Question
I have successfully registered my application for graph.microsoft.com, but now it also needs to work with graph.cloudapi.de.
The Application Registration Portal does not seem to be the correct one for the German National Cloud.
Moreover, applications registered in portal.microsoftazure.de only work with the SharePoint API, not Graph.
Here's a sample HTTP exchange between my program and the German Microsoft Cloud. I am hand-coding HTTP requests in Delphi. The exchange works with graph.microsoft.com, but not graph.microsoft.de.
I start the authentication via the following https URL:
login.microsoftonline.de/common/oauth2/v2.0/authorize?response_type=code&client_id=xyz&prompt=login&scope=https%3A%2F%2Fgraph.microsoft.de%2Fuser.read%20&response_mode=query&state=5736109994698155204&redirect_uri=https%3A%2F%2Fwww.syncovery.com%2Foauthresult.php
The cloud then directs to my redirect URL with a long code parameter, such as
code=AQABAAIAAQDnLpu3ikefR73l_aNlxt5xxdvNhQ9JVAI7b0ciTej............
So far, so good. Now the hard part:
POST /common/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.de
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 805

client_id=xyz&client_secret=abc&code=AQABAAIAAQD_very_long&redirect_uri=https%3A%2F%2Fwww.xyz.com%2Foauthresult.php&grant_type=authorization_code&scope=https%3A%2F%2Fgraph.microsoft.de%2Fuser.read%20
Reply:
HTTP/1.1 401 Unauthorized
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
x-ms-request-id: e83986c0-5da4-4af7-92fc-46e2fb950100
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
Set-Cookie: esctx=AQABAAAAA_longish domain=.login.microsoftonline.de; path=/; secure; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 07 Feb 2018 11:11:44 GMT
Content-Length: 449

{
"error": "invalid_client",
"error_description": "AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.\r\nTrace ID: e83986c0-5da4-4af7-92fc-46e2fb950100\r\nCorrelation ID: 044f44e3-ec09-4f76-b073-0ff6b72b696a\r\nTimestamp: 2018-02-07 11:11:45Z",
"error_codes": [70002, 50012],
"timestamp": "2018-02-07 11:11:45Z",
"trace_id": "e83986c0-5da4-4af7-92fc-46e2fb950100",
"correlation_id": "044f44e3-ec09-4f76-b073-0ff6b72b696a"
}
Answer 1:
The apps.dev.microsoft.com portal is global, there isn't a national cloud instance of the portal. You do however need to register your app under an AAD account using "Azure AD only applications" rather than "Converged applications". This is because the v2 Endpoint itself isn't supported by national cloud endpoints yet.
Another problem here is that your URI is also incorrect.
Some notes from the documentation related to Germany:
Microsoft Graph Root Endpoint: https://graph.microsoft.de (not graph.cloudapi.de)
OAuth 2.0 Endpoint: https://login.microsoftonline.de
The Azure AD v2.0 authorization and token endpoints are available on the global service only; they are not yet supported for use with national cloud deployments.
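Added example (not code from the question or the answer): since the answer says the v2.0 endpoints are global-only, this builds the authorization-code flow against the German cloud using the Azure AD v1.0 endpoints (/common/oauth2/authorize and /common/oauth2/token), which identify the API with a resource parameter instead of scope; the endpoint hosts come from the answer's notes, the client id, secret, code and redirect URI are placeholders, and the state check and AADSTS error parsing are assumptions about what a client should do, not anything Microsoft's own libraries do.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed endpoint set for Microsoft Cloud Germany, taken from the answer's notes.
GERMANY = {
    "authority": "https://login.microsoftonline.de/common/oauth2",  # v1.0 base, no /v2.0
    "graph": "https://graph.microsoft.de",
}


def build_authorize_url(client_id, redirect_uri, state, cloud=GERMANY):
    """v1.0 authorize URL: the API is named with resource=, not a scope= URL."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "resource": cloud["graph"],  # replaces scope=https://graph.microsoft.de/user.read
        "response_mode": "query",
        "state": state,  # opaque per-request value, checked on the callback
        "prompt": "login",
    }
    return f"{cloud['authority']}/authorize?{urlencode(params)}"


def build_token_request(client_id, client_secret, code, redirect_uri, cloud=GERMANY):
    """Token POST: secret goes only in the form body over TLS, never in a query string."""
    body = urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,  # must match the one used in the authorize step
        "resource": cloud["graph"],
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Content-Length": str(len(body))}
    return f"{cloud['authority']}/token", headers, body


def check_redirect(redirect_url, expected_state):
    """Accept the callback only if our state came back (CSRF guard); return the code."""
    q = parse_qs(urlparse(redirect_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not started by this client")
    return q["code"][0]


def aadsts_codes(error_body):
    """Numeric AADSTS codes from a token-endpoint error JSON (e.g. 50012 = bad secret)."""
    return json.loads(error_body).get("error_codes", [])
```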
Source: https://stackoverflow.com/questions/48641159/registering-an-application-for-the-microsoft-graph-api-in-the-german-national-cl