AzureAD multitenant app - "Authorization_RequestDenied": "Insufficient privileges to complete the operation"
I am referring to the Multitenant-saas-app sample. I am trying to get an access token to access the Graph API, then silently acquire a token and access the Graph API again.
Getting the authorization code with the /common endpoint for the multitenant app:
private string resourceID = "https://graph.windows.net";
string authorizationRequest = String.Format(
"https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id={0}&resource={1}&redirect_uri={2}&state={3}",
Uri.EscapeDataString(ConfigurationManager.AppSettings["ida:ClientID"]),
Uri.EscapeDataString("https://graph.windows.net"),
Uri.EscapeDataString(this.Request.Url.GetLeftPart(UriPartial.Authority).ToString() + "/Onboarding/ProcessCode"),
Uri.EscapeDataString(stateMarker)
);
return new RedirectResult(authorizationRequest);
In the authorization code redirect handler (/Onboarding/ProcessCode):
ClientCredential credential = new ClientCredential(ConfigurationManager.AppSettings["ida:ClientID"],
ConfigurationManager.AppSettings["ida:Password"]);
AuthenticationContext authContext = new AuthenticationContext("https://login.windows.net/common/");
//Get token to access graph API
AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(
code, new Uri(Request.Url.GetLeftPart(UriPartial.Path)), credential, resourceID);
AuthenticationHelper.token = result.AccessToken;
This works fine: I get the access token and I can access the tenant's AzureAD resources.
ActiveDirectoryClient client = AuthenticationHelper.GetActiveDirectoryClient();
IPagedCollection<IUser> pagedCollection = await client.Users.ExecuteAsync();
Now I try to get an offline access token from the token cache. This time I created the AuthenticationContext for the tenant (I also tried /common). This silently gets me a new access token.
string resourceID = "https://graph.windows.net";
//Test
ClientCredential credential = new ClientCredential(ConfigurationManager.AppSettings["ida:ClientID"],
ConfigurationManager.AppSettings["ida:Password"]);
AuthenticationContext authContext = new AuthenticationContext("https://login.microsoftonline.com/mytenant.net");
var auth = await authContext.AcquireTokenAsync(resourceID, credential);
var newToken = auth.AccessToken;
//Set the token for this session
AuthenticationHelper.token = auth.AccessToken;
Then I try to access the API as before,
ActiveDirectoryClient client = AuthenticationHelper.GetActiveDirectoryClient();
IPagedCollection<IUser> pagedCollection = await client.Users.ExecuteAsync();
and I get the exception below:
Error = "Authorization_RequestDenied": "Insufficient privileges to complete the operation".
Am I doing something wrong here?
Here are my application's permissions:
When you use a multitenant application, the tenant admin needs to grant access to the application. Maybe that is the problem? Are there any further error message details? – RasmusW
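As an added diagnostic (not part of the question or of the Multitenant-saas-app sample): the token returned by AcquireTokenAsync(resource, clientCredential) comes from the client-credentials grant, so it is an app-only token whose permissions live in the `roles` claim (application permissions a tenant admin must consent to), whereas the authorization-code flow returns a delegated token with an `scp` claim. The Python below decodes the payload of both token shapes (constructed samples, no signature check) and reports which kind each is and whether it carries any permission at all, which is the first thing to inspect when AzureAD Graph answers Authorization_RequestDenied.

```python
import base64
import json

# Constructed sample tokens mimicking the claim layout of Azure AD access
# tokens issued for the Azure AD Graph resource (https://graph.windows.net).
# They are unsigned stand-ins for diagnosis, not real tokens.
RESOURCE = "https://graph.windows.net"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(payload: dict) -> str:
    """Build header.payload.signature with a dummy signature (test data only)."""
    header = _b64url(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}.dummysig"

def decode_payload(token: str) -> dict:
    """Diagnostic decode of the payload; performs NO signature validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def classify_token(token: str) -> dict:
    """Delegated tokens carry 'scp'; app-only tokens carry 'roles'.
    An app-only token with no 'roles' has no consented application
    permission, which is what Authorization_RequestDenied reports."""
    claims = decode_payload(token)
    scopes = claims.get("scp", "").split()
    roles = claims.get("roles", [])
    return {
        "kind": "delegated" if scopes else "application",
        "audience": claims.get("aud"),
        "tenant": claims.get("tid"),
        "permissions": scopes or roles,
        "has_permissions": bool(scopes or roles),
    }

if __name__ == "__main__":
    # Shape of the token from the authorization-code flow (signed-in user)
    user_token = make_sample_token({"aud": RESOURCE, "tid": "<tenant-id>",
                                    "oid": "<user-oid>", "scp": "User.Read Directory.Read.All"})
    # Shape of the client-credentials token when no application permission was granted
    app_token = make_sample_token({"aud": RESOURCE, "tid": "<tenant-id>", "appid": "<client-id>"})
    for t in (user_token, app_token):
        print(classify_token(t))
```

On a real token, an `application` result with an empty permission list means the app registration has no application permission consented in that tenant; switching the silent call to a user-bound silent acquisition (or having the tenant admin consent to application permissions) is the fix, not changing the authority URL.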