授权被拒绝尝试访问Microsoft Graph中的Bookings Api [英] Authorization Denied trying to access Bookings Api in Microsoft Graph

问题描述

我正在尝试创建一个从AWS lambda运行的应用程序，该应用程序充当希望使用Microsoft Bookings进行预订的客户的中间人.根据文档，我能够为Graph生成访问令牌，但是当我尝试通过api请求预订信息时，会遭到授权拒绝.

I am trying to create an app that runs from an AWS lambda that acts as a middle man for customers wanting to sign up for a booking using Microsoft Bookings. Following the documentation I am able to generate an access token for Graph, but I get an authorization denial when I try to request information from bookings through the api.

我的代码:

import request from "request";
import { Callback } from "./callback";

const APP_ID = process.env.BOOKINGS_APP_ID;
const APP_SECRET = process.env.BOOKINGS_API_SECRET;
const TOKEN_ENDPOINT = `https://login.microsoftonline.com/${process.env.BOOKINGS_TENANT_NAME}.onmicrosoft.com/oauth2/token`;

const requestParams = {
    client_id: APP_ID,
    client_secret: APP_SECRET,
    grant_type: "client_credentials",
    resource: "https://graph.microsoft.com",
    scope: "https://graph.microsoft.com/.default",
};

export default class Bookings {
    public static async listBusinesses(callback: Callback) {
        Bookings.generateAPIToken((err: string | null, data: any) => {
            const options = {
                // body: {},
                headers: {
                    "Authorization": `Bearer ${data}`,
                    "Content-Type": "application/json",
                },
                method: "GET",
                url: "https://graph.microsoft.com/beta/bookingBusinesses",
            };

            console.log(data);

            return request(options, (error: string, res: any) => {
                if (error) {
                    return callback(error, {});
                }

                return callback(null, JSON.parse(res.body));
            });
        });
    }

    public static async generateAPIToken(callback: Callback) {
        request.post({ url: TOKEN_ENDPOINT, form: requestParams }, (err, res, body) => {
            if (err) {
                return callback(err, {});
            }

            return callback(null, JSON.parse(body).access_token);
        });
    }
}

我得到的错误:

{
    error: {
        code: '',
        message: 'Authorization has been denied for this request.',
        innerError: {
            'request-id': '695d3f90-357d-490c-b980-4a2018dd39a5',
            date: '2020-06-08T03:21:59'
        }
    }
}

我还尝试使用microsoft-graph-client库访问预订，但这也不起作用.我做错了什么?谢谢您的帮助.

I have also tried using the microsoft-graph-client library to access bookings but that doesn't work either. What I am doing wrong? Thank you for any help.

推荐答案

我们可以看到

We can see the document shows the graph api(bookingBusinesses) which you want to request requires delegated type permissions and not support application type permission.

因此，我们不能使用"client_credentials"授予流程，您的代码显示您使用"client_credentials"作为授予类型.您可以使用用户名/密码"授予流来获取访问令牌.因此，您请求访问令牌的参数应如下所示:

So we can not use "client_credentials" grant flow, your code shows you use "client_credentials" as the grant type. You can use "username/password" grant flow to get the access token instead. So the param you request for the access token should be like below:

const requestParams = {
    client_id: APP_ID,
    client_secret: APP_SECRET,
    grant_type: "password",
    scope: "https://graph.microsoft.com/.default",
    username: "your user name/email(like xxxxx@xxx.onmicrosoft.com)",
    password: "your password"
};

顺便说一句，我注意到您代码中的"TOKEN_ENDPOINT"是https://login.microsoftonline.com/${process.env.BOOKINGS_TENANT_NAME}.onmicrosoft.com/oauth2/token，并且您在requestParams中同时使用了参数resource和scope.如果我们使用v1端点作为您的代码，则只需使用参数resource.如果使用v2端点(https://login.microsoftonline.com/${process.env.BOOKINGS_TENANT_NAME}.onmicrosoft.com/oauth2/v2.0/token)，则需要使用参数scope代替参数resource.我上面提供的代码使用v2，因此我使用了scope参数，您还需要将"TOKEN_ENDPOINT"更改为v2(只需在oauth2/和/token之间添加一个v2.0).

By the way, I noticed the "TOKEN_ENDPOINT" in your code is https://login.microsoftonline.com/${process.env.BOOKINGS_TENANT_NAME}.onmicrosoft.com/oauth2/token and you use both params resource and scope in requestParams. If we use v1 endpoint as your code, we just need to use the param resource. If we use v2 endpoint(https://login.microsoftonline.com/${process.env.BOOKINGS_TENANT_NAME}.onmicrosoft.com/oauth2/v2.0/token), we need to use use the param scope instead of the param resource. The code I provided above use v2, so I use scope param and you also need to change the "TOKEN_ENDPOINT" to v2(just add a v2.0 between the oauth2/ and /token).

如果您不想将"TOKEN_ENDPOINT"更改为v2，只需使用以下参数即可:

If you don't want to change the "TOKEN_ENDPOINT" to v2, just use the params like below:

const requestParams = {
    client_id: APP_ID,
    client_secret: APP_SECRET,
    grant_type: "password",
    resource: "https://graph.microsoft.com",
    username: "your user name/email(like xxxxx@xxx.onmicrosoft.com)",
    password: "your password"
};

希望有帮助〜

这篇关于授权被拒绝尝试访问Microsoft Graph中的Bookings Api的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！