Invalid audience: cannot list a federated SharePoint Online via Azure Logic Apps

Question  (votes: 0, answers: 1)

Background

We have a Logic App in our tenant that is triggered by the presence of certain files in blob storage and must copy them to a customer's SharePoint Online. It is basically a drop folder for mutual data exchange (yes, in the next episode we will be picking files up from SharePoint).

We created a simple task in Azure Logic Apps to list the SharePoint files. It is configured so that the site URL and the folder to scan are mapped at run time through parameters.

GUI model

{
    "inputs": {
        "host": {
            "connection": {
                "name": "@parameters('$connections')['sharepointonline_1']['connectionId']"
            }
        },
        "method": "get",
        "path": "/datasets/@{encodeURIComponent(encodeURIComponent(triggerBody()?['SiteAddress']))}/tables/@{encodeURIComponent(encodeURIComponent(triggerBody()?['LibraryName']))}/getfileitems",
        "queries": {
            "folderPath": "@triggerBody()?['FolderPath']",
            "viewScopeOption": "Default"
        }
    }
}

When we test against our own SharePoint Online (e.g. SiteUrl https://contoso.sharepoint.com), it works with our API connection.

When we need to reach the customer's SharePoint, we point it at something like https://acme.sharepoint.com, and the user in the API connection ([email protected]) has been authorized by the foreign company's IT department as a guest user in their AD Online to access SharePoint Online.

Problem

When we run the Logic App against the customer's SharePoint, it fails with an authentication error.

Input parameters:

{
    "headers": {
        "Connection": "Keep-Alive",
        "Expect": "100-continue",
        "Host": "prod-238.westeurope.logic.azure.com",
        "Content-Length": "241",
        "Content-Type": "application/json"
    },
    "body": {
        "BlobPath": "/readme.txt",
        "SiteAddress": "https://acme.com/sites/example",
        "SiteRootFolder": "foo",
        "LibraryName": "bar",
        "FolderPath": "spam"
    }
}

(BlobPath is the blob storage pattern, SiteRootFolder the blob storage folder, LibraryName the SharePoint library and FolderPath the SharePoint folder.)

With these parameters (redacted), the result of the "Get files (properties only)" step is: Unauthorized

Input

{
    "method": "get",
    "queries": {
        "folderPath": "spam",
        "viewScopeOption": "Default"
    },
    "path": "/datasets/https%253A%252F%252Facme.sharepoint.com%252Fsites%252Fexample/tables/bar/getfileitems",
    "host": {
        "connection": {
            "name": "/subscriptions/0000000000000000000000/resourceGroups/example/providers/Microsoft.Web/connections/sharepointonline"
        }
    }
}

Output:

{
    "statusCode": 401,
    "headers": {
        "x-ms-diagnostics": "3000003;reason=\"Invalid audience Uri 'https://acme.sharepoint.com/'.\";category=\"invalid_client\"",
        "SPRequestGuid": "985ae0eb-e96a-4484-8f02-056c7718fa6f",
        "request-id": "985ae0eb-e96a-4484-8f02-056c7718fa6f",
        "MS-CV": "6+BamGrphESPAgVsdxj6bw.0",
        "Strict-Transport-Security": "max-age=31536000",
        "X-FRAME-OPTIONS": "SAMEORIGIN",
        "Content-Security-Policy": "frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com *.powerapps.com *.yammer.com *.officeapps.live.com *.office.com *.stream.azure-test.net *.microsoftstream.com *.dynamics.com;",
        "SPRequestDuration": "12",
        "SPIisLatency": "1",
        "MicrosoftSharePointTeamServices": "16.0.0.21924",
        "X-Content-Type-Options": "nosniff",
        "X-MS-InvokeApp": "1; RequireReadOnly",
        "Timing-Allow-Origin": "*",
        "x-ms-apihub-cached-response": "false",
        "Cache-Control": "private",
        "Date": "Fri, 10 Dec 2021 11:02:29 GMT",
        "P3P": "CP=\"ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI\"",
        "WWW-Authenticate": "Bearer realm=\"d9dbc877-29e4-4473-9855-d3db78ae431b\",client_id=\"00000003-0000-0ff1-ce00-000000000000\",trusted_issuers=\"00000001-0000-0000-c000-000000000000@*,D3776938-3DBA-481F-A652-4BEDFCAB7CD8@*,https://sts.windows.net/*/,00000003-0000-0ff1-ce00-000000000000@90140122-8516-11e1-8eff-49304924019b\",authorization_uri=\"https://login.windows.net/common/oauth2/authorize\"",
        "X-Powered-By": "ASP.NET",
        "Content-Length": "130",
        "Content-Type": "application/json"
    },
    "body": {
        "error_description": "Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."
    }
}

Investigation

I tried reading this question, but it looks like lower-level programming. We are using Azure Logic Apps, which authenticates itself on its own; we are not coding in C# or similar to manage application authentication.

I tried reading this article, but the front end has all changed slightly; we have triple-checked that the connection is correct and that [email protected] can access the ACME SharePoint.

From the error, Azure Logic Apps tries to obtain a JWT token from Microsoft Online whose audience (aud) is https://acme.sharepoint.com, which should be correct, but SharePoint rejects it claiming a bad audience.

In OAuth/JWT it is normal for the resource service to reject a token when the audience does not match itself.

Question

Why does SharePoint Online reject the authentication?

We have no visibility into the user configuration on the foreign side, but I would be happy to ask the other IT staff the right questions.

azure sharepoint azure-active-directory jwt azure-logic-apps
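As an added example (not part of the question or of the Logic Apps connector), the following parses the two headers that carry the useful diagnostic information in the 401 above: the WWW-Authenticate challenge (whose realm is the tenant id of the SharePoint that answered, and whose trusted_issuers value is a comma-separated list inside one quoted value, so a naive split on commas breaks) and x-ms-diagnostics (which names the audience URI that was refused). The sample headers are constructed from the response in the question; the tenant-id comparison helper is hypothetical and only checks which tenant issued the challenge.

```python
import re
from typing import Dict

# Constructed sample: the two headers that matter, taken from the 401 response in the question.
SAMPLE_401_HEADERS = {
    "x-ms-diagnostics": '3000003;reason="Invalid audience Uri \'https://acme.sharepoint.com/\'.";category="invalid_client"',
    "WWW-Authenticate": 'Bearer realm="d9dbc877-29e4-4473-9855-d3db78ae431b",client_id="00000003-0000-0ff1-ce00-000000000000",trusted_issuers="00000001-0000-0000-c000-000000000000@*,D3776938-3DBA-481F-A652-4BEDFCAB7CD8@*,https://sts.windows.net/*/,00000003-0000-0ff1-ce00-000000000000@90140122-8516-11e1-8eff-49304924019b",authorization_uri="https://login.windows.net/common/oauth2/authorize"',
}

# name="value" pairs; values are delimited by the quotes, not split on commas,
# because trusted_issuers carries a comma-separated list inside its quotes.
_KV = re.compile(r'(\w+)="([^"]*)"')

def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")

def parse_www_authenticate(value: str) -> Dict[str, str]:
    """'Bearer realm="...",client_id="...",...' -> dict of fields plus the scheme."""
    scheme, _, params = value.partition(" ")
    fields = dict(_KV.findall(params))
    fields["scheme"] = scheme
    return fields

def parse_ms_diagnostics(value: str) -> Dict[str, str]:
    """'3000003;reason="...";category="..."' -> dict of fields plus the numeric code."""
    code, _, params = value.partition(";")
    fields = dict(_KV.findall(params))
    fields["code"] = code
    return fields

def diagnose(headers: Dict[str, str]) -> Dict[str, object]:
    """Summarise who answered (realm = tenant id of the SharePoint that issued the
    challenge) and which token audience it refused."""
    auth = parse_www_authenticate(_header(headers, "WWW-Authenticate"))
    diag = parse_ms_diagnostics(_header(headers, "x-ms-diagnostics"))
    m = re.search(r"audience Uri '([^']+)'", diag.get("reason", ""))
    return {
        "realm": auth.get("realm", ""),
        "client_id": auth.get("client_id", ""),
        "trusted_issuers": auth.get("trusted_issuers", "").split(","),
        "code": diag["code"],
        "category": diag.get("category", ""),
        "rejected_audience": m.group(1) if m else "",
    }

def challenge_from_tenant(headers: Dict[str, str], tenant_id: str) -> bool:
    """Hypothetical helper: True when the challenge's realm is the given tenant id,
    i.e. the request reached that tenant's SharePoint rather than another one."""
    return diagnose(headers)["realm"].lower() == tenant_id.lower()
```

Comparing the realm with the customer's tenant id (obtainable from their IT) confirms which tenant actually refused the token before anyone starts re-checking guest permissions.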
1 answer
0 votes

Did you ever get an answer to this? The SharePoint connector code in Logic Apps does not seem to handle non-home-tenant connections, but nowhere in the documentation does it say so, which is a fairly serious issue. Am I missing something here?
