msAccess VBA中的msGraph API-计划器计划凭据问题 [英] msGraph API from msAccess VBA - Planner plans credentials issue

问题描述

我对MS Graph和Office 365还是很陌生，并且取得了不错的进步.我是我所在组织(学校)的O365全球管理员，并且具有应用程序开发经验.在我们的上下文中使用MS-Access数据库来全局"管理O365内容有很多范围.例如联系人，通讯组列表和计划员任务.我们希望从一个或两个本地ms-access数据库管理这些，并且最好由管理员来验证ms-graph活动.

I am very new to MS Graph and Office 365 and have made good progress. I am an O365 Global Admin for my organisation (a school) and have app development experience. There is a lot of scope for using MS-Access databases in our context for "globally" managing the O365 content. eg contacts, distribution lists and planner tasks. We want to manage these from an on-premises ms-access database or two and with an admin person authenticating the ms-graph activity, ideally.

因此，为了进行测试，我创建了一个新的数据库，并设法使其使用VBA消耗了以下终结点，但目前没有用户身份验证.

So, to test, I created a new db and have managed to get it to consume the following endpoint using VBA but with no user authentication for now.

https://graph.microsoft.com/v1.0/groups

但是，当我尝试

https://graph.microsoft.com/v1.0/planner/plans/with my plan id here

我得到401 - Unauthorized: Access is denied due to invalid credentials.

因此，很明显，我的应用程序注册错误或我的身份验证或两者兼而有之！我花了很多时间寻找示例和帮助，由于生态系统的不断发展，我发现很难确定我现在应该做的事情(而不是一两年前).

So, clearly my Application registration is wrong or my authentication or both! I have spent hours searching for examples and help and because of the evolving nature of the ecosystem I am finding it pretty hard to work out what I should do now (as opposed to a year or two ago).

生成用于允许我访问组的access_token的授权为:

The authorisation that generates the access_token that works to allow me access to the groups is:

POST 
https://login.microsoftonline.com/{my tenant id here}/oauth2/token

grant_type=client_credentials
client_id={my client id}
client_secret={my url encoded secret}  resource=https://graph.microsoft.com

但是将相同的access_token用于计划程序任务会抛出401错误.

but using that same access_token for the planner tasks throws the 401 error.

我的应用程序权限如下所示: 我认为这是由于Application和Delegated类型之间的差异，但尚未完全掌握所有内容.而且，我怀疑我还是使用了错误的身份验证流程. :-(

My app permissions look like this: I presume this is because of the difference between the Application and Delegated types but have not fully grasped it all yet. And, I suspect I am using the wrong authentication flow anyway. :-(

因此，我的问题是: 1.我的权限看起来正确吗? 2.我的身份验证流程正确吗?我应该改用这些吗?即我一直在使用旧信息吗?

So, my questions are: 1. Do my permissions look right? 2. Is my authentication flow correct? Should I be using these instead? ie have I been working from old information?

https://login.microsoftonline.com/{my tenant id here}/oauth2/v2.0/authorize 
https://login.microsoftonline.com/{my tenant id here}/oauth2/v2.0/token

正如您所知，我变得有些困惑.如果有人能按照我的尝试将我指向正确的总体方向，那将很有帮助.

As you can tell I have become somewhat confused. If anyone can point me in the right overall direction given what I am attempting that would be so helpful.

非常感谢， 默里

推荐答案

1.我的权限看起来正确吗?

1. Do my permissions look right?

是的，毫无疑问，您的天蓝色门户网站许可似乎还不错.您需要专用的权限，还需要授予管理员同意，您已经在屏幕截图中完美地显示了这一点.

Yeah undoubtedly, your azure portal permission seems alright. You need dedicated permission for that also need to grant admin consent which you have done perfectly shown on screen shot.

2.我的身份验证流程正确吗?

2. Is my authentication flow correct?

使用

As you are using Client Credentials Grant Flow request format seems alright. But I doubt this flow is suitable for the API you are trying to call. because this API requires dedicated permission.

3.我应该改用这些吗?

3. Should I be using these instead?

由于此API需要专用权限，因此您可以使用授权代码授予流程.

Since this API need dedicated permission you could use authorization code grant flow.

按照以下步骤使用Authorization Code grant flow

获取授权码:

https://login.microsoftonline.com/YourTenant.onmicrosoft.com/oauth2/v2.0/authorize?client_id={ClientId}&response_type=code&redirect_uri={redirectURI}&response_mode=query&scope=https://graph.microsoft.com/.default

使用您的代码请求令牌oauth2/V2.0/token:

请求网址: https://login.microsoftonline.com/common/oauth2/V2.0/token或https://login.microsoftonline.com/YourTenant.onmicrosoft.com/oauth2/V2.0/token

方法: POST

请求正文格式

client_id:Your_Clinet_Id
scope:https://graph.microsoft.com/.default
redirect_uri:Your_Portal_Redirect_URI
grant_type:authorization_code
client_secret:Your_Client_Secret
code: Paste Code Here

解码令牌:

您可以在 https://jwt.io/上解码令牌，并确保您具有以下权限:您的天蓝色门户.

You could decode your token on https://jwt.io/ and make sure you have required permission on your azure portal.

4.我一直在使用旧信息吗?

4. Have I been working from old information?

不，到目前为止，信息没有问题.

No, Information has no issue so far I have gone through.

注意:有关Authorization Code grant flow的详细实现，您可以查看

Note: For for details implementation of Authorization Code grant flow you could take a look official docs

这篇关于msAccess VBA中的msGraph API-计划器计划凭据问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！