Question
This works on my application hosted on localhost:
"https://graph.microsoft.com:443/v1.0/sites/test.sharepoint.com,edc2dd46-cea8-4b10-a872-cd1a55ba4529,b14c0787-d4c1-4f4a-9a6c-7e010d794be9/drives/b!Rt3C7ajOEEuocs0aVbpFKYcHTLHB1EpPmmx-AQ15S-nygMtHkkWNRaaOc2GebusJ/items/01VI7PMEF6Y2GOVW7725BZO354PWSELRRZ?%24filter=folder ne null&%24select=id%2cfolder%2cname%2cparentReference%2cwebUrl"
"https://graph.microsoft.com:443/v1.0/sites/test.sharepoint.com,edc2dd46-cea8-4b10-a872-cd1a55ba4529,b14c0787-d4c1-4f4a-9a6c-7e010d794be9/drives/b!Rt3C7ajOEEuocs0aVbpFKYcHTLHB1EpPmmx-AQ15S-nygMtHkkWNRaaOc2GebusJ/items/01VI7PMEF6Y2GOVW7725BZO354PWSELRRZ?%24filter=folder ne null&%24select=id%2cfolder%2cname%2cparentReference%2cwebUrl"
"https://graph.microsoft.com:443/v1.0/sites/test.sharepoint.com,edc2dd46-cea8-4b10-a872-cd1a55ba4529,b14c0787-d4c1-4f4a-9a6c-7e010d794be9/drives/b!Rt3C7ajOEEuocs0aVbpFKYcHTLHB1EpPmmx-AQ15S-nygMtHkkWNRaaOc2GebusJ/root:/Presentation.en-GB.pptx:/microsoft.graph.createUploadSession"
But when I uploaded the application to the production server on Azure as a web app,
I get this error when trying to find the SharePoint site by ID and create an upload session.
Outer: Microsoft.Graph.ServiceException: Code: itemNotFound Message: The resource could not be found.
Inner: Microsoft.Graph.ServiceException: Code: unauthenticated Message: The caller is not authenticated.
Why does it work on localhost and not in my Azure app? The app registrations are different for development and production, but the permissions are the same.
The only difference I know of is that I added the Sites.Read.All permission later, and not when I registered the app for production in https://apps.dev.microsoft.com/.
I am using the Microsoft Graph client to get the access token. I have also tried deleting all offline tokens, but it does not work.
If I remember right, when I added the permission Sites.Read.All I got a new consent request.
Permission enabled in the app: email, Files.Read, Files.ReadWrite, File.ReadWrite.AppFolder, offline_access, openid, profile, Site.Read.All, User.Read
Is anything wrong?
Production Login:
{
typ: "JWT",
alg: "RS256",
kid: "VWVIc1WD1Tksbb301sasM5kOq5Q"
}.
{
aud: "f53962c3-2bd4-4302-adcf-49d9a93ccef0",
iss: "https://login.microsoftonline.com/GUID/v2.0",
iat: 1502142424,
nbf: 1502142424,
exp: 1502146324,
aio: "ATQAy/8DAAAAo99zdMc3jCP7sR8Zw0iKijdu1Nv2AeJOpJ65OHtXb0o8QjTm9O320mHxIAv5tWJw",
c_hash: "APreKq7N3Y0oG8SP6ipZdA",
name: "First name Last name",
nonce: "636377394901824543.ZWQ4MGVkYmEtYTMzMS00ZDUyLTgzZmYtYWFjMmRkNWRjNzhhNTAxMWUyYzItOGNhNi00N2IzLTk5MGEtMTVmYTlhYzBkNDVk",
oid: "4f64d4db-8115-4f19-8554-bedf20688226",
preferred_username: "firstname.lastname@company.com",
sub: "rxGHRTX9YHogzaC_HgOmXvoKJ0Xye6Rk5HPAjLphQRc",
tid: "34e9a1f3-23e1-4ead-b2fd-41660c25cc47",
ver: "2.0"
}.
Local Login:
{
typ: "JWT",
alg: "RS256",
kid: "VWVIc1WD1Tksbb301sasM5kOq5Q"
}.
{
aud: "36d2abdd-2363-4ff9-b597-77d41e0e3b81",
iss: "https://login.microsoftonline.com/GUID/v2.0",
iat: 1502173871,
nbf: 1502173871,
exp: 1502177771,
aio: "ATQAy/8EAAAA2JCq8vpq6La3M0KIKWw1vgJOfhDQyurYRhbCR47qSjByGzPkyZX0zi5y9uYCQS+q",
c_hash: "3JkkVwHgmYiHvR-gVdb22w",
name: "First name Last name",
nonce: "636377709651517241.MDNkOWNhYzMtYjk4NC00OTBkLWI2Y2EtYzU5NmM0NWZjOGExNWQxZmU3MTgtN2RhYS00NjVlLTkwZDgtZjIwOGY4NTcyNTZi",
oid: "4f64d4db-8115-4f19-8554-bedf20688226",
preferred_username: "firstname.lastname@company.com",
sub: "MRN4y1TZ-qG1uxrL7ozf8KbBm0VbcbH7djaKK187qH8",
tid: "34e9a1f3-23e1-4ead-b2fd-41660c25cc47",
ver: "2.0"
}.
Also read comments for more details.
Answer 1:
I found the error by using http://calebb.net/ on the token after the login.
The Azure app registration was missing a permission, Files.ReadWrite.All. Development did not have it either, but the permission was somehow included in the scope.
Bug in Azure? If I remember correctly, I had included a lot of permissions in the app registration and then removed most of them, including Files.ReadWrite.All.
Even when my WebApp did not include the permission in the scope and the app registration, the permission Files.ReadWrite.All was kept in the scope for existing users per app registration, which is why it works in the development environment.
Thank you Marc LaFleur - MSFT.
Source: https://stackoverflow.com/questions/45547735/microsoft-graph-upload-to-sharepoint-drive-the-caller-is-not-authenticated
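
The check the answer describes (decode the access token after login and look at the scopes it carries) can be scripted; this is an added example, not part of the original question or answer. The required scope set, the helper names and the two sample tokens are assumptions constructed for illustration; `scp` is the claim that holds delegated scopes in an Azure AD access token, and an ID token like the dumps in the question has no such claim.

```python
import base64
import json

# Assumption: the scopes the failing calls need, taken from the permissions named in the thread.
REQUIRED_SCOPES = {"Sites.Read.All", "Files.ReadWrite.All"}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    Diagnostic use only: never base an authorization decision on unverified claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def granted_scopes(claims: dict) -> set:
    """Delegated scopes arrive as one space-separated string in the 'scp' claim."""
    return set(claims.get("scp", "").split())


def missing_scopes(token: str, required=REQUIRED_SCOPES) -> set:
    """Scopes the calls need that the token does not carry."""
    return set(required) - granted_scopes(decode_claims(token))


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token for the demo below (not a real token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'RS256'})}.{enc(claims)}.constructed-signature"


# Constructed samples mirroring the thread: the development registration still carries
# Files.ReadWrite.All from an earlier consent, the production registration does not.
DEV_TOKEN = make_sample_token({"scp": "Files.ReadWrite.All Sites.Read.All User.Read"})
PROD_TOKEN = make_sample_token({"scp": "Files.ReadWrite Sites.Read.All User.Read"})

if __name__ == "__main__":
    for label, tok in (("development", DEV_TOKEN), ("production", PROD_TOKEN)):
        print(label, "missing:", sorted(missing_scopes(tok)) or "none")
```

Running the same comparison on the access tokens issued to each app registration shows whether the two environments really receive the same scopes, regardless of what the registration portal lists.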