我正在尝试脚本在Azure AD中添加权限,我出于某种原因得到403。
这是命令:
az ad app permission grant --id 934b23f2-ab55-4876-83ce-b38e9966ea53 --api 2ac352a9-b35a-4db8-bbce-84d9245faa45
这是调试输出:
msrest.http_logger : Request URL: 'https://graph.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2PermissionGrants?api-version=1.6'
msrest.http_logger : Request method: 'POST'
msrest.http_logger : Request headers:
msrest.http_logger : 'Accept': 'application/json'
msrest.http_logger : 'Content-Type': 'application/json; charset=utf-8'
msrest.http_logger : 'accept-language': 'en-US'
msrest.http_logger : 'Content-Length': '323'
msrest.http_logger : 'User-Agent': 'python/3.6.6 (Windows-10-10.0.18362-SP0) msrest/0.6.6 msrest_azure/0.6.0 azure-graphrbac/0.60.0 Azure-SDK-For-Python AZURECLI/2.0.62'
msrest.http_logger : Request body:
msrest.http_logger : {"odata.type": "Microsoft.DirectoryServices.OAuth2PermissionGrant", "clientId": "874bf2e7-d191-4d86-ba64-234c885c703a", "consentType": "AllPrincipals", "resourceId": "e7c4266c-e7c0-440f-910a-2557f24b842c", "scope": "user_impersonation", "startTime": "2019-04-18T00:11:56.102063", "expiryTime": "2020-04-18T00:11:56.102063"}
msrest.universal_http : Configuring redirects: allow=True, max=30
msrest.universal_http : Configuring request: timeout=100, verify=True, cert=None
msrest.universal_http : Configuring proxies: ''
msrest.universal_http : Evaluate proxies against ENV settings: True
urllib3.connectionpool : Starting new HTTPS connection (1): graph.windows.net:443
urllib3.connectionpool : https://graph.windows.net:443 "POST /72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2PermissionGrants?api-version=1.6 HTTP/1.1" 403 219
msrest.http_logger : Response status: 403
msrest.http_logger : Response headers:
msrest.http_logger : 'Cache-Control': 'no-cache'
msrest.http_logger : 'Pragma': 'no-cache'
msrest.http_logger : 'Content-Type': 'application/json; odata=minimalmetadata; streaming=true; charset=utf-8'
msrest.http_logger : 'Expires': '-1'
msrest.http_logger : 'ocp-aad-diagnostics-server-name': 'flQBgrwiZdgfrwyQn7i7mb8tOHe8Zm56rla4LDh9+Zw='
msrest.http_logger : 'request-id': 'e514bba2-7cc9-47e7-bd16-ff1ea17fbad8'
msrest.http_logger : 'client-request-id': '924eb878-616e-11e9-8077-f26e0bc197ab'
msrest.http_logger : 'x-ms-dirapi-data-contract-version': '1.6'
msrest.http_logger : 'ocp-aad-session-key': '-RrCLfYgOSFwqxz4IBLGEBFBrYfXBZbU8zNwiCGag-dWYfm6EGWjClVXFX9LjmWphFkDKZaqQP39ko2PuX_K4DXuqK1NwUB5wayM8e5wnXvaSoYQW1B4nwJDR7JAHnwU.e2QPHdU1fQSwX4_tnWM81ajF8thbjmTeEPBE9HPtOJI'
msrest.http_logger : 'DataServiceVersion': '3.0;'
msrest.http_logger : 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
msrest.http_logger : 'Access-Control-Allow-Origin': '*'
msrest.http_logger : 'X-AspNet-Version': '4.0.30319'
msrest.http_logger : 'X-Powered-By': 'ASP.NET'
msrest.http_logger : 'Duration': '545850'
msrest.http_logger : 'Date': 'Thu, 18 Apr 2019 00:11:55 GMT'
msrest.http_logger : 'Content-Length': '219'
msrest.http_logger : Response content:
msrest.http_logger : {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"e514bba2-7cc9-47e7-bd16-ff1ea17fbad8","date":"2019-04-18T00:11:56"}}
msrest.exceptions : Operation failed with status: 'Forbidden'. Details: 403 Client Error: Forbidden for url: https://graph.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2PermissionGrants?api-version=1.6
cli.azure.cli.core.util : Operation failed with status: 'Forbidden'. Details: 403 Client Error: Forbidden for url: https://graph.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2PermissionGrants?api-version=1.6
Operation failed with status: 'Forbidden'. Details: 403 Client Error: Forbidden for url: https://graph.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2PermissionGrants?api-version=1.6
az_command_data_logger : exit code: 1
telemetry.save : Save telemetry record of length 2468 in cache
telemetry.check : Negative: The C:\Users\mikebaz\.azure\telemetry.txt was modified at 2019-04-17 20:04:03.430973, which in less than 600.000000 s
command ran in 2.421 seconds.
这就是我要授予的内容:
[
{
"additionalProperties": null,
"expiryTime": "",
"resourceAccess": [
{
"additionalProperties": null,
"id": "4b7cb559-04e7-4d6e-8b59-362ceccc6a89",
"type": "Scope"
}
],
"resourceAppId": "2ac352a9-b35a-4db8-bbce-84d9245faa45"
}
]
我可以在Portal中成功完成授权(这就是我如何获得上面的授权细节),所以我知道我可以获得授权。
关于我在这里缺少什么的想法?
我注意到至少有一个问题是命令中--api
参数的值可能不正确。
在你提到的Json是来自Portal的工作副本时,resourceAppId
是2ac352a9-b35a-4db8-bbce-84d9245faa45
,因此应该是命令中--api
参数或目标API的值。
[
{
"additionalProperties": null,
"expiryTime": "",
"resourceAccess": [
{
"additionalProperties": null,
"id": "4b7cb559-04e7-4d6e-8b59-362ceccc6a89",
"type": "Scope"
}
],
"resourceAppId": "2ac352a9-b35a-4db8-bbce-84d9245faa45"
}
]
还要确保934b23f2-ab55-4876-83ce-b38e9966ea53
是applicationid或objectid为您的应用程序。
az ad app permission grant --id 934b23f2-ab55-4876-83ce-b38e9966ea53 --api 2ac352a9-b35a-4db8-bbce-84d9245faa45 --scope user_impersonation --consent-type AllPrincipals