Authorization_IdentityNotFound Error while accessing graph API

Posted by 戏子无情 on 2019-12-19 03:42:24

Question


I have searched for the error I am getting and did not find any matching questions, so I am posting this one. I would appreciate it if someone could provide some pointers on how to proceed.

My goal is to access the Graph API from my desktop client. I have started using Fiddler to experiment.

  • I have followed the instructions provided at https://graph.microsoft.io/en-us/docs/authorization/app_only
  • Registered a Web App in the Application Registration portal using my Microsoft work account.
  • Granted 'Read all users' full profiles' under Delegated permissions
  • Requested a token and used it in the Authorization header to call the Graph API; I am getting the following error.

    https://graph.microsoft.com/v1.0/users
    119
    {
      "error": {
        "code": "Authorization_IdentityNotFound",
        "message": "The identity of the calling application could not be established.",
        "innerError": {
          "request-id": "4c3a7bc6-e3d8-453c-adc9-5a12fec3b0ee",
          "date": "2016-05-11T00:46:23"
        }
      }
    }
    

Answer 1:


This sample helped me understand the flows around app-only permissions. https://blogs.msdn.microsoft.com/tsmatsuz/2016/10/07/application-permission-with-v2-endpoint-and-microsoft-graph/

Key takeaways for me:

  • Ensure you set up the app and specify the Application Permissions needed
  • Do have an admin grant the app permission to run against the relevant directory.
  • Get the relevant token:

    Notice the scope in the request below is https://graph.microsoft.com/.default

    POST https://login.microsoftonline.com/{tenantname}.onmicrosoft.com/oauth2/v2.0/token
    Content-Type: application/x-www-form-urlencoded
    
    grant_type=client_credentials&client_id=6abf3364-0a60-4603-8276-e9abb0d843d6&client_secret=JfgrNM9CcW...&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
    
  • Use the token to request the relevant Graph resource, e.g.:

    GET https://graph.microsoft.com/v1.0/users/demouser01@[tenant-name].onmicrosoft.com/drive/root/children
    Accept: application/json
    Authorization: Bearer eyJ0eXAiOi
    



Answer 2:


For me, I had not given admin consent. This is a critical step. My mistake was in thinking that by granting the app permissions, this was giving admin consent, but it's not the same thing.

From step 3 on this site: https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service

I just pasted their call into a browser after filling in the tenant and client id, then signed in, and everything worked.

    GET https://login.microsoftonline.com/{tenant}/adminconsent
    ?client_id=6731de76-14a6-49ae-97bc-6eba6914391e
    &state=12345
    &redirect_uri=http://localhost/myapp/permissions



Answer 3:


You'll find that this document is a better set of instructions for app-only apps.

There are two issues from your description that stand out.

  1. You'll need to make the call with an X509 certificate for app-only flows.
  2. You need to set up application scopes rather than delegated scopes on your app; delegated scopes are for delegated flows, not app-only flows.
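As an added worked example (not from the question or any of the answers), the Python below builds the client_credentials token request and admin-consent URL that answers 1 and 2 show, and decodes a bearer token's payload to tell an app-only token (application permissions in the `roles` claim) from a delegated one (`scp` claim), which is the distinction answer 3 draws. The tenant, client id, secret and token values are constructed placeholders, and `make_unsigned_token` exists only to build offline test tokens.

```python
import base64
import json
from urllib.parse import urlencode

GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"


def token_request(tenant, client_id, client_secret):
    """POST URL and form body for the client_credentials grant (answer 1).
    The scope is Graph's '.default' scope, not an individual permission name."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_DEFAULT_SCOPE,
    })
    return url, body


def admin_consent_url(tenant, client_id, redirect_uri, state):
    """Admin-consent URL from answer 2; a tenant admin opens it once in a browser."""
    query = urlencode({"client_id": client_id, "state": state, "redirect_uri": redirect_uri})
    return f"https://login.microsoftonline.com/{tenant}/adminconsent?{query}"


def _b64url(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt):
    """Decode the payload only; no signature check, this is for local inspection."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(_b64url(payload))


def diagnose(claims):
    """Map claims to the causes the answers discuss. Microsoft identity platform
    tokens carry application permissions in 'roles' and delegated permissions in
    'scp'; an app-only token without 'roles' cannot read /users."""
    if claims.get("roles"):
        return "app-only token with application permissions: " + ", ".join(claims["roles"])
    if claims.get("scp"):
        return "delegated token (scp claim); app-only flows need application permissions"
    return "no roles claim: add application permissions and have an admin grant consent"


def make_unsigned_token(claims):
    """Constructed sample token (alg=none, empty signature) for offline tests only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."
```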


Source: https://stackoverflow.com/questions/37151346/authorization-identitynotfound-error-while-accessing-graph-api
