Getting Bad Request Response with graph.microsoft.com, missing UPN and PUID claims

Submitted by 做~自己de王妃 on 2019-12-23 17:26:59

Question


We are trying to use the Office 365 Unified API to make requests against graph.microsoft.com.

Authentication is successful, but the access token is missing the UPN and PUID, which means that the request against https://graph.microsoft.com/beta/me fails.

Authentication Code:

<?php
// authorization code that the authorize endpoint appended to the redirect URI
$code = $_GET['code'];

// build the request body; every value is URL-encoded because the body is
// sent as application/x-www-form-urlencoded
$tokenRequestBody = "grant_type=authorization_code&" .
    "redirect_uri=" . urlencode('<redirectURI>') . "&" .
    "client_id=" . '<clientId>' . "&" .
    "client_secret=" . urlencode('<clientsecret>') . "&" .
    "resource=" . urlencode('https://graph.microsoft.com') . "&" .
    "code=" . urlencode($code);

$request = curl_init("https://login.microsoftonline.com/0e06e1f9-24b3-4026-8bd0-2a6c28937df1/oauth2/token");
curl_setopt($request, CURLOPT_POST, 1);
curl_setopt($request, CURLOPT_POSTFIELDS, $tokenRequestBody);
curl_setopt($request, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
curl_setopt($request, CURLOPT_RETURNTRANSFER, true);

$tokenOutput = curl_exec($request);
// the token endpoint replies with a JSON object that carries access_token
$token = json_decode($tokenOutput);

Graph Request Code:

    $path = "https://graph.microsoft.com/beta/me";

    //perform a REST query for the user
    $request = curl_init($path);
    curl_setopt($request, CURLOPT_HTTPHEADER, array(
        "Authorization: Bearer " . $token->access_token,
        "Accept: application/json"));

    curl_setopt($request, CURLOPT_RETURNTRANSFER, true);
    $response = curl_exec($request);

Decoded Access Token:

{
 typ: "JWT",
 alg: "RS256",
 x5t: "MnC_VZcATfM5pOYiJHMba9goEKY",
 kid: "MnC_VZcATfM5pOYiJHMba9goEKY"
}.
{
 aud: "https://graph.microsoft.com",
 iss: "https://sts.windows.net/0e06e1f9-24b3-4026-8bd0-2a6c28937df1/",
 iat: 1447345801,
 nbf: 1447345801,
 exp: 1447349701,
 acr: "1",
 altsecid: "1:live.com:0003BFFD977FF496",
 amr: [
  "pwd"
 ],
 appid: "<appid>",
 appidacr: "1",
 email: "<emailaddress>",
 family_name: "<familyname>",
 given_name: "<givenname>",
 idp: "live.com",
 ipaddr: "<ipaddress>",
 scp: "Calendars.Read Calendars.ReadWrite Contacts.Read Contacts.ReadWrite Directory.AccessAsUser.All Directory.Read.All Directory.ReadWrite.All Files.Read Files.Read.Selected Files.ReadWrite Files.ReadWrite.Selected Group.Read.All Group.ReadWrite.All Mail.Read Mail.ReadWrite Mail.Send Notes.Create Notes.Read Notes.Read.All Notes.ReadWrite Notes.ReadWrite.All Notes.ReadWrite.CreatedByApp offline_access openid People.Read People.ReadWrite Sites.Read.All Sites.ReadWrite.All User.Read User.Read.All User.ReadBasic.All User.ReadWrite User.ReadWrite.All",
 sub: "5je0Jdv8442iS3rLXa-3a7KWSiKCyBrq9Q0c0d4sbBY",
 tid: "0e06e1f9-24b3-4026-8bd0-2a6c28937df1",
 unique_name: "<uniquename>",
 ver: "1.0"
}.
[signature]

Graph Request Response:

{
  "error": {
    "code": "BadRequest",
    "message": "Missing UPN and PUID claims.",
    "innerError": {
      "request-id": "158c62f6-fece-4f64-bbb5-a1e691334daa",
      "date": "2015-11-12T14:09:40"
    }
  }
}

Would love some help with this! Thanks ahead of time.
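One way to see this failure coming before the Graph call is to decode the access token's payload locally and check which identity claims the STS actually put in it. The PHP below is an added example, not code from the question or from Microsoft; it only base64url-decodes the payload (no signature verification, so it is a diagnostic aid, never a basis for trusting the token), and the set of required claim names (upn, puid) and the treatment of idp/altsecid as a Microsoft-account sign-in are assumptions drawn from the error message and the decoded token on this page. The sample token is constructed from the question's claims with a dummy header and signature.

```php
<?php
// Added example: inspect an Azure AD access token's claims client-side to
// explain a "Missing UPN and PUID claims" response from Graph. Decodes only;
// does NOT verify the signature, so use it for diagnosis, not for trust.

function base64url_decode(string $data): string {
    // JWT segments use the URL-safe alphabet and drop padding
    $padded = strtr($data, '-_', '+/');
    $padded .= str_repeat('=', (4 - strlen($padded) % 4) % 4);
    $decoded = base64_decode($padded, true);
    if ($decoded === false) {
        throw new InvalidArgumentException('Invalid base64url segment');
    }
    return $decoded;
}

function decode_jwt_payload(string $jwt): array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('Expected header.payload.signature');
    }
    $claims = json_decode(base64url_decode($parts[1]), true);
    if (!is_array($claims)) {
        throw new InvalidArgumentException('Payload is not a JSON object');
    }
    return $claims;
}

// Returns human-readable findings; an empty array means nothing obvious would
// stop a delegated /me call. Required claim names are an assumption based on
// the error text "Missing UPN and PUID claims".
function diagnose_graph_token(array $claims, string $expectedAudience): array {
    $findings = [];
    if (($claims['aud'] ?? null) !== $expectedAudience) {
        $findings[] = 'aud is not ' . $expectedAudience;
    }
    foreach (['upn', 'puid'] as $required) {
        if (!isset($claims[$required])) {
            $findings[] = "missing claim: $required";
        }
    }
    // altsecid / idp=live.com mark a Microsoft-account (guest) sign-in rather
    // than a user homed in the tenant directory (assumption from the question)
    if (isset($claims['altsecid']) || (($claims['idp'] ?? '') === 'live.com')) {
        $findings[] = 'signed in with a Microsoft account (idp/altsecid present), not a directory user';
    }
    if (isset($claims['exp']) && $claims['exp'] < time()) {
        $findings[] = 'token expired';
    }
    return $findings;
}

function base64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

// Constructed sample token: the shape of the question's decoded token with
// placeholder values and a dummy signature, so the example runs offline.
$sampleJwt = base64url_encode(json_encode(['typ' => 'JWT', 'alg' => 'RS256']))
    . '.' . base64url_encode(json_encode([
        'aud'         => 'https://graph.microsoft.com',
        'iss'         => 'https://sts.windows.net/<tenant-id>/',
        'exp'         => time() + 3600,
        'altsecid'    => '1:live.com:<placeholder>',
        'idp'         => 'live.com',
        'scp'         => 'User.Read',
        'unique_name' => '<uniquename>',
    ]))
    . '.dummysignature';

foreach (diagnose_graph_token(decode_jwt_payload($sampleJwt), 'https://graph.microsoft.com') as $finding) {
    echo $finding, PHP_EOL;
}
```

Run against the constructed sample this reports the two missing claims and the Microsoft-account sign-in, which is the same condition Graph rejects; calling it on the real $token->access_token right after the token exchange moves that diagnosis to the client side.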


Answer 1:


Here are several points you can check for troubleshooting:

1. In your AD application panel, click the USERS tab to check whether the user is in your Azure AD.

2. Please check whether the procedure for syncing users from on-premises AD or Office 365 to Azure AD completed successfully. You can log in to the Azure portal using an Office 365 account; it will automatically be added to Azure AD the first time it logs in to the Azure portal. Additionally, if something goes wrong or the UPN has conflicts, you may encounter this error.

And you can try the following script in PowerShell to add your Application Service Principal and set the role for your application:

#-----------------------------------------------------------
# This will add your Application Service Principal to
# the Company Administrator role
#-----------------------------------------------------------
$msolcred = Get-Credential
Connect-MsolService -Credential $msolcred

$ClientIdWebApp = 'Your application client id'
$webApp = Get-MsolServicePrincipal -AppPrincipalId $ClientIdWebApp

# use Add-MsolRoleMember to add it to the "Company Administrator" role
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId

You can refer to Manage Azure AD service principals for more information about how to use Azure AD PowerShell.

Furthermore, you can refer to Deep Dive into the Office 365 Unified API for integrating Office 365, and check the prerequisites mentioned in its first section.




Answer 2:


It looks like you are trying to access it using an application identity. An application doesn't have a Me endpoint. Also, you need to add Application Permissions to the app.




Answer 3:


Although the preview of the Microsoft Graph supports authenticating with Microsoft ID, as of January 2016, it does not currently support Microsoft ID authenticating via AAD using the altsecid claim. We are working on a fix for this.



Source: https://stackoverflow.com/questions/33676650/getting-bad-request-response-with-graph-microsoft-com-missing-upn-and-puid-clai
