Authorization_IdentityNotFound 错误 MS Graph API错误、Authorization_IdentityNotFound、MS、API

2023-09-06 17:27:35 作者:粉色蔷薇

我们的应用程序将执行简单的 User.ReadBasic.All 功能,据我了解,这些功能不需要管理员权限.使用此处记录的流程:

Our application is going to do simple User.ReadBasic.All functions, which from what I understand do not require Admin permissions. Using the flow documented here: https://graph.microsoft.io/en-us/docs/authorization/app_only

         POST https://login.microsoftonline.com/{tenantId}/oauth2/token              HTTP/1.1
         Content-Type: application/x-www-form-urlencoded

         grant_type=client_credentials
         &client_id=<clientId>
         &client_secret=<clientSecret>
         &resource=https://graph.microsoft.com
使用Identity Server 4建立Authorization Server 6 js angular5 客户端

I am able to get a valid access token, however when calling the graph the following error message is returned:

         "code": "Authorization_IdentityNotFound",  "The identity of the calling application could not be established." 

We have set up our app in the management console to have User.ReadAll.Basic permissions, and what is interesting is that I do get a successful result back from the API when I use my own credentials/token cache to spin up a ConfidentialClientApplication instance with the appId and secret and call AcquireTokenSilentAsync for the token:

      string signedInUserID = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value;
        tokenCache = new SessionTokenCache(
            signedInUserID, 
            HttpContext.Current.GetOwinContext().Environment["System.Web.HttpContextBase"] as HttpContextBase);

        ConfidentialClientApplication cca = new ConfidentialClientApplication(
            appId, 
            redirectUri,
            new ClientCredential(appSecret), 
            tokenCache);

But we are creating a stateless, headless service that is going to have no user interaction and thus ideally we don't want to reply on user credentials and token cache to retrieve the access token. I’m not sure why one scenario works and the other is returning the IdentityNotFound error and any advice you have is welcome.

解决方案

which from what I understand do not require Admin permissions.

AFAIK,When using client credentials flow ,we need to set application permission to app , delegate permissions are used for delegated flow .

You could try below code to get users using ADAL :

        string authority = "https://login.microsoftonline.com/a703965c-e057-4bf6-bf74-1d7d82964996";
        AuthenticationContext authenticationContext = new AuthenticationContext(authority, false);
        var result= await authenticationContext.AcquireTokenAsync("https://graph.microsoft.com", new ClientCredential("clientid", "clientsecret"));


        string sURL = "https://graph.microsoft.com/v1.0/users";

        WebRequest request1 = WebRequest.Create(sURL);
        request1.Method = "GET";
        request1.Headers.Add("Authorization", "Bearer " + result.AccessToken);
        HttpWebResponse response1 = (HttpWebResponse)request1.GetResponse();
        if (response1.StatusCode == HttpStatusCode.OK)
        {
            // some code
        }

You could set "Read all users' full profiles" application permission for Microsfot Graph(for testing):