我在 Angular 中使用隐式授予工作流和 microsoft-adal-angular6 库对我的应用程序中的用户进行身份验证,然后获取访问 Microsoft Graph 的令牌。
身份验证部分正在工作。
我可以通过库从 AAD 获取令牌。但是,当我尝试通过客户端(和通过 http)查询图形时,我收到了无效的受众错误消息(http 查询仅对 401 的帮助稍小)。
statusCode: 401
code: "InvalidAuthenticationToken"
message: "Access token validation failure. Invalid audience."
requestId: "157c3867-3ac6-41e7-aa79-fbd6cc466c4f"
date: Tue Mar 03 2020 23:18:44 GMT-0700 (Mountain Standard Time) {}
body: "{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError":{"request-id":"157c3867-3ac6-41e7-aa79-fbd6cc466c4f","date":"2020-03-03T23:18:44"}}"
__proto__: Object`
在这里,我设置了我的 ADAL 服务:
`adalConfig = {
tenant: AppConfig.settings.aad.tenant,
clientId: AppConfig.settings.aad.clientId,
redirectUri: AppConfig.settings.aad.redirectUri,
endpoints: AppConfig.settings.aad.apiEndpoint,
navigateToLoginRequestUrl: false,
cacheLocation: AppConfig.settings.aad.cacheLocation
};`
json:
"aad": {
"requireAuth": true,
"apiEndpoint": {
"https://localhost:44371": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"https://graph.microsoft.com/v1.0/": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
},
"clientId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"tenant": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"resource": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"redirectUri": "http://localhost:4200/frameredirect/",
"cacheLocation": "sessionStorage",
"vospEndpoint": "https://localhost:44371",
"graphEndpoint": "https://graph.microsoft.com/v1.0/",
"vospAADGroup": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"clientSecret": "",
"scopes": [
"GroupMember.Read.All"
]
}}`
我为图形端点获取令牌的调用:
private async getAccessToken(): Promise<string> {
const resource = this.adalService.GetResourceForEndpoint(AppConfig.settings.aad.graphEndpoint);
let result = await this.adalService.acquireToken(resource).toPromise().then((token:string) => {return token;}).catch(error => {return error;});
if(result) console.log(result);
return result;
这是我调用 init 图形客户端并调用 api 的代码:
let graphClient = await Client.init({
authProvider: async(done) => {
let token = await this.getAccessToken()
.catch((reason) => {
done(reason,null);
});
if(token) {
done(null, token);
} else {
done("Could not get an access token", null);
}
}
});
let aadGroupId = AppConfig.settings.aad.vospAADGroup;
let loggedInUser = this.adalService.LoggedInUserEmail;
let graphUser2 = await graphClient.api("/users/" + loggedInUser + "/memberOf?").filter("id eq '" + aadGroupId + "'").get().catch(error => {return error});
Azure 上的插槽已配置为授予以下 Graph API 范围:
Microsoft Graph (8)
Directory.AccessAsUser.all Delegated Access directory as the signed in user
Directory.Read.all Application Read directory data
Group.Read.All Delegated Read all groups
Group.Read.all Application Read all groups
User.Read Delegated Sign in and read user profile
User.Read.All Delegated Read all users' full profiles
User.Read.All Application Read all users' full profiles
User.ReadBasic.All Delegated Read all users' basic profiles
我对图表的调用因令牌受众而被拒绝。如何使用 ADAL.js 的 microsoft-adal-angular6 包装器为令牌指定正确的受众和范围?