Can an MS Graph Bearer Token be used to access the Office REST API?


Question

We've implemented Authentication in a .Net Core 2.0 app using Microsoft Graph to authenticate against Azure AD.

That works fine and we were aiming to use Microsoft Graph for accessing Office 365 data.

Unfortunately, on deeper review, we've found that Tasks are currently unsupported via Microsoft Graph and must be instead accessed via the Outlook REST API.

Important: APIs under the /beta version in Microsoft Graph are in preview and are subject to change. Use of these APIs in production applications is not supported.

I tried passing the Bearer Token retrieved via Microsoft Graph in the Outlook REST API headers but I get back an invalid token error.

I'm hoping that I'm simply doing something wrong and this is a valid approach.

Since MS Graph is the "unified" replacement for the Outlook REST API and others, can a Microsoft Graph token be used to access the Outlook REST API?

Recommended answer

Yes, this is correct behavior. Tokens are only valid for a particular "audience", which is indicated by the aud claim inside the token.

If you obtained a token for the Microsoft Graph API, then the aud parameter would be set to https://graph.microsoft.com. This doesn't match the Office 365 API endpoint (https://outlook.office.com or https://outlook.office365.com), so the token validation fails. You have two options here.

  1. Use the tasks APIs in Graph even though they are in beta.
  2. Make sure that you obtain a refresh token when you request your Graph token (by including the offline_access scope in your auth/token requests). Then use that refresh token to obtain a second token with the proper audience.

You can use the refresh token to request an Office 365 API-compatible token by qualifying your scopes in the refresh request. For example, if you requested a Graph token with Tasks.Read, you would qualify Tasks.Read in your refresh request as https://outlook.office.com/Tasks.Read.
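The audience check and the scope-qualified refresh request described in the answer, as an added example that is not part of the original question or answer. The sample token is constructed and unsigned, the client id and refresh token are placeholders, and the function names are hypothetical; decoding here is for diagnosis only, since the receiving API is what verifies the signature and enforces `aud`.

```python
import base64
import json
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com"
OUTLOOK = "https://outlook.office.com"
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}

def jwt_claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audience_matches(token, resource):
    """True if the token's aud claim names the resource about to be called."""
    aud = jwt_claims(token).get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return any(isinstance(a, str) and a.rstrip("/") == resource.rstrip("/") for a in auds)

def qualify_scopes(scopes, resource):
    """Prefix bare permission names with the resource; keep OIDC and already-qualified scopes."""
    return [s if s in OIDC_SCOPES or "://" in s else f"{resource.rstrip('/')}/{s}"
            for s in scopes]

def refresh_request_body(client_id, refresh_token, scopes, resource):
    """Form body for an OAuth 2.0 refresh_token grant (confidential clients add their credential)."""
    return urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
        "scope": " ".join(qualify_scopes(scopes, resource)),
    })

def constructed_token(claims):
    """Build an unsigned sample token (constructed for this example, not a real credential)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"

GRAPH_TOKEN = constructed_token({"aud": GRAPH, "scp": "Tasks.Read"})

if __name__ == "__main__":
    print("usable for Graph:  ", audience_matches(GRAPH_TOKEN, GRAPH))
    print("usable for Outlook:", audience_matches(GRAPH_TOKEN, OUTLOOK))
    print(refresh_request_body("CLIENT_ID_PLACEHOLDER", "REFRESH_TOKEN_PLACEHOLDER",
                               ["offline_access", "Tasks.Read"], OUTLOOK))
```

Running the same `audience_matches` check on the token returned by the refresh request confirms it was issued for the Outlook endpoint before it is sent there.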
