Azure active directory 无法访问/me/drive/root/children(或任何driveItem对象)
Microsoft Graph无法访问任何driveItem对象(即GET/me/drive/root/children) 我正在开发一个概念验证web应用程序,它(除其他外)可以从经过身份验证的用户处访问一些Excel工作簿(在SharePoint或OneDrive上) 它基于Microsoft教程[Build Node.js Express apps with Microsoft Graph],适用于大多数Ms Graph方面。 -最终用户的Azure AD身份验证() -在AAD门户中注册的应用程序(隐式授权:Azure active directory 无法访问/me/drive/root/children(或任何driveItem对象),azure-active-directory,microsoft-graph-api,Azure Active Directory,Microsoft Graph Api,Microsoft Graph无法访问任何driveItem对象(即GET/me/drive/root/children) 我正在开发一个概念验证web应用程序,它(除其他外)可以从经过身份验证的用户处访问一些Excel工作簿(在SharePoint或OneDrive上) 它基于Microsoft教程[Build Node.js Express apps with Microsoft Graph],适用于大多数Ms Graph方面。 -最终用户的Azure AD身份验证() -在AAD门户中注册
ID令牌
,Ms Graph的API权限包括文件.ReadWrite.All
和站点.ReadWrite.All
)
使用Microsoft Graph Explorer我们通过以下路径验证了对相关driveItem资源的API查询
-SharePoint的/drives//items/
和/shares//driveItem
-/me/drive/items/
用于OneDrive
但当从web应用程序运行时,所有这些API查询都会失败(而其他图形调用,如/me/
、/me/drive/
和/me/drive/root/
工作正常)
获取https://graph.microsoft.com/v1.0/drives//items/
获取https://graph.microsoft.com/v1.0/shares//driveItem
{
statusCode: 403,
code: 'accessDenied',
message: 'The caller does not have permission to perform the action.',
requestId: '1d3bba03-6c15-41f0-9de5-979ce42127b5',
date: 2019-09-18T08:46:37.000Z,
body:
'{"code":"accessDenied","message":"The caller does not have permission to perform the action.","innerError":{"request-id":"1d3bba03-6c15-41f0-9de5-979ce42127b5","date":"2019-09-18T10:46:37"}}' }
我很可能忽略了令牌是如何处理的,但我找不到什么。我终于找到了问题所在 如果在身份验证期间,应用程序未在其范围内指定这些权限,则在Azur广告门户内授予权限是无用的 在我的例子中,添加
文件.readwrite.all
解决了这个问题
在.env
OAUTH_SCOPES='profile files.readwrite.all mail.send user.read'
用于护照AAD:
import { IOIDCStrategyOptionWithoutRequest } from 'passport-azure-ad';
const oidcOptions: IOIDCStrategyOptionWithoutRequest = {
allowHttpForRedirectUrl: true,
clientID: oauthOptions.client.id,
clientSecret: oauthOptions.client.secret,
identityMetadata: `${oauthOptions.auth.tokenHost}${process.env.OAUTH_ID_METADATA}`,
loggingLevel: 'info',
passReqToCallback: false,
redirectUrl: process.env.OAUTH_REDIRECT_URI!,
responseMode: 'form_post',
responseType: 'code id_token',
scope: process.env.OAUTH_SCOPES!.split(' '),
validateIssuer: false,
};
您好,我如何在下面两个查询中获得{drive id}?我正在尝试使用图形读取数据。GET/drives/{drive id}/items/{item id}GET/drives/{drive id}/root:/{item path}
import { IOIDCStrategyOptionWithoutRequest } from 'passport-azure-ad';
const oidcOptions: IOIDCStrategyOptionWithoutRequest = {
allowHttpForRedirectUrl: true,
clientID: oauthOptions.client.id,
clientSecret: oauthOptions.client.secret,
identityMetadata: `${oauthOptions.auth.tokenHost}${process.env.OAUTH_ID_METADATA}`,
loggingLevel: 'info',
passReqToCallback: false,
redirectUrl: process.env.OAUTH_REDIRECT_URI!,
responseMode: 'form_post',
responseType: 'code id_token',
scope: process.env.OAUTH_SCOPES!.split(' '),
validateIssuer: false,
};