How to use the same value for app roles and oauth2Permissions that have different descriptions and display names?



My Azure AD application exposes the scope Roles.ReadWrite.All (delegated permission). Now I want to use machine-to-machine communication, so I need to expose an application permission. Following the official doc "How to: Add app roles in your application and receive them in the token", I created an AppRole. Now I can grant another application an Application permission for this app.

But the problem is that I want to use the same value for the Application Permission and the Delegated Permission, because Microsoft already does this in their Microsoft Graph application with the AccessReview.Read.All permission. But when I try to create the appRole, it shows an error -

Failed to update Backend API application. Error detail: It contains duplicate value. Please Provide unique value. []

I can only create the same permission value if I keep the id, description and display name of the appRoles and oauth2Permissions entries identical. But Microsoft Graph is using two different IDs with the same value:

...
"requiredResourceAccess": [
    {
        "resourceAppId": "00000003-0000-0000-c000-000000000000",
        "resourceAccess": [
            {
                "id": "ebfcd32b-babb-40f4-a14b-42706e83bd28", // AccessReview.Read.All
                "type": "Scope"
            },
            {
                "id": "d07a8cc0-3d51-4b77-b3b0-32704d1f69fa", // AccessReview.Read.All
                "type": "Role"
            }
        ]
    },
    {
        "resourceAppId": "96954c3d-fbb4-4899-be79-582b810acb7b",
        "resourceAccess": [
            {
                "id": "fbeb72c6-dfcb-45b6-b83a-db2929314e70",
                "type": "Scope"
            },
            {
                "id": "42b90870-bbe2-46c6-a221-4f8981c559ae", // Roles.ReadWrite.All
                "type": "Scope"
            },
            {
                "id": "42b90870-bbe2-46c6-a221-4f8981c559ae", // Roles.ReadWrite.All
                "type": "Role"
            }
        ]
    }
],
...

As the Manifest snippet above shows, the Graph API's AccessReview.Read.All has two different ids for the Delegated and Application permissions, whereas my Roles.ReadWrite.All has the same ID and therefore the same Display Name and Description.

I'm afraid what you need is not supported at present.

As you have already tested, if we use the same value for "AppRoles" and "OAuth2Permission", it shows this error: It contains duplicate value. Please Provide unique value.

When we set the same ID for "AppRoles" and "OAuth2Permission", we will need to set the same values for (description, adminConsentDescription), (displayName, adminConsentDisplayName), (isEnabled, isEnabled), (origin, origin), (value, value).

In that case, we can say we get the same object for "AppRoles" and "OAuth2Permission". But this does not affect your usage. The access token can return the correct delegated permission or application permission.

I don't understand, then how does Microsoft define the same value for its Microsoft Graph application?

Example where the app role value is the same as the scope value

App role:

{
    "allowedMemberTypes": [
        "Application"
    ],
    "description": "Allows the app to read and update user profiles without a signed in user.",
    "displayName": "Read and write all users' full profiles",
    "id": "741f803b-c850-494e-b5df-cde7c675a1ca",
    "isEnabled": true,
    "origin": "Application",
    "value": "User.ReadWrite.All"
},



Scope value:


{
    "adminConsentDescription": "Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.",
    "adminConsentDisplayName": "Read and write all users' full profiles",
    "id": "204e0828-b5ca-4ad8-b9f3-f32a958e7cc4",
    "isEnabled": true,
    "type": "Admin",
    "userConsentDescription": "Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on your behalf.",
    "userConsentDisplayName": "Read and write all users' full profiles",
    "value": "User.ReadWrite.All"
},
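Two checks that follow from this thread, as an added example (not code from the question, the answers or Microsoft): the first scans a manifest for the exact condition that produces the "duplicate value" error (same value in appRoles and oauth2Permissions under different ids, which the shared-id workaround avoids); the second shows why a shared value is harmless on the API side, because a delegated token carries the value in the standard `scp` claim and an app-only token carries it in the `roles` claim. The manifest fragment is constructed and modelled on the question's Roles.ReadWrite.All entries; the token claims are assumed to be already signature-validated.

```python
import json

# Constructed manifest fragment modelled on the question: one value exposed both
# as a delegated scope (oauth2Permissions) and as an app role (appRoles), with the
# shared id that the accepted answer describes as the only accepted configuration.
MANIFEST = json.loads("""
{
  "appRoles": [
    {"id": "42b90870-bbe2-46c6-a221-4f8981c559ae", "value": "Roles.ReadWrite.All",
     "allowedMemberTypes": ["Application"], "isEnabled": true}
  ],
  "oauth2Permissions": [
    {"id": "42b90870-bbe2-46c6-a221-4f8981c559ae", "value": "Roles.ReadWrite.All",
     "type": "Admin", "isEnabled": true}
  ]
}
""")


def find_value_collisions(manifest):
    """Return permission values present in both appRoles and oauth2Permissions
    under different ids. Those are the entries the portal rejects with
    'It contains duplicate value'; entries sharing one id are not reported."""
    roles = {r["value"]: r["id"] for r in manifest.get("appRoles", [])}
    scopes = {s["value"]: s["id"] for s in manifest.get("oauth2Permissions", [])}
    return sorted(v for v in roles.keys() & scopes.keys() if roles[v] != scopes[v])


def has_permission(claims, value):
    """Authorise a request from decoded, signature-validated token claims.
    Delegated tokens list granted scopes in the space-separated 'scp' claim;
    app-only (client credentials) tokens list app roles in the 'roles' array.
    The same value therefore never collides: the claim name tells the flows apart."""
    if "scp" in claims:
        return value in claims["scp"].split()
    return value in claims.get("roles", [])
```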
