问题
just started in the graph/office API and wow is it a minefield!
Just wondering if anyone can give me any advice? I am getting a 401 when I attempt to contact https://graph.microsoft.com/beta/me/files.
My JWT is as follows:
{
"aud": "https://graph.windows.net/",
"iss": "https://sts.windows.net/916970f4-e570-4036-a353-8ae647af1d3e/",
"iat": 1444794383,
"nbf": 1444794383,
"exp": 1444798283,
"ver": "1.0",
"tid": "916970f4-e570-4036-a353-8ae647af1d3e",
"oid": "c454b826-612f-4525-8995-87f1a24dc3df",
"sub": "c454b826-612f-4525-8995-87f1a24dc3df",
"idp": "https://sts.windows.net/916970f4-e570-4036-a353-8ae647af1d3e/",
"appid": "568d0906-4131-4b97-8b08-9efdbe1636c4",
"appidacr": "1"
}
My tokens are aquired in a rather odd way... I have a web project azure AD, who's token is used to aquire a web api Azure Ad token, then that Token is used to produce the graph api jwt as shown above.
Heres how it woks:
回答1:
Sorry you are running in to issues here. Two things...
- You are getting a 401 because the audience of the token is for Azure AD Graph API, but it needs to be for the Office 365 unified API, since these are 2 differently APIs. To get a token for the unified API, you need to specify the resource in your token acquisition request as https://graph.microsoft.com. Basically tokens cannot be interchangeably used against different services - tokens are audience/resource specific. We should have some extra information and samples for this here http://dev.office.com/unifiedapis.
- The Office 365 unified API ONLY supports the code flows (aka app+user or delegated flows). Your token appears to be a client credentials flow token (i.e. app only - no user context). This kind of token/flow is not possible yet with the unified api, but it is something we are working on. Stay tuned.
Hope this helps,
来源:https://stackoverflow.com/questions/33116473/graph-api-401-unauthorised