获得错误 – AADSTS500011:在名为 ** 的租户中未找到名为 ** 的资源主体。

huangapple go评论88阅读模式
英文:

Getting error - AADSTS500011: The resource principal named ** was not found in the tenant named **

问题

我有一个AAD应用程序 - ABC,需要通过一个暴露的API访问其他应用程序XYZ,该API是“api://XYZ/general”。我正在尝试使用MSAL库,并使用ConfidentialClientApplication机制,但它不断给我一个错误,指出 -

AADSTS500011:未在名为***的租户中找到名为api://XYZ/general的资源主体。如果管理员尚未安装该应用程序,或者租户中没有用户同意安装该应用程序,可能会发生这种情况。您可能已将您的身份验证请求发送到错误的租户。

有人可以帮助我解决这个错误吗?我已经被阻止了相当长的时间了。

尝试获取访问Easy Start API的访问令牌。
代码-

authority = app.config["AUTHORITY"] + '/' + app.config["TENANT"]

aadApp = msal.PublicClientApplication(app.config["CLIENT_ID"], authority=authority)

result = None
accounts = aadApp.get_accounts()
if accounts:
    # 如果存在用户帐户,则使用它来静默获取令牌
    result = aadApp.acquire_token_silent(scopes=app.config["OB_SCOPE"], account=accounts[0])

if not result:
    # 没有用户帐户或令牌获取失败,执行交互式身份验证
    result = aadApp.acquire_token_interactive(scopes=app.config["OB_SCOPE"])

access_token = result['access_token']

错误-
点击此处查看图片描述

英文:

I have an AAD Application - ABC, that needs to access other application XYZ via an exposed api which is - "api://XYZ/general". I`m trying to use MSAL library and using ConfidentialClientApplication mechanism,but it is constantly giving me an error stating -

AADSTS500011: The resource principal named api://XYZ/general was not found in the tenant named ***. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.

Can someone please assist me on how to resolve this error? I have been blocked on this for quite some time now.

Trying to get access token to use Easy Start APIs.
Code-

authority = app.config["AUTHORITY"] + '/' + app.config["TENANT"]

aadApp = msal.PublicClientApplication(app.config["CLIENT_ID"], authority=authority)

result = None
accounts = aadApp.get_accounts()
if accounts:
    # If a user account exists, use it to acquire a token silently
    result = aadApp.acquire_token_silent(scopes=app.config["OB_SCOPE"], account=accounts[0])

if not result:
    # No user account or token acquisition failed, perform interactive authentication
    result = aadApp.acquire_token_interactive(scopes=app.config["OB_SCOPE"])

access_token = result['access_token']

Error-
enter image description here

答案1

得分: 1

我有一个名为WebAPI的应用程序,在其中我公开了一个与您的相同范围的API:

获得错误 – AADSTS500011:在名为 ** 的租户中未找到名为 ** 的资源主体。

现在,我注册了一个名为ClientApp18的Azure AD应用程序,并在API权限选项卡中添加了上述权限:

获得错误 – AADSTS500011:在名为 ** 的租户中未找到名为 ** 的资源主体。

为了生成访问令牌,我直接使用了交互式流程,通过修改您的Python代码:

import msal

tenant_id = "fb134080-e4d2-45f4-9562-fxxxxxxxxx0"
client_id = "3b48a780-de28-4576-b1c5-exxxxxxxx2"

scopes = ["api://5bc992e5-b3f8-4cfc-8197-aexxxxxxa/general"]

authority = f"https://login.microsoftonline.com/{tenant_id}/"

aadApp = msal.PublicClientApplication(client_id, authority=authority)

result = aadApp.acquire_token_interactive(scopes=scopes)

if "access_token" in result:
    access_token = result['access_token']
    print("Access token:", access_token)
else:
    print("Interactive authentication failed. Please check your Azure AD configuration.")

