Microsoft Graph無法列出目錄文件

Question

當試圖在Microsoft圖表中列出「我」的目錄項時，我收到400錯誤請求，並顯示以下錯誤消息：「缺少必要的用戶聲明。」

重現步驟：

1. 通過Application Registration Tool創建應用程序，授予權限Files.Read

2. 使用創建客戶端ID和客戶端密鑰來獲得令牌（以下其guide）捲曲：

   curl -X POST -H "Cache-Control: no-cache" -H "Content-Type: application/x-www-form-urlencoded" -d 'grant_type=client_credentials&client_id=<client-id>&client_secret=<client-secret>=&resource=https://graph.microsoft.com' "https://login.microsoftonline.com/<my-tenant-id>/oauth2/token"

3. 使用創建的<Access-Token>來製作一個要求列出根目錄像（捲曲）：

   curl -X GET -H "Authorization: Bearer <Access-Token>" -H "Cache-Control: no-cache" "https://graph.microsoft.com/v1.0/me/drive/root/children"

獲取響應：

400 Bad Request 
{ 
    "error": { 
    "code": "BadRequest", 
    "message": "Missing necessary user claims.", 
    "innerError": { 
     "request-id": "36c384f4-1810-4d96-ad69-d69a67d11ece", 
     "date": "2016-05-31T14:39:05" 
    } 
    } 
} 

任何幫助，將不勝感激

Answer 1

在你的榜樣，你只認證該應用程序（稱爲「僅應用程序身份驗證」，或者，參考OAuth 2.0流程，稱爲「客戶端證書授予」流程）。但是，您的請求特別提及用戶（.../me/...），即您。

對用戶進行身份驗證和授權的最常見（也是最完整的）方式是調用授權碼授予流程，以獲取的應用程序和用戶的訪問令牌。在此流程結束時獲取的訪問令牌將包含有關登錄用戶的聲明，並允許Microsoft Graph知道您指的是「我」。從the docs：

To get your app authorized, you must get the user authenticated first. You do this by redirecting the user to the Azure Active Directory (Azure AD) authorization endpoint, along with your app information, to sign in to their Office 365 account. Once the user is signed in, and consents to the permissions requested by your app (if the user has not done so already), your app will receive an authorization code required to acquire an OAuth access token.

一些更多的閱讀：

• Microsoft Graph app authorization
• MSDN: Authorization Code Grant Flow
• RFC 6749: 4.1 Authorization Code Grant