Office365 EWS API : The token has invalid value 'roles' for the claim type ''


Question


I'm trying to access the Office365 REST API using OAuth2: http://msdn.microsoft.com/en-US/library/office/dn605901.aspx


I followed all the steps described here: http://blogs.msdn.com/b/exchangedev/archive/2014/03/25/using-oauth2-to-access-calendar-contact-and-mail-api-in-exchange-online-in-office-365.aspx


I have an OAuth2 token for resource "https://outlook.office365.com/" but when I try to access the API I get the following error:

"The token has invalid value 'roles' for the claim type ''."


I successfully managed to access the Windows Azure AD "Graph" API using the same logic, and I haven't seen anything related to a "claim" anywhere in the doc. Am I missing something?


So far I have tried to add or remove the prompt=admin_consent from the authorization URI, which triggers the proper dialog from Microsoft, but that doesn't change anything.


I'm sending the request to the following endpoint:

https://outlook.office365.com/EWS/OData/Me/Inbox/Messages

Here is the raw response:

HTTP/1.1 401 Unauthorized
Cache-Control: private
Server: Microsoft-IIS/8.0
request-id: b5b3df59-c23d-4a47-83b7-79c2f7ed6211
Set-Cookie: ClientId=OGLQDFMY0KPSRZSMJBA; expires=Fri, 07-Aug-2015 14:00:33 GMT; path=/; HttpOnly
X-CalculatedBETarget: dm2pr0701mb1216.namprd07.prod.outlook.com
x-ms-diagnostics: 2000001;reason="The token has invalid value 'roles' for the claim type ''.";error_category="invalid_token"
X-DiagInfo: DM2PR0701MB1216
X-BEServer: DM2PR0701MB1216
X-AspNet-Version: 4.0.30319
Set-Cookie: exchangecookie=17695b411d96429b9a2e2db37905b856; expires=Fri, 07-Aug-2015 14:00:35 GMT; path=/; HttpOnly
Set-Cookie: X-BackEndCookie=OrganizationAnchor@cleverage.onmicrosoft.com=u56Lnp2ejJqBnZqdm8zIm8bSzMnNyNLLz52a0sfGx8zSy8nHm53Myc+anMqcgZyTmomajZ6YmtGQkZKWnI2QjJCZi9GckJKBzc/Oy9LPxtLPyavOy8XPz8XMyg==; expires=Sat, 06-Sep-2014 14:00:35 GMT; path=/EWS; secure; HttpOnly
X-Powered-By: ASP.NET
X-FEServer: AMSPR02CA0019
WWW-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000@*", authorization_uri="https://login.windows.net/common/oauth2/authorize", error="invalid_token",Basic Realm="",Basic Realm=""
Date: Thu, 07 Aug 2014 14:00:34 GMT
Connection: close
Content-Length: 0


Just for your information, I'm developing a Symfony2 app using the "lusitanian/oauth" library for OAuth with a few tweaks to connect to Azure AD.


I will be very grateful with any help one can provide :)


The API works fine with Basic HTTP Auth, by the way, but it would force me to store all the users' passwords in clear text in my database, which is quite horrible.


The delegated permissions for Office 365 Exchange Online in the Azure backend are set to 3 (read contacts, calendar and mail).

Recommended answer


When you registered your app in Azure AD, did you add permissions for Office 365 Exchange Online? Did you set the Application Permissions or the Delegated Permissions? (The UI shouldn't present any available Application Permissions, since they aren't supported yet, but just to be sure...). The reason is that application permissions are typically shown as 'roles' in the token, while delegated permissions show as 'scp' in the token.


Also, can you decode your access token and compare with this example? You can use http://jwt.calebb.net/ to do a quick parse from the base64-encoded token you get back. If you're stuck, you can post it here, but please remove the client ID, tenant ID, and user information first! I just want to see the structure, along with your aud and scp values (if present). It should look something like:

{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "kriMPdmBvx68skT8-mPAB3BseeA"
}

{
  "aud": "https://outlook.office365.com/",
  "iss": "https://sts.windows.net/<tenant_id>/",
  "iat": 1407344872,
  "nbf": 1407344872,
  "exp": 1407348772,
  "ver": "1.0",
  "tid": "<your tenant_id>",
  "amr": [
    "pwd"
  ],
  "oid": "169bf758-9811-4f6a-b924-80c6bbd4ad92",
  "upn": <user_email>,
  "unique_name": <user_email>,
  "sub": "2n3Mq5HtdCN1WVQk494lPipvfVxeSZCYATOpWyN92iA",
  "puid": "10037FF56F8936F7",
  "family_name": "Chaves",
  "given_name": "Mack",
  "appid": "<your client_id>",
  "appidacr": "0",
  "scp": "Contacts.Write Calendars.Write Mail.Send Mail.Write",
  "acr": "1"
}


If it looks different, there's an issue with your app registration. Make sure you follow the steps in http://msdn.microsoft.com/EN-US/library/office/dn605894(v=office.15).aspx, specifically the "Manually register your web app in Azure AD", the "Get an application key", and the "Configure API permissions" sections (using Exchange instead of SharePoint, in your case).

EDIT


Login to https://manage.windowsazure.com and navigate to your app. With your app selected, click the Manage Manifest button at the bottom, and choose to download the manifest. Open this with a text editor. Post just the section called "requiredAppPermissions" and I'll check it against mine.
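The answer's diagnostic step, decoding the access token and checking whether it carries the delegated `scp` claim or the application-permission `roles` claim for the `https://outlook.office365.com/` audience, can be done offline without a web decoder. The following Python is an added example, not code from the question, the answer or any Microsoft library. It decodes the JWT segments without verifying the signature (fine for inspecting a token you already hold; never accept a client-supplied token this way), and the two sample tokens it inspects are constructed here with a dummy signature segment and placeholder tenant and client IDs, so the values are illustrative rather than real Azure AD tokens.

```python
import base64
import json


def _b64url_encode(obj) -> str:
    """Base64url-encode a JSON object the way JWT segments are encoded (no padding)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    """JWT segments drop base64 padding; restore it before decoding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_unverified(token: str) -> tuple:
    """Split a compact JWS into (header, claims) WITHOUT checking the signature.

    Only for inspecting a token you already hold, as in the answer above;
    a resource server must never accept a token on this basis.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def check_exchange_token(token: str, resource: str = "https://outlook.office365.com/") -> dict:
    """Report whether the token is a delegated (scp) token for the given
    resource, or an application-permission (roles) token, which is the
    shape that produces the "invalid value 'roles'" rejection in the question."""
    _, claims = decode_jwt_unverified(token)
    findings = {
        "aud_ok": claims.get("aud") == resource,
        "has_scp": "scp" in claims,
        "has_roles": "roles" in claims,
        # scp is a single space-separated string in Azure AD v1 tokens
        "scopes": claims["scp"].split() if "scp" in claims else [],
    }
    findings["delegated_ok"] = (
        findings["aud_ok"] and findings["has_scp"] and not findings["has_roles"]
    )
    return findings


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token (signature segment is a placeholder)."""
    header = {"typ": "JWT", "alg": "RS256", "x5t": "dummy"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.c2ln"  # "c2ln" = 'sig'


# Constructed sample: the delegated-permission shape the answer expects to see.
GOOD = make_sample_token({
    "aud": "https://outlook.office365.com/",
    "iss": "https://sts.windows.net/<tenant_id>/",
    "appid": "<client_id>",
    "scp": "Contacts.Write Calendars.Write Mail.Send Mail.Write",
})

# Constructed sample: an application-permission token, which carries 'roles'
# instead of 'scp' and would be rejected by the EWS endpoint in the question.
BAD = make_sample_token({
    "aud": "https://outlook.office365.com/",
    "iss": "https://sts.windows.net/<tenant_id>/",
    "appid": "<client_id>",
    "roles": ["Mail.Read"],
})


if __name__ == "__main__":
    for name, tok in (("delegated", GOOD), ("app-permission", BAD)):
        print(name, check_exchange_token(tok))
```

To inspect a real token, paste it in place of `GOOD` (after removing tenant, client and user identifiers before sharing any output): `delegated_ok` should be true, `scopes` should list the permissions consented to, and a token whose `aud` is the Graph API resource rather than `https://outlook.office365.com/` will fail the `aud_ok` check even though it worked against Graph.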

