如何在不进行用户交互的情况下授权服务使用Microsoft Graph用户帐户? [英] How to authorize service to use Microsoft Graph user account without user interaction?

问题描述

我希望我的服务器应用程序可以使用Microsoft Graph与它自己的Excel文件进​​行交互.也就是说，文件属于应用程序，而不是应用程序的特定用户.

I want my server application to interact with it's own Excel files using Microsoft Graph. That is, the files belong to the application, not a particular user of the application.

我已经使用Azure ID注册了一个应用程序，并授予了Microsoft Graph对用户可以访问的所有文件具有完全访问权限".

I have registered an application with Azure ID and granted "Have full access to all files user can access" permission for Microsoft Graph.

我正在尝试使用OAuth资源所有者密码凭据授予.

I am trying to use OAuth Resource Owner Password Credentials Grant.

我可以获得这样的授权令牌:

I can get an authorization token like this:

POST https://login.microsoftonline.com/common/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=password
&resource=https://graph.microsoft.com
&client_id=<ID of application registered with Azure AD>
&username=<Microsoft username>
&password=<password>&scope=Files.ReadWrite.All

但响应仅指示范围User.Read:

{
  "token_type": "Bearer",
  "scope": "User.Read",
  "expires_in": "3600",
  "ext_expires_in": "0",
  "expires_on": "1494467388",
  "not_before": "1494463488",
  "resource": "https://graph.microsoft.com",
  "access_token": "eyJ0e...",
  "refresh_token": "AQAB..."
}

当我尝试列出该帐户的一个驱动器"中的文件时，没有出现错误，但是响应中没有任何项目:

And when I try to list files in the account's One Drive, I do not get an error, but the response contains no items:

Request:
GET https://graph.microsoft.com/v1.0/me/drive/root/children
Authorization: bearer eyJ0e...

Response:
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users('<account ID>')/drive/root/children",
  "value": []
}

当我使用相同的帐户登录时在Graph Explorer中发出相同的请求时，响应将包括该帐户的一个驱动器根目录中的所有项目.

When I make the same request in Graph Explorer when logged in with same account the response includes all the items in that account's one drive root.

我了解，当通过OAuth客户端凭据授予授权时，Microsoft Graph当前不支持仅应用程序文件访问(按照

I understand that Microsoft Graph does not currently support application-only file access, when authorized via OAuth Client Credentials Grant (as per instructions for calling Microsoft Graph in a service), but since I am getting authorization for a particular user account (not just application) I would expect to get access to that users files.

我做错什么了吗，还是使用资源所有者密码凭据授予"功能不支持文件访问?

Am I doing something wrong, or is file access not supported using Resource Owner Password Credentials Grant either?

如果是后者，我如何才能实现允许我的应用程序使用用户凭据通过Microsoft Graph来操作Excel文件而无需用户交互?

If the latter, how can I achieve allowing my application to use user credentials to manipulate Excel files via Microsoft Graph without user interaction?

更新:

我已经为正在使用的帐户分配了管理员权限，并在Azure门户中重新设置了Microsoft Graph的应用程序权限，但是它仍然对我不起作用.

I have had administrator permissions assigned to the account I am using, and re-set the application permissions for Microsoft Graph in the Azure Portal, but it still is not working for me.

以下是我正在使用的帐户的详细信息:

Here are details of the account I am using:

推荐答案

在被授予具有对用户可以访问的所有文件的完全访问权限"权限后，请尝试在必需的权限"刀片中单击Grant Permissions(最好使用管理员帐户)对于Microsoft Graph:

Please try to click Grant Permissions(better using admin account) in "Required permissions" blade after granted "Have full access to all files user can access" permission for Microsoft Graph:

使用资源所有者密码流获取令牌后，您将在scp声明中找到Files.ReadWrite.All.然后，您可以调用Microsoft graph api列出文件.

After that acquire token using Resource Owner Password flow , you will find Files.ReadWrite.All in scp claims . Then you could call microsoft graph api to list files .

更新

以下是我如何使资源所有者流程工作的步骤:

Here is the steps how i make the resource owner flow work :

1. 注册一个本机应用程序，为Microsoft Graph添加具有对用户可以访问的所有文件的完全访问权限"委派权限(不要单击grant permissions按钮，如上图所示).使用资源所有者密码凭据授予并获取访问令牌，仅在scp声明中找到User.Read:

1. register a native app , Add the "Have full access to all files user can access" delegate permission for Microsoft Graph(don't click grant permissions button as above picture shown) . using Resource Owner Password Credentials Grant and get the access token ,only find User.Read in scp claim :

POST https://login.microsoftonline.com/common/oauth2/token 内容类型:application/x-www-form-urlencoded grant_type = password& client_id = XXXXXXXXXX& resource = https://graph.microsoft. com/& username = XXXXXX& password = XXXXXXX

POST https://login.microsoftonline.com/common/oauth2/token Content-Type: application/x-www-form-urlencoded grant_type=password&client_id=XXXXXXXXXX&resource=https://graph.microsoft.com/&username=XXXXXX&password=XXXXXXX

单击上图所示的grant permissions按钮，使用资源所有者密码凭据授予"并获取访问令牌，您可以在scp声明中找到Files.ReadWrite.All User.Read:

click grant permissions button as above picture shown , using Resource Owner Password Credentials Grant and get the access token ,you could find Files.ReadWrite.All User.Read in scp claim :

这篇关于如何在不进行用户交互的情况下授权服务使用Microsoft Graph用户帐户?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！