5

尝试使用 Graph API 创建应用程序时,我从 Azure AD 收到 403 Forbidden 响应:

private static void CreateApplicationViaPost(string tenantId, string clientId, string clientSecret)
{
    var authContext = new AuthenticationContext(
        string.Format("https://login.windows.net/{0}",
        tenantId));

    ClientCredential clientCred = new ClientCredential(clientId, clientSecret);

    AuthenticationResult result = authContext.AcquireToken(
        "https://graph.windows.net",
        clientCred);

    HttpClient client = new HttpClient();
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);

    const string json = @"{ displayName: ""My test app"", logoutUrl: ""http://logout.net"", identifierUris: [ ""http://identifier1.com"" ], replyUrls: [ ""http://replyUrl.net"" ] }";
    HttpResponseMessage response = client.PostAsync(
        string.Format("https://graph.windows.net/{0}/applications?api-version=1.6", tenantId),
        new StringContent(json, Encoding.UTF8, "application/json")).Result;

    Console.WriteLine(response.ToString());
}

在 Azure AD 中注册的客户端拥有所有权限: Azure AD 中的权限

我错过了什么?

编辑: 我在 Azure AD 中注册了一个本机客户端,并授予它写入 Windows Azure Active Directory 的权限。此代码在 Azure AD 中创建一个应用程序:

private static void CreateApplicationViaPost(string tenantId, string clientId, string redirectUri)
        {
            var authContext = new AuthenticationContext(
                string.Format("https://login.windows.net/{0}",
                tenantId));

            AuthenticationResult result = authContext.AcquireToken("https://graph.windows.net", clientId, new Uri(redirectUri), PromptBehavior.Auto);

            HttpClient client = new HttpClient();
            client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);

            const string json = @"{ displayName: ""My test app1"", homepage: ""http://homepage.com"", logoutUrl: ""http://logout1.net"", identifierUris: [ ""http://identifier11.com"" ], replyUrls: [ ""http://replyUrl1.net"" ] }";
            HttpResponseMessage response = client.PostAsync(
                string.Format("https://graph.windows.net/{0}/applications?api-version=1.6", tenantId),
                new StringContent(json, Encoding.UTF8, "application/json")).Result;

            Console.WriteLine(response.ToString());
        }
4

3 回答 3

5

修改目录需要管理员用户的同意。因此,您需要从用户那里获取访​​问令牌,例如通过 OAuth,而不是客户端的令牌。

GitHub 上有很多示例展示了授权流程,例如https://github.com/AzureADSamples/WebApp-GraphAPI-DotNet

于 2015-07-31T06:49:15.750 回答
3

添加到@MrBrink 的答案 - 您需要确保在 Azure Active Directory UI 中添加权限的人实际上是管理员。如果您有权访问 Azure Active Directory 并且不是管理员,它仍将允许您分配权限 - 但是它们仅适用于用户范围。

于 2015-12-28T21:52:54.887 回答
2

另一种方法是使用ActiveDirectoryClientNuGetMicrosoft.Azure.ActiveDirectory.GraphClient包中的 。

private static async Task CreateApplication(string tenantId, string clientId,
    string redirectUri)
{
    var graphUri = new Uri("https://graph.windows.net");
    var serviceRoot = new Uri(graphUri, tenantId);
    var activeDirectoryClient = new ActiveDirectoryClient(serviceRoot,
        async () => AcquireTokenAsyncForUser("https://login.microsoftonline.com/" + tenantId,
            clientId, redirectUri));

    var app = new Application
        {
            Homepage = "https://localhost",
            DisplayName = "My Application",
            LogoutUrl = "https://localhost",
            IdentifierUris = new List<string> { "https://tenant.onmicrosoft.com/MyApp" },
            ReplyUrls = new List<string> { "https://localhost" }
        };

    await activeDirectoryClient.Applications.AddApplicationAsync(app);

    Console.WriteLine(app.ObjectId);
}

private static string AcquireTokenAsyncForUser(string authority, string clientId,
    string redirectUri)
{
    var authContext = new AuthenticationContext(authority, false);
    var result = authContext.AcquireToken("https://graph.windows.net",
        clientId, new Uri(redirectUri), PromptBehavior.Auto);

    return result.AccessToken;
}
于 2015-07-31T23:26:40.530 回答