In Azure Active Directory I have an application that needs to use both the Microsoft Graph API and the SharePoint API, with the following scopes:

Graph API scopes:

```
"https://graph.microsoft.com/User.Read.All",
"https://graph.microsoft.com/Group.Read.All",
"https://graph.microsoft.com/Sites.Read.All",
"https://graph.microsoft.com/Calendars.Read.Shared",
"https://graph.microsoft.com/MailboxSettings.Read",
"https://graph.microsoft.com/Files.Read.All"
```

SharePoint API scopes:

```
"https://microsoft.sharepoint-df.com/AllSites.Read",
"https://microsoft.sharepoint-df.com/AllSites.FullControl",
"https://microsoft.sharepoint-df.com/User.Read.All"
```
I am trying to obtain a token for this application:

```python
from msal import PublicClientApplication

AUTHORITY = 'https://login.microsoftonline.com/common'
client_id = '<your-app-client-id>'  # placeholder; the post did not show the value

# All scopes for both resources in a single request (this is what triggers the error below)
scopes = [
    "https://microsoft.sharepoint-df.com/AllSites.Read",
    "https://microsoft.sharepoint-df.com/AllSites.FullControl",
    "https://microsoft.sharepoint-df.com/User.Read.All",  # comma was missing here in the original
    "https://graph.microsoft.com/User.Read.All",
    "https://graph.microsoft.com/Group.Read.All",
    "https://graph.microsoft.com/Sites.Read.All",
    "https://graph.microsoft.com/Calendars.Read.Shared",
    "https://graph.microsoft.com/MailboxSettings.Read",
    "https://graph.microsoft.com/Files.Read.All",
]

app = PublicClientApplication(client_id, authority=AUTHORITY)
flow = app.initiate_device_flow(scopes=scopes)
```
But after approving the application in the web UI, I get the following error:

```
'error_description': 'AADSTS28000: Provided value for the input parameter scope is not valid
because it contains more than one resource. Scope https://graph.microsoft.com/Calendars.Read.Shared
https://graph.microsoft.com/Files.Read.All https://graph.microsoft.com/Group.Read.All
https://graph.microsoft.com/MailboxSettings.Read https://graph.microsoft.com/Sites.Read.All
https://graph.microsoft.com/User.Read.All https://microsoft.sharepoint-df.com/AllSites.FullControl
https://microsoft.sharepoint-df.com/AllSites.Read https://microsoft.sharepoint-df.com/User.Read.All
offline_access openid profile is not valid'
```
This is expected behaviour. You cannot mix resources, but you can acquire one access token for each additional resource using the same refresh token.

In MSAL you can do this by calling the following method:

```csharp
PublicClientApplication.AcquireTokenByRefreshToken(IEnumerable<string> scopes, string refreshToken);
```
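The answer above names the MSAL.NET method; since the question uses MSAL for Python, here is the same approach in Python as an added example (it is not code from the question, the answer, or the MSAL project). It groups the requested scopes by resource, so that each token request names exactly one resource, then signs in once with the device code flow for the first resource and uses `acquire_token_silent()` for the others: MSAL keeps the refresh token in its token cache and redeems it for a token with a different audience without a second sign-in. The client id is a placeholder and the `app` parameter is assumed to be a `msal.PublicClientApplication`; the scope list is constructed from the question.

```python
from urllib.parse import urlparse

# Constructed from the question: the scopes for the two resources, mixed in one list.
REQUESTED_SCOPES = [
    "https://microsoft.sharepoint-df.com/AllSites.Read",
    "https://microsoft.sharepoint-df.com/AllSites.FullControl",
    "https://microsoft.sharepoint-df.com/User.Read.All",
    "https://graph.microsoft.com/User.Read.All",
    "https://graph.microsoft.com/Group.Read.All",
    "https://graph.microsoft.com/Sites.Read.All",
    "https://graph.microsoft.com/Calendars.Read.Shared",
    "https://graph.microsoft.com/MailboxSettings.Read",
    "https://graph.microsoft.com/Files.Read.All",
]


def group_scopes_by_resource(scopes):
    """Group fully qualified scopes by resource (scheme + host), preserving order.

    Azure AD rejects one token request whose scope parameter spans more than one
    resource (AADSTS28000), so every group returned here becomes its own request.
    Bare OIDC scopes (openid, profile, offline_access) carry no resource; MSAL adds
    them to every request itself, so they are dropped from the groups.
    """
    groups = {}
    for scope in scopes:
        parsed = urlparse(scope)
        if not parsed.scheme or not parsed.netloc:
            continue  # reserved OIDC scope, not resource-bound
        resource = f"{parsed.scheme}://{parsed.netloc}"
        bucket = groups.setdefault(resource, [])
        if scope not in bucket:  # tolerate duplicates in the input
            bucket.append(scope)
    return groups


def acquire_token_per_resource(app, scope_groups):
    """Return {resource: access_token} using one sign-in and the cached refresh token.

    `app` is assumed to be a msal.PublicClientApplication (or any object with the
    same initiate_device_flow / acquire_token_by_device_flow / get_accounts /
    acquire_token_silent methods, which is what the test uses).
    """
    tokens = {}
    resources = list(scope_groups)
    first = resources[0]

    # One interactive sign-in, scoped to the first resource only.
    flow = app.initiate_device_flow(scopes=scope_groups[first])
    if "user_code" not in flow:
        raise RuntimeError(f"device flow failed: {flow.get('error_description')}")
    print(flow["message"])  # tells the user where to enter the code
    result = app.acquire_token_by_device_flow(flow)  # blocks until approved or expired
    if "access_token" not in result:
        raise RuntimeError(f"token request failed: {result.get('error_description')}")
    tokens[first] = result["access_token"]

    # Remaining resources: silent requests redeem the cached refresh token for a
    # new access token whose audience is the other resource. No user interaction.
    account = app.get_accounts()[0]
    for resource in resources[1:]:
        result = app.acquire_token_silent(scope_groups[resource], account=account)
        if not result or "access_token" not in result:
            raise RuntimeError(f"silent token request for {resource} failed")
        tokens[resource] = result["access_token"]
    return tokens


if __name__ == "__main__":
    import msal

    CLIENT_ID = "<your-app-client-id>"  # placeholder: the app registration's client id
    app = msal.PublicClientApplication(
        CLIENT_ID, authority="https://login.microsoftonline.com/common"
    )
    for resource, token in acquire_token_per_resource(
        app, group_scopes_by_resource(REQUESTED_SCOPES)
    ).items():
        print(resource, "->", token[:12] + "...")
```

Each access token is bound to one audience (`aud` claim), so a Graph token is not accepted by SharePoint and vice versa; keep the tokens keyed by resource as above and pick the matching one per API call. The default MSAL Python cache is in-memory, so the silent calls only work against the same `PublicClientApplication` instance that performed the sign-in unless you attach a persistent token cache.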