我使用以下java代码通过使用MSAL4J库在Azure Active directory中创建用户。
HttpPost create = null;
HttpGet getRequest = null;
HttpClient client = null;
HttpResponse response = null;
IAuthenticationResult result = null;
PublicClientApplication pca = PublicClientApplication.builder("client_id")
.authority("https://login.microsoftonline.com/{tenant_id}/").build();
Set<String> scope = new HashSet<>();
scope.add("User.ReadWrite.All");
scope.add("User.ReadWrite");
scope.add("Directory.ReadWrite");
scope.add("Directory.ReadWrite.All");
UserNamePasswordParametersBuilder parameters = UserNamePasswordParameters.builder(scope,
"administrator@xxxxxxxx.onmicrosoft.com", "xxxxxxxx".toCharArray());
try {
result = pca.acquireToken(parameters.build()).join();
} catch (Exception e) {
e.printStackTrace();
}
StringEntity inputJSONStringEntity = new StringEntity(
"{"passwordProfile":{"password":"User120222"},"country":"India","city":"Mumbai","displayName":"User1","companyName":"companyName","givenName":"User1","jobTitle":"Developer","accountEnabled":true,"streetAddress":"St1","surname":"User1","state":"MH","department":"ESE","userPrincipalName":"User1@xxxxxxxx.onmicrosoft.com","mailNickname":"User1"}");
client = HttpClientBuilder.create().build();
create = new HttpPost("https://graph.microsoft.com/v1.0/users");
create.addHeader("Content-Type", "application/json");
create.addHeader("Authorization", "Bearer" + result.accessToken());
create.setEntity(inputJSONStringEntity);
response = client.execute(create);
能够使用PublicClientApplication和UserNamePasswordParameters获得令牌,但在执行请求后仍获得以下响应:
HttpResponseProxy{HTTP/1.1 401 Unauthorized [Transfer-Encoding: chunked, Content-Type: application/json, Vary: Accept-Encoding, Strict-Transport-Security: max-age=31536000, request-id: d3f08ea0-ee39-41fd-8f41-338392697300, client-request-id: d3f08ea0-ee39-41fd-8f41-338392697300, x-ms-ags-diagnostic: }, WWW-Authenticate: Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", Date: Fri, 17 Jun 2022 06:05:59 GMT] org.apache.http.client.entity.DecompressingEntity@1e127982}
{"aud": "00000003-0000-0000-c000-000000000000",
"scp": "Directory.AccessAsUser.All Directory.Read.All Directory.ReadWrite.All Directory.Write.Restricted DirectoryRecommendations.Read.All DirectoryRecommendations.ReadWrite.All Files.Read Files.Read.All Files.Read.Selected Files.ReadWrite Files.ReadWrite.All Files.ReadWrite.AppFolder Files.ReadWrite.Selected RoleAssignmentSchedule.Read.Directory RoleAssignmentSchedule.ReadWrite.Directory RoleEligibilitySchedule.Read.Directory RoleEligibilitySchedule.ReadWrite.Directory RoleManagement.Read.Directory RoleManagement.ReadWrite.Directory RoleManagementPolicy.Read.Directory RoleManagementPolicy.ReadWrite.Directory User.Export.All User.Invite.All User.ManageIdentities.All User.Read User.Read.All User.ReadBasic.All User.ReadWrite User.ReadWrite.All profile openid email"}
是否有人可以帮助解决这个问题,或者任何建议都是感激的。
感谢如果令牌中没有包含适当的权限,通常会发生401未授权错误。由于使用了不正确的端点作用域,令牌可能不包含所有权限。因为作用域通常与v2端点一起使用。
您可以看到错误中的授权url是authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize,这显然是v1端点。
请注意v1端点必须与resource一起请求参数,不给出作用域:如下所示:
resource=https://graph.microsoft.com/
如果你有要提到的作用域,你可能需要使用v2端点:授权URL:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
授权令牌URL:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
和作用域必须有/.default值如:scope:{clientId}/.default或您给出的范围。
注意:v2端点不使用资源参数,这里是作用域是有效的
参考:azure-ad-endpoint-comparison