我正在尝试对具有应用程序级权限的 Azure 应用进行身份验证。所有权限均由管理员授予,并且应用同时具有客户端 ID 和客户端密码。我正在根据图中的守护程序 api 文档运行以下代码Microsoft:
import msal
config = {
"authority": "https://login.microsoftonline.com/organizations",
"client_id": CLIENT_ID,
"scope": ["https://graph.microsoft.com/.default"],
"redirect_uri": REDIRECT_URI,
"client_secret": CLIENT_SECRET
}
app = msal.ConfidentialClientApplication(
config["client_id"], authority=config["authority"],
client_credential=config["client_secret"] )
result = app.acquire_token_silent(config["scope"], account=None)
import logging
if not result:
logging.info("No suitable token exists in cache. Let's get a new one from AAD.")
result = app.acquire_token_for_client(scopes=config["scope"])
如果我打印result,它会说以下内容:
{'error': 'unauthorized_client',
'error_description': "AADSTS700016: Application with identifier [IDENTIFIER] was not found in the directory 'microsoft.com'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.rnTrace ID: [TRACE ID]rnCorrelation ID: [CORRELATION ID]rnTimestamp: 2019-08-28 17:14:39Z",
'error_codes': [700016],
'timestamp': '2019-08-28 17:14:39Z',
'trace_id': [TRACE ID],
'correlation_id': [CORRELATION ID],
'error_uri': 'https://login.microsoftonline.com/error?code=700016'}
该应用程序已经存在了几天,正如我所提到的,它的所有权限都由管理员授权。为什么我仍然收到"未经授权"错误?我检查了我的ID和秘密,它们是正确的。
我想知道这是否与错误消息说它被发送到microsoft.com目录的事实有关?但我提供的唯一微软信息是authority和scopeAPI 说需要按原样。我没有看到任何地方可以提供目录 ID。这可能是问题所在吗?如果是这样,我将如何纠正它?
配置中的权限字段应该是
https://login.microsoftonline.com/<directory_id>