
"code": "Authentication_MissingOrMalformed",
"message": {
"lang": "en",
"value": "Access Token missing or malformed."
},
"values": null
}
}
This is the content of my Access Token:
这是我的访问令牌的内容:
{
typ: "JWT",
alg: "RS256",
x5t: "foofoofoofoo"
}.
{
aud: "https://graph.windows.net",
iss: "https://sts.windows.net/<SOMEGUID>/",
iat: 1418224761,
nbf: 1418224761,
exp: 1418228661,
ver: "1.0",
tid: "<SOMEGUID>",
amr: [
"pwd"
],
idp: "https://sts.windows.net/<SOMEGUID>/",
email: "myuseremail@contoso.com",
unique_name: "myuseremail@contoso.com",
sub: "barbarbarbar",
altsecid: "<an-id>",
family_name: "Last Name",
given_name: "First Name",
appid: "<MY APP ID>",
appidacr: "1",
scp: "Directory.Read UserProfile.Read",
acr: "1"
}
Answer
So, it looks like user must have the "can consent" authorization to authenticate to his own active directory, and this can be provided just by the administrator.
I posted the same request on the MSDN forum and I got the same answer.
I want sincerely thank @Jason Johnston and @Dan Kershaw since this problem was driving me nut and I would never be able to sort it out without their help.
Unfortunately I can award the bounty to just one of them, so I decided to give it @Jason Johnston for the great patience he had in supporting me in this and another discussion.
因此,看起来用户必须具有“可以同意”授权才能对其自己的活动目录进行身份验证,这可以由管理员提供。我在MSDN论坛上发布了相同的请求,我得到了相同的答案。我真诚地感谢@Jason Johnston和@Dan Kershaw,因为这个问题让我感到疯狂,如果没有他们的帮助,我将永远无法解决问题。不幸的是,我可以将赏金奖励给其中一个,所以我决定给予@Jason Johnston以极大的耐心来支持我和另一个讨论。
2 个解决方案
#1
3
I believe if you actually want to browse the Active Directory, and not just read the authenticated user's profile, you need administrator consent for a web app. See http://msdn.microsoft.com/en-us/library/azure/b08d91fa-6a64-4deb-92f4-f5857add9ed8#BKMK_Graph
我相信如果您确实想要浏览Active Directory,而不仅仅是阅读经过身份验证的用户的个人资料,则需要管理员同意才能使用Web应用程序。请参阅http://msdn.microsoft.com/en-us/library/azure/b08d91fa-6a64-4deb-92f4-f5857add9ed8#BKMK_Graph
If you already knew that, then maybe it's a problem with how you've registered your app or the token itself. Make sure you've selected the appropriate permissions per that link in your app registration. If those look right, then you can check the token. There's a handy little token parser here: http://jwt.calebb.net/. Just paste in the value of your token and it will show you the decoded JSON. Look at the scope or scp parameters.
如果您已经知道这一点,那么可能是您注册应用程序或令牌本身的方式存在问题。确保您已在应用注册中为该链接选择了相应的权限。如果这些看起来正确,那么您可以检查令牌。这里有一个方便的小令牌解析器:http://jwt.calebb.net/。只需粘贴令牌的值,它就会显示已解码的JSON。查看范围或scp参数。
{
"typ": "JWT",
"alg": "RS256",
"x5t": "asdfsadfasdfsa"
}
{
"aud": "https://graph.windows.net/",
"iss": "https://sts.windows.net/<SOMEGUID>",
"iat": 1418158549,
"nbf": 1418158549,
"exp": 1418162449,
"ver": "1.0",
"tid": "<SOMEGUID>",
"amr": [
"pwd"
],
"oid": "<SOMEGUID>",
"upn": "admin@contoso.com",
"unique_name": "admin@contoso.com",
"sub": "askdljalsdfs",
"puid": "1003BFFD88937280",
"family_name": "Administrator",
"given_name": "MOD",
"appid": "<YOUR APP ID>",
"appidacr": "0",
"scp": "Directory.Read user_impersonation UserProfile.Read",
"acr": "1"
}
#2
1
The token you've pasted is missing the OID and UPN, and that'll probably be why you are seeing this error. I'll have to go back and check how this access token could have been issued without those claims.
您粘贴的令牌缺少OID和UPN,这可能就是您看到此错误的原因。我将不得不返回并检查如果没有这些声明,可以如何发出此访问令牌。
#1
3
I believe if you actually want to browse the Active Directory, and not just read the authenticated user's profile, you need administrator consent for a web app. See http://msdn.microsoft.com/en-us/library/azure/b08d91fa-6a64-4deb-92f4-f5857add9ed8#BKMK_Graph
我相信如果您确实想要浏览Active Directory,而不仅仅是阅读经过身份验证的用户的个人资料,则需要管理员同意才能使用Web应用程序。请参阅http://msdn.microsoft.com/en-us/library/azure/b08d91fa-6a64-4deb-92f4-f5857add9ed8#BKMK_Graph
If you already knew that, then maybe it's a problem with how you've registered your app or the token itself. Make sure you've selected the appropriate permissions per that link in your app registration. If those look right, then you can check the token. There's a handy little token parser here: http://jwt.calebb.net/. Just paste in the value of your token and it will show you the decoded JSON. Look at the scope or scp parameters.
如果您已经知道这一点,那么可能是您注册应用程序或令牌本身的方式存在问题。确保您已在应用注册中为该链接选择了相应的权限。如果这些看起来正确,那么您可以检查令牌。这里有一个方便的小令牌解析器:http://jwt.calebb.net/。只需粘贴令牌的值,它就会显示已解码的JSON。查看范围或scp参数。
{
"typ": "JWT",
"alg": "RS256",
"x5t": "asdfsadfasdfsa"
}
{
"aud": "https://graph.windows.net/",
"iss": "https://sts.windows.net/<SOMEGUID>",
"iat": 1418158549,
"nbf": 1418158549,
"exp": 1418162449,
"ver": "1.0",
"tid": "<SOMEGUID>",
"amr": [
"pwd"
],
"oid": "<SOMEGUID>",
"upn": "admin@contoso.com",
"unique_name": "admin@contoso.com",
"sub": "askdljalsdfs",
"puid": "1003BFFD88937280",
"family_name": "Administrator",
"given_name": "MOD",
"appid": "<YOUR APP ID>",
"appidacr": "0",
"scp": "Directory.Read user_impersonation UserProfile.Read",
"acr": "1"
}
#2
1
The token you've pasted is missing the OID and UPN, and that'll probably be why you are seeing this error. I'll have to go back and check how this access token could have been issued without those claims.
您粘贴的令牌缺少OID和UPN,这可能就是您看到此错误的原因。我将不得不返回并检查如果没有这些声明,可以如何发出此访问令牌。