Authorization_IdentityNotFound error MS Graph API

Submitted by 吖頭 on 2019-12-20 05:39:51

Question


Our application is going to do simple User.ReadBasic.All functions, which from what I understand do not require Admin permissions. Using the flow documented here: https://graph.microsoft.io/en-us/docs/authorization/app_only

    POST https://login.microsoftonline.com/{tenantId}/oauth2/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded

    grant_type=client_credentials
    &client_id=<clientId>
    &client_secret=<clientSecret>
    &resource=https://graph.microsoft.com

I am able to get a valid access token, however when calling the graph the following error message is returned:

    "code": "Authorization_IdentityNotFound", "The identity of the calling application could not be established."

We have set up our app in the management console to have User.ReadBasic.All permissions, and what is interesting is that I do get a successful result back from the API when I use my own credentials/token cache to spin up a ConfidentialClientApplication instance with the appId and secret and call AcquireTokenSilentAsync for the token:

    // Identify the signed-in user and load that user's session token cache
    string signedInUserID = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value;
    tokenCache = new SessionTokenCache(
        signedInUserID,
        HttpContext.Current.GetOwinContext().Environment["System.Web.HttpContextBase"] as HttpContextBase);

    // Confidential client built from the app id/secret on top of that cache;
    // AcquireTokenSilentAsync then reuses the user's cached tokens
    ConfidentialClientApplication cca = new ConfidentialClientApplication(
        appId,
        redirectUri,
        new ClientCredential(appSecret),
        tokenCache);

But we are creating a stateless, headless service that is going to have no user interaction, and thus ideally we don't want to rely on user credentials and a token cache to retrieve the access token. I'm not sure why one scenario works and the other is returning the IdentityNotFound error, and any advice you have is welcome.


Answer 1:


which from what I understand do not require Admin permissions.

AFAIK, when using the client credentials flow, we need to set application permissions on the app; delegated permissions are used for the delegated flow.

You could try the code below to get users using ADAL:

    using System.Net;
    using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL

    // The lines below go inside an async method because of the await.
    string authority = "https://login.microsoftonline.com/a703965c-e057-4bf6-bf74-1d7d82964996";
    AuthenticationContext authenticationContext = new AuthenticationContext(authority, false);
    // Client credentials flow: app-only token, no signed-in user involved
    var result = await authenticationContext.AcquireTokenAsync("https://graph.microsoft.com", new ClientCredential("clientid", "clientsecret"));

    string sURL = "https://graph.microsoft.com/v1.0/users";

    WebRequest request1 = WebRequest.Create(sURL);
    request1.Method = "GET";
    request1.Headers.Add("Authorization", "Bearer " + result.AccessToken);
    using (HttpWebResponse response1 = (HttpWebResponse)request1.GetResponse())
    {
        if (response1.StatusCode == HttpStatusCode.OK)
        {
            // some code
        }
    }

You could set the "Read all users' full profiles" application permission for Microsoft Graph (for testing).
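A quick way to confirm the answer's point before calling Graph is to look at the claims of the token the client_credentials request returns: Azure AD places application permissions in the `roles` claim and delegated scopes in the `scp` claim, so a client_credentials token for an app that only has delegated permissions configured carries neither. The following Python is an added diagnostic, not code from the question or the answer; the sample tokens, tenant and app ids are constructed placeholders, and the signature is not verified (this is a local inspection of a token you just received, not an authentication check).

```python
import base64
import json
from urllib.parse import urlencode

GRAPH_RESOURCE = "https://graph.microsoft.com"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_client_credentials_body(client_id: str, client_secret: str,
                                  resource: str = GRAPH_RESOURCE) -> str:
    """Form body for the v1 token endpoint request shown in the question."""
    return urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    })


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a JWT WITHOUT verifying its signature.

    Only for inspecting a token you obtained from the identity provider
    yourself; never use this to authenticate a caller.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def classify_graph_token(token: str) -> dict:
    """Report which kind of Graph token this is and what it may do.

    Application permissions appear in `roles`, delegated scopes in `scp`.
    A client_credentials token for an app with only delegated permissions
    configured has neither, which is the situation the question describes.
    """
    claims = decode_jwt_payload(token)
    roles = list(claims.get("roles", []))
    scopes = claims.get("scp", "").split()
    if scopes:
        kind = "delegated"
    elif roles:
        kind = "app-only"
    else:
        kind = "app-only-without-permissions"
    return {"kind": kind, "roles": roles, "scopes": scopes,
            "aud": claims.get("aud"), "appid": claims.get("appid")}


def make_sample_token(claims: dict) -> str:
    """Build an UNSIGNED token with the given claims (constructed test data)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed sample claims; tenant and app ids are placeholders, not real values.
_BASE = {"aud": GRAPH_RESOURCE, "tid": "00000000-0000-0000-0000-000000000000",
         "appid": "11111111-1111-1111-1111-111111111111"}
APP_ONLY_TOKEN = make_sample_token({**_BASE, "roles": ["User.Read.All"]})
DELEGATED_TOKEN = make_sample_token({**_BASE, "scp": "User.ReadBasic.All",
                                     "upn": "user@example.com"})
NO_PERMISSION_TOKEN = make_sample_token(_BASE)  # what the question's flow yields

if __name__ == "__main__":
    for name, tok in [("app-only", APP_ONLY_TOKEN), ("delegated", DELEGATED_TOKEN),
                      ("no permissions", NO_PERMISSION_TOKEN)]:
        print(name, classify_graph_token(tok))
```

If `classify_graph_token` reports `app-only-without-permissions` for the token your headless service gets back, the app registration has no application permissions granted, and the fix is the one the answer gives: grant an application permission (such as "Read all users' full profiles") rather than a delegated one, since client_credentials never involves a user whose delegated consent could apply.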



Source: https://stackoverflow.com/questions/42538845/authorization-identitynotfound-error-ms-graph-api
