1. 技术文章
  2. Can application in public cloud be authorized to fetch data from government tenant via graph api?

Can application in public cloud be authorized to fetch data from government tenant via graph api?

隐身守侯 提交于 2020-12-13 05:05:35

问题


I'm trying to fetch email list from government tenant via graph api and it worked fine until last week. I'm using client credentials flow. Last week i started to get the following error when trying to authorize my app in government tenants:

oauthlib.oauth2.rfc6749.errors.InvalidClientIdError: (invalid_request) AADSTS900441: Requests to applications hosted in the public cloud are not supported for USGov tenants.

Is there a way to authorize application from public azure cloud to read data from government tenant?

EDIT: code example and debug logs

    from oauthlib.oauth2 import BackendApplicationClient
    
    client = BackendApplicationClient(client_id=config.CLIENT_ID)
    MSGRAPH = requests_oauthlib.OAuth2Session(
        client=client
    )
    
    token = MSGRAPH.fetch_token(
        'https://login.microsoftonline.us' + '/<tenant>' + config.TOKEN_ENDPOINT,
        client_id=config.CLIENT_ID,
        client_secret=config.CLIENT_SECRET,
        include_client_id=True,
        scope=['https://graph.microsoft.us/.default'])

    endpoint = config.RESOURCE + config.API_VERSION + '/users'
    graphdata = MSGRAPH.get(endpoint).json()

DEBUG:requests_oauthlib.oauth2_session:Requesting url https://login.microsoftonline.us/<tenant-id>/oauth2/v2.0/token using method POST.
DEBUG:requests_oauthlib.oauth2_session:Supplying headers {u'Content-Type': u'application/x-www-form-urlencoded;charset=UTF-8', u'Accept': u'application/json'} and data {u'client_secret': u'...', u'grant_type': u'client_credentials', u'client_id': u'...', u'scope': u'https://graph.microsoft.us/.default'}
DEBUG:requests_oauthlib.oauth2_session:Passing through key word arguments {'verify': True, 'json': None, 'proxies': None, 'timeout': None, 'auth': None}.
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): login.microsoftonline.us:443
DEBUG:urllib3.connectionpool:https://login.microsoftonline.us:443 "POST /<tenant-id>/oauth2/v2.0/token HTTP/1.1" 400 522
DEBUG:requests_oauthlib.oauth2_session:Prepared fetch token request body grant_type=client_credentials&client_id=...&client_secret=...&scope=https%3A%2F%2Fgraph.microsoft.us%2F.default
DEBUG:requests_oauthlib.oauth2_session:Request to fetch token completed with status 400.

Basically i see this error when i'm trying to fetch access token. Adminconsent was already given to my application by tenant admin. This code worked for Gov tenants for month or so and suddenly stopped to work.


回答1:


AAD started enforcing this about a month ago, GCC High/DoD tenants cannot use confidential apps published in commercial cloud. You need to publish your app from a GCC High/DoD tenant.



来源:https://stackoverflow.com/questions/64229652/can-application-in-public-cloud-be-authorized-to-fetch-data-from-government-tena

标签
azure-gov
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!