当我运行上述代码时,会打开一个新窗口以选择一个帐户进行登录,就像这样:

获得错误 – AADSTS500011:在名为 ** 的租户中未找到名为 ** 的资源主体。

请确保从存在相同应用程序的租户中选择正确的用户帐户,一旦身份验证成功,您将在输出控制台中获得如下屏幕:

获得错误 – AADSTS500011:在名为 ** 的租户中未找到名为 ** 的资源主体。

身份验证后,我成功地获得了访问令牌,如下所示:

获得错误 – AADSTS500011:在名为 ** 的租户中未找到名为 ** 的资源主体。

为了确认这一点,我在jwt.ms中解码了上述令牌,并获得了正确的**audscp**声明值:

获得错误 – AADSTS500011:在名为 ** 的租户中未找到名为 ** 的资源主体。

对于您的情况,请检查您是否已使用来自与应用程序存在不同租户的用户进行登录,或者在代码中传递了错误的tenantID

当我选择来自不同租户的用户或包含错误的tenantID运行代码时,我得到了与您类似的错误:

获得错误 – AADSTS500011:在名为 ** 的租户中未找到名为 ** 的资源主体。

要解决此错误,请尝试直接使用我提到的交互式流程,使用来自与应用程序存在的相同租户的正确用户帐户进行登录,并检查您是否使用了正确的tenantID

英文:

I have one application named WebAPI where I exposed an API with same scope as you:

获得错误 – AADSTS500011:在名为 ** 的租户中未找到名为 ** 的资源主体。

Now, I registered one Azure AD application named ClientApp18 and added above permissions in API permissions tab:

获得错误 – AADSTS500011:在名为 ** 的租户中未找到名为 ** 的资源主体。

To generate access token, I directly used interactive flow by modifying your python code:

import msal

tenant_id = "fb134080-e4d2-45f4-9562-fxxxxxxxxx0"
client_id = "3b48a780-de28-4576-b1c5-exxxxxxxx2"

scopes = ["api://5bc992e5-b3f8-4cfc-8197-aexxxxxxa/general"]

authority = f"https://login.microsoftonline.com/{tenant_id}/"

aadApp = msal.PublicClientApplication(client_id, authority=authority)

result = aadApp.acquire_token_interactive(scopes=scopes)

if "access_token" in result:
    access_token = result['access_token']
    print("Access token:", access_token)
else:
    print("Interactive authentication failed. Please check your Azure AD configuration.")

When I ran the above code, a new window opened to pick an account to sign in like this:

获得错误 – AADSTS500011:在名为 ** 的租户中未找到名为 ** 的资源主体。

Make sure to select right user account from same tenant where the applications exist and you will get below screen once Authentication is successful:

获得错误 – AADSTS500011:在名为 ** 的租户中未找到名为 ** 的资源主体。

After authenticating, I got the access token successfully in the output console:

获得错误 – AADSTS500011:在名为 ** 的租户中未找到名为 ** 的资源主体。

To confirm that, I decoded the above token in jwt.ms and got aud & scp claims with correct values:

获得错误 – AADSTS500011:在名为 ** 的租户中未找到名为 ** 的资源主体。

> In your case, check whether you are already logged in with user from different tenant other than the tenant where applications exist or passed wrong tenantID in code.

When I ran the code by selecting user from different tenant or including wrong tenantID, I got similar error as you:

获得错误 – AADSTS500011:在名为 ** 的租户中未找到名为 ** 的资源主体。

To resolve the error, try to use interactive flow directly as I mentioned by signing in with right user account from same tenant where the applications exist and check whether you are using right tenantID or not.

答案2

得分: 0

我相信您需要在Azure AD应用程序注册中为您的api://XYZ/general资源添加范围。这是链接:https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-expose-web-apis#add-a-scope。希望这有所帮助。

英文:

I believe you need to add a scope for your api://XYZ/general resource in Azure AD application registration. Here is the link for it: https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-expose-web-apis#add-a-scope. I hope this helps.

huangapple
  • 本文由 发表于 2023年7月17日 19:35:52
  • 转载请务必保留本文链接:https://go.coder-hub.com/76704063.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定