Updated: 2021-08-27 23:00:17
After a not-so-short discussion in the comments the issue was resolved.
The main points of the discussion:
The access token had an aud claim with the value of https://graph.microsoft.com, which means the token is meant for the Microsoft Graph API, not their API.
An access token had to be requested using a scope similar to: api://25f66106-edd6-4724-ae6f-3a204cfd9f63/access_as_user
So make sure that the aud claim contains the client ID or app ID URI for your API. That means it is meant for your API.
The token also needs to contain the necessary scopes.
When asking for an access token from AAD, make sure you specify the correct scopes.
Also, if you are using the v1 endpoints, make sure to use ADAL, not MSAL. In v1, instead of scope, you also have to use resource, which must have a value set to either the client ID or app ID URI of the API.
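A troubleshooting helper for the two checks the answer describes (the aud claim and the scopes), added here as an example that is not part of the original answer. It reads the claims without verifying the signature, so it only diagnoses a rejected token and does not replace the API's own validation; the scp claim name, the sample tokens and the function names are assumptions made for illustration.

```python
import base64
import json

# Assumed for illustration: the API's client ID and app ID URI,
# taken from the scope string quoted in the answer.
API_CLIENT_ID = "25f66106-edd6-4724-ae6f-3a204cfd9f63"
API_APP_ID_URI = "api://" + API_CLIENT_ID
REQUIRED_SCOPE = "access_as_user"

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def read_claims(token):
    """Return the payload claims of a JWT WITHOUT verifying its signature.
    Diagnostic use only; the API's JWT middleware must still validate it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))

def diagnose(token):
    """List the reasons this token would not be accepted by the API."""
    claims = read_claims(token)
    problems = []
    aud = claims.get("aud")
    if aud not in (API_CLIENT_ID, API_APP_ID_URI):
        problems.append("aud is %r, so the token is meant for another API" % (aud,))
    # Assumption: delegated scopes arrive as one space-separated string in 'scp'.
    scopes = claims.get("scp", "").split()
    if REQUIRED_SCOPE not in scopes:
        problems.append("scp %r lacks %r" % (scopes, REQUIRED_SCOPE))
    return problems

def make_sample_token(claims):
    # Constructed, unsigned sample token so the example runs offline.
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])

# Constructed samples: a token issued for Microsoft Graph and one for the API.
GRAPH_TOKEN = make_sample_token({"aud": "https://graph.microsoft.com", "scp": "User.Read"})
API_TOKEN = make_sample_token({"aud": API_APP_ID_URI, "scp": "access_as_user"})

if __name__ == "__main__":
    for name, tok in (("graph", GRAPH_TOKEN), ("api", API_TOKEN)):
        print(name, diagnose(tok) or "ok")
```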