1
我想通过微软图拉取经过身份验证的azure活动目录用户的办公室位置,但不断收到403 Forbidden响应。当从一个dotnet核心应用程序访问Microsoft Graph时禁止403
我能够进行身份验证,我可以生成一个访问令牌,但HTTP响应状态代码始终是403
下面是一些代码,我一直在使用,但我有一种感觉,可能是由于配置或权限,请让我知道你需要什么额外的信息。
public class AccountService : IAccountService
{
private readonly AzureAd _adSettings;
public AccountService(IOptions<AzureAd> adSettings)
{
_adSettings = adSettings.Value;
}
public async Task<string> GetStoreIdFromUser(string userId)
{
var storeId = string.Empty;
string accessToken = await GetBearerAccesToken();
using (var client = new HttpClient())
{
using (var request = new HttpRequestMessage(HttpMethod.Get, GetUserUrl(userId)))
{
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
using (var response = await client.SendAsync(request))
{
if (response.StatusCode == HttpStatusCode.OK)
{
var json = JObject.Parse(await response.Content.ReadAsStringAsync());
storeId = json?["physicalDeliveryOfficeName"]?.ToString();
}
}
}
}
return storeId;
}
#region private methods
private string GetUserUrl(string userPrincipalName)
{
return string.Format("https://graph.windows.net/{0}/users/{1}?{2}", _adSettings.TenantId, userPrincipalName, "api-version=1.6");
}
private async Task<string> GetBearerAccesToken()
{
string result = string.Empty;
// Get OAuth token using client credentials
string authString = "https://login.microsoftonline.com/" + _adSettings.TenantId;
AuthenticationContext authenticationContext = new AuthenticationContext(authString, false);
// Config for OAuth client credentials
ClientCredential clientCred = new ClientCredential(_adSettings.ClientId, _adSettings.AppKey);
string resource = "https://graph.windows.net";
AuthenticationResult authenticationResult = await authenticationContext.AcquireTokenAsync(resource, clientCred);
result = authenticationResult.AccessToken;
return result;
}
#endregion
}
你试图访问微软图表或Azure的AD图? –
应该是Microsoft Graph。我在我的AD应用程序注册中添加了该权限。 –
403意思是“我知道你是谁,但你不能访问这个东西。”在https://jwt.io检查令牌,并查看受众群体声明(aud)是Microsoft Graph资源URI('https:// graph.microsoft.com'),并且必需的角色位于令牌中。 – juunas