Office 365 / EWS Authentication using OAuth: The audience claim value is invalid


Question

I'm still struggling with this. Please see my previous question for details.

I am doing an application (currently command line) which should access Office 365/Exchange through EWS Managed API. The goal is to authenticate through OAuth2.

I have registered an application in Azure AD.
I have used the ClientID from there
I generated an App Secret / Key
I have delegated the "Have full access to a users' mailbox (preview)" permissions to the App.

I am using ADAL to retrieve the Access Token like this:

var authority = "https://login.windows.net/<tenant>";
var authContext = new AuthenticationContext(authority);
var clientCredential = new ClientCredential("<clientId>", "<appKey>");
// Client-credentials flow: the app authenticates with its own secret, no user is involved
var result = authContext.AcquireToken("<my ResourceID>", clientCredential);

I do get an access token back. The decoded value is:

{
 "typ": "JWT",
 "alg": "RS256",
 "x5t": "kriMPdmBvx68skT8-mPAB3BseeA"
}.
{
 "aud": "<my resource ID>",
 "iss": "https://sts.windows.net/2d1f889d-7930-4ef6-9f87-ef096d91ac47/",
 "nbf": 1403253608,
 "exp": 1403296808,
 "sub": "bdb0baf9-29ca-4a43-b9f8-d81ca2ae83bd",
 "appid": "<my app ID>",
 "oid": "bdb0baf9-29ca-4a43-b9f8-d81ca2ae83bd",
 "tid": "2d1f889d-7930-4ef6-9f87-ef096d91ac47",
 "idp": "https://sts.windows.net/2d1f889d-7930-4ef6-9f87-ef096d91ac47/"
}.
[signature] 

I then use this token to connect to EWS:

var service = new ExchangeService(ExchangeVersion.Exchange2013_SP1);
var credentials = new OAuthCredentials(token);
service.Credentials = credentials;
service.Url = new Uri("https://outlook.office365.com/EWS/Exchange.asmx");
service.ImpersonatedUserId = new ImpersonatedUserId(ConnectingIdType.SmtpAddress, "<smtp address of o365 mailbox>");
Folder inbox = Folder.Bind(service, WellKnownFolderName.Inbox);

The Folder.Bind fails with a 401 error.

In EWS Trace I can see this as the reason:

The audience claim value is invalid <my resource ID>

The resource ID is the "APP-ID-URI" from the registered application.

I'm sure I'm only missing a small detail... but I can't find it :)
Any pointers are much appreciated.

If I use https://outlook.office365.com/ as resource ID (aud), I get this error message:

ACS50001: Relying party with identifier 'https://outlook.office365.com/' was not found.

The Tenant does have an Exchange subscription, and it has full access to the mailbox.

Recommended answer

Ah ok. With a service-type app, you're going to want to use a service account that can impersonate your users. See this MSDN topic for details. Once you have that account, you'll want to authenticate via OAuth as that service account, then impersonate your users as needed.

With a native application, you cannot use the app secret to authenticate. So you'll need to do something like:

AuthenticationResult result = authContext.AcquireToken("https://outlook.office365.com", clientId, new Uri(callbackUri), PromptBehavior.Auto);

Where clientId is your client ID from your Azure registration, and callbackUri is the redirect URI you specified when registering your app in Azure. This will cause a prompt window to show, but if you save the token and refresh token and use those to refresh, you should avoid any further prompts. The token you get back should look something like:

{
 "typ": "JWT",
 "alg": "RS256",
 "x5t": "kriMPdmBvx68skT8-mPAB3BseeA"
}.
{
 "aud": "https://outlook.office365.com",
 "iss": "https://sts.windows.net/9e4563d1-423e-493b-bdc5-9a98fe2e24d9/",
 "iat": 1403706230,
 "nbf": 1403706230,
 "exp": 1403710130,
 "ver": "1.0",
 "tid": "9e4563d1-423e-493b-bdc5-9a98fe2e24d9",
 "amr": [
  "pwd"
 ],
 "oid": "4a6e20e6-9711-4ca1-888b-34e63f65f897",
 "upn": "impersonationaccount@contoso.com",
 "unique_name": "impersonationaccount@contoso.com",
 "sub": "Pp3JW2dfYELMUBjGjUIZLarT4diOkkKZ1OJPVunzAYE",
 "puid": "100300008A9245F4",
 "family_name": "Account",
 "given_name": "Application",
 "appid": "<your app id>",
 "appidacr": "0",
 "scp": "user_impersonation",
 "acr": "1"
}.
[signature]

The app will authenticate as the impersonationaccount@contoso.com user, and then you can impersonate other users. I just tested this with my test Office 365 account using a little test console app.

One last final caveat: the OAuth permission scope required for EWS is not portable like the other permission scopes are. What I mean by that is that unlike a REST API app, where you can register it in Azure using your developer tenant, and then other Office 365 organizations can just consent to your app, EWS apps that use OAuth have to be registered separately in each tenant that uses them. If you're creating this app for your own organization, not so big a deal. But if you were planning on licensing this app to other organizations, something you should be aware of.
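As an added diagnostic (not code from the question or the answer), this Python script decodes a token's payload and checks the claims this thread shows EWS caring about: aud must be exactly https://outlook.office365.com, scp must carry user_impersonation, and the current time must fall inside the nbf/exp window. It reads claims without verifying the signature, so it is only for inspecting a token the app already holds before sending it, never for trusting a token received from elsewhere; the sample claims are constructed from the two decoded tokens above.

```python
import base64
import json
import time
from typing import Dict, List, Optional

# Audience EWS at outlook.office365.com expects, per the working token in the answer.
EWS_RESOURCE = "https://outlook.office365.com"
REQUIRED_SCOPE = "user_impersonation"

# Constructed sample claims modelled on the two decoded tokens in this thread.
BAD_CLAIMS = {"aud": "<my resource ID>", "appid": "<my app ID>",
              "nbf": 1403253608, "exp": 1403296808}
GOOD_CLAIMS = {"aud": "https://outlook.office365.com", "scp": "user_impersonation",
               "upn": "impersonationaccount@contoso.com",
               "nbf": 1403706230, "exp": 1403710130}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: Dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def decode_claims(token: str) -> Dict:
    """Return the payload claims of a compact JWT. The signature is NOT checked:
    this inspects what the app is about to send, it does not establish trust."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_ews_token(token: str, now: Optional[int] = None) -> List[str]:
    """Return the problems that would make EWS reject this token; empty means OK."""
    claims = decode_claims(token)
    now = int(time.time()) if now is None else now
    problems = []
    aud = claims.get("aud", "")
    if aud != EWS_RESOURCE:  # the question's "<my resource ID>" fails here
        problems.append(f"audience claim {aud!r} is not {EWS_RESOURCE!r}")
    if REQUIRED_SCOPE not in claims.get("scp", "").split():
        problems.append(f"scp claim lacks {REQUIRED_SCOPE!r}")
    if now < claims.get("nbf", 0):
        problems.append("token not yet valid (nbf in the future)")
    if now >= claims.get("exp", 0):
        problems.append("token expired")
    return problems


def make_unsigned_token(claims: Dict) -> str:
    """Build a constructed, unsigned test token so the checks can run offline."""
    return f"{_b64url_encode({'typ': 'JWT', 'alg': 'none'})}.{_b64url_encode(claims)}."
```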
