我正在尝试在 Azure Functions 上使用新的 Microsoft Graph 绑定(bind)功能,因此我遵循 this article (使用clientCredentials):
Azure AD 应用程序已注册良好,但是,在调用该函数时,我收到以下错误:
{
"error": "unauthorized_client",
"error_description": "AADSTS70001: Application with identifier 'ba8b3444-403f-4472-aba3-0407c563dd28' was not found in the directory microsoft.com\r\nTrace ID: 76a06d59-43a5-4862-9a1e-7864121c2200\r\nCorrelation ID: f511ce93-d6e3-40f2-8427-a3af0b89750d\r\nTimestamp: 2017-11-20 10:11:41Z",
"error_codes": [70001],
"timestamp": "2017-11-20 10:11:41Z",
"trace_id": "76a06d59-43a5-4862-9a1e-7864121c2200",
"correlation_id": "f511ce93-d6e3-40f2-8427-a3af0b89750d"
}
正如我所说,应用程序 ID 是正确的,并且已在我的 Azure AD 目录中注册(具有正确的权限)。为什么在尝试获取 token 时使用 microsoft.com 目录?!!
这是我的函数 C# 代码(仅返回 token ):
public static async Task<string> Run(HttpRequestMessage req, string graphToken, TraceWriter log)
{
log.Info("C# HTTP trigger function processed a request.");
return graphToken;
//HttpClient client = new HttpClient();
//client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", graphToken);
//return await client.GetAsync("https://graph.microsoft.com/v1.0/groups");
}
这是我的 _function.json`
{
"bindings": [
{
"name": "req",
"type": "httpTrigger",
"direction": "in",
"authLevel": "anonymous",
"methods": [
"get"
]
},
{
"name": "graphToken",
"type": "token",
"direction": "in",
"resource": "https://graph.microsoft.com",
"identity": "ClientCredentials"
},
{
"name": "$return",
"type": "http",
"direction": "out"
}
],
"disabled": false
}
最佳答案
这是一个已知问题,我们认为是由使用公共(public)端点而不是专用租户进行绑定(bind)引起的。我不确定为什么公共(public)端点的默认行为是使用 Microsoft 租户,但我可以通过针对公共(public)端点手动执行流程来在任何租户中重现该问题。
我刚刚意识到我们的 GitHub 存储库上没有跟踪该问题,因此我创建了一个新项目:https://github.com/Azure/azure-functions-microsoftgraph-extension/issues/25
修复的预计时间尚未确定,但团队将致力于解决该问题。
关于Azure Functions/Microsoft Graph 绑定(bind)未获取 token (clientCredentials),我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/47389788/