如何在不进行用户交互的情况下授权服务使用Microsoft Graph用户帐户? [英] How to authorize service to use Microsoft Graph user account without user interaction?
问题描述
我希望我的服务器应用程序可以使用Microsoft Graph与它自己的Excel文件进行交互.也就是说,文件属于应用程序,而不是应用程序的特定用户.
I want my server application to interact with it's own Excel files using Microsoft Graph. That is, the files belong to the application, not a particular user of the application.
我已经使用Azure ID注册了一个应用程序,并授予了Microsoft Graph对用户可以访问的所有文件具有完全访问权限".
I have registered an application with Azure ID and granted "Have full access to all files user can access" permission for Microsoft Graph.
我正在尝试使用OAuth资源所有者密码凭据授予.
I am trying to use OAuth Resource Owner Password Credentials Grant.
我可以获得这样的授权令牌:
I can get an authorization token like this:
POST https://login.microsoftonline.com/common/oauth2/token
Content-Type: application/x-www-form-urlencoded
grant_type=password
&resource=https://graph.microsoft.com
&client_id=<ID of application registered with Azure AD>
&username=<Microsoft username>
&password=<password>&scope=Files.ReadWrite.All
但响应仅指示范围User.Read
:
{
"token_type": "Bearer",
"scope": "User.Read",
"expires_in": "3600",
"ext_expires_in": "0",
"expires_on": "1494467388",
"not_before": "1494463488",
"resource": "https://graph.microsoft.com",
"access_token": "eyJ0e...",
"refresh_token": "AQAB..."
}
当我尝试列出该帐户的一个驱动器"中的文件时,没有出现错误,但是响应中没有任何项目:
And when I try to list files in the account's One Drive, I do not get an error, but the response contains no items:
Request:
GET https://graph.microsoft.com/v1.0/me/drive/root/children
Authorization: bearer eyJ0e...
Response:
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users('<account ID>')/drive/root/children",
"value": []
}
当我使用相同的帐户登录时在Graph Explorer中发出相同的请求时,响应将包括该帐户的一个驱动器根目录中的所有项目.
When I make the same request in Graph Explorer when logged in with same account the response includes all the items in that account's one drive root.
我了解,当通过OAuth客户端凭据授予授权时,Microsoft Graph当前不支持仅应用程序文件访问(按照
I understand that Microsoft Graph does not currently support application-only file access, when authorized via OAuth Client Credentials Grant (as per instructions for calling Microsoft Graph in a service), but since I am getting authorization for a particular user account (not just application) I would expect to get access to that users files.
我做错什么了吗,还是使用资源所有者密码凭据授予"功能不支持文件访问?
Am I doing something wrong, or is file access not supported using Resource Owner Password Credentials Grant either?
如果是后者,我如何才能实现允许我的应用程序使用用户凭据通过Microsoft Graph来操作Excel文件而无需用户交互?
If the latter, how can I achieve allowing my application to use user credentials to manipulate Excel files via Microsoft Graph without user interaction?
更新:
我已经为正在使用的帐户分配了管理员权限,并在Azure门户中重新设置了Microsoft Graph的应用程序权限,但是它仍然对我不起作用.
I have had administrator permissions assigned to the account I am using, and re-set the application permissions for Microsoft Graph in the Azure Portal, but it still is not working for me.
以下是我正在使用的帐户的详细信息:
Here are details of the account I am using:
推荐答案
在被授予具有对用户可以访问的所有文件的完全访问权限"权限后,请尝试在必需的权限"刀片中单击Grant Permissions
(最好使用管理员帐户)对于Microsoft Graph:
Please try to click Grant Permissions
(better using admin account) in "Required permissions" blade after granted "Have full access to all files user can access" permission for Microsoft Graph:
使用资源所有者密码流获取令牌后,您将在scp
声明中找到Files.ReadWrite.All
.然后,您可以调用Microsoft graph api列出文件.
After that acquire token using Resource Owner Password flow , you will find Files.ReadWrite.All
in scp
claims . Then you could call microsoft graph api to list files .
更新
以下是我如何使资源所有者流程工作的步骤:
Here is the steps how i make the resource owner flow work :
-
注册一个本机应用程序,为Microsoft Graph添加具有对用户可以访问的所有文件的完全访问权限"委派权限(不要单击
grant permissions
按钮,如上图所示).使用资源所有者密码凭据授予并获取访问令牌,仅在scp
声明中找到User.Read
:
register a native app , Add the "Have full access to all files user can access" delegate permission for Microsoft Graph(don't click
grant permissions
button as above picture shown) . using Resource Owner Password Credentials Grant and get the access token ,only findUser.Read
inscp
claim :
POST https://login.microsoftonline.com/common/oauth2/token 内容类型:application/x-www-form-urlencoded grant_type = password& client_id = XXXXXXXXXX& resource = https://graph.microsoft. com/& username = XXXXXX& password = XXXXXXX
POST https://login.microsoftonline.com/common/oauth2/token Content-Type: application/x-www-form-urlencoded grant_type=password&client_id=XXXXXXXXXX&resource=https://graph.microsoft.com/&username=XXXXXX&password=XXXXXXX
单击上图所示的grant permissions
按钮,使用资源所有者密码凭据授予"并获取访问令牌,您可以在scp
声明中找到Files.ReadWrite.All User.Read
:
click grant permissions
button as above picture shown , using Resource Owner Password Credentials Grant and get the access token ,you could find Files.ReadWrite.All User.Read
in scp
claim :
这篇关于如何在不进行用户交互的情况下授权服务使用Microsoft Graph用户帐户?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!