Office365 API - Accessing another user's/room's calendars


Problem description


I'm attempting to build an application that will have access to all of an organization's calendars (users, rooms, etc).

Currently my auth flow will sign in on behalf of a tenant user and make use of refresh tokens to access needed resources. As soon as I make a request to:

https://outlook.office365.com/api/v1.0/users/{room-resource@email}/events

My application gets a 401 response.

From my gathering, it seems that this flow is limited to a single user's scope. Although the tenant admin should have permission to see any of the room resources, the room is technically a user itself so the API will respond with a forbidden error. It now seems that the proper flow is a tenant admin must grant permission to my application using the new Service OAuth Flow.

Reading through this post it seems that the API is making use of OAuth client credentials grant type (app only tokens). Instead of using the /oauth/common endpoint I now have to use /oauth/tenant-id which I can retrieve via the JWT token returned in the code+id_token response type. This leads to my first question:

Is using the OpenID flow the only way to initially retrieve the tenant ID?

Next is where things get a little fuzzy for me.

We now have to generate an X.509 SSL certificate and upload the fingerprint/value to our Azure application manifest. Easy enough.

Then according to the discussion in Office 365 Rest API - Daemon week authentication we build a specific JWT, base64 encode it, and sign it with our cert.

I haven't actually gotten to the last few steps here but I will post my results when I can. I'm just making sure that I seem to be following the correct procedure for what resources I'm trying to access. I know the service tokens are a fairly new feature, it's just unfortunate that I had to find the flow of sending the signed JWT on Stackoverflow rather than official MSFT documentation...

I also noticed that since we're using the client credentials flow we will not receive a refresh_token in the response. So for my final question:

When accessing different resources (ie Graph API/Office365 API) do I just get a different access token for each resource using my signed request instead of using refresh tokens for multiple resources?

If the general direction I seem to be going is correct let me know! Any help is greatly appreciated.
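As an added illustration of the certificate-signed JWT and app-only token request the question describes (example code, not from the question, the answer or Microsoft): the assertion is a JWT whose audience is the tenant-specific token endpoint, whose issuer and subject are the application's client id, and whose header carries the certificate thumbprint (x5t); it is then posted with grant_type=client_credentials for one resource at a time. The token endpoint URL, the claim set and the `sign` callable (which must produce an RS256 signature with the certificate's private key and is supplied by the caller) are assumptions of this example.

```python
import base64
import hashlib
import json
import time
import uuid

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def json_bytes(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def cert_thumbprint_x5t(cert_der: bytes) -> str:
    """x5t header value: base64url of the SHA-1 thumbprint of the DER certificate
    (the same thumbprint that was uploaded to the Azure application manifest)."""
    return b64url(hashlib.sha1(cert_der).digest())


def build_client_assertion(tenant_id, client_id, cert_der, sign, lifetime=600):
    """Assemble the signed JWT sent as client_assertion. `sign(signing_input)` must
    return an RS256 signature made with the certificate's private key (assumed)."""
    now = int(time.time())
    header = {"alg": "RS256", "typ": "JWT", "x5t": cert_thumbprint_x5t(cert_der)}
    claims = {
        # aud is the tenant-specific token endpoint, not /common (assumed v1 endpoint)
        "aud": f"https://login.microsoftonline.com/{tenant_id}/oauth2/token",
        "iss": client_id,
        "sub": client_id,
        "jti": str(uuid.uuid4()),  # unique per assertion so a replayed one is rejected
        "nbf": now,
        "exp": now + lifetime,     # keep the assertion short-lived
    }
    signing_input = f"{b64url(json_bytes(header))}.{b64url(json_bytes(claims))}"
    return f"{signing_input}.{b64url(sign(signing_input.encode('ascii')))}"


def build_token_request(assertion: str, resource: str) -> dict:
    """Form fields for the token request. One access token is minted per resource
    (e.g. https://outlook.office365.com/); no refresh_token comes back."""
    return {"grant_type": "client_credentials", "client_assertion_type": JWT_BEARER,
            "client_assertion": assertion, "resource": resource}


def decode_unverified(jwt: str):
    """Split a JWT into (header, claims) for inspection; no signature check."""
    h, c, _ = jwt.split(".")
    pad = lambda s: s + "=" * (-len(s) % 4)
    return (json.loads(base64.urlsafe_b64decode(pad(h))),
            json.loads(base64.urlsafe_b64decode(pad(c))))
```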

Solution

Late to the party, but I've been fighting through this too, and here's what I've found.

The OAuth route into Office365 will only allow you to access your own calendar. Doesn't matter what permissions the app has in Azure, or what you configure per user. It's a limitation of the API.

This was confirmed by MSFT in the comments to this StackOverflow question:
Office365 API - Admin accessing another users/room's calendar events

You can, however, use Basic Auth to gain access to another person's calendar.

1) Configure the "Primary" user (the one you authenticate with) to have access to the "Secondary" user's (the one with the calendar you want to view) account. To do this, go into the Exchange Properties for the Secondary user -> Mailbox Delegation and give Full Access to the Primary User.

2) Pass the authentication along with the request to the Office365 API:

<?php
$username = 'primary@user.com';
$password = 'mypass';
$URL = 'https://outlook.office365.com/api/v1.0/users/secondary@user.com/events';

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $URL);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// Basic Auth: the Primary user's credentials are sent with the request
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
curl_setopt($ch, CURLOPT_USERPWD, "$username:$password");

// Run the request first; CURLINFO_HTTP_CODE is only populated after curl_exec
$result = curl_exec($ch);
$status_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($status_code != 200) {
    // 401 here means the Primary user has no delegated access to the mailbox
    echo "Request failed with HTTP status $status_code\n";
}
print_r($result);

?>

3) If you've done everything right, you now have the events for the Secondary user!
