Authenticating Microsoft EWS using Nodejs over SOAP with x509 certificate


Problem description


I have had great success with the Microsoft Graph API to access users etc. within Azure Active Directory, however two things that still require EWS and SOAP are retrieving user photos and adding a mail rule to a user's mail account. I'm using service accounts for everything, and impersonating an account admin to make requests.


After attempting to use the same access token that I am using against the Graph API, I receive the error: The access token is acquired using an authentication method that is too weak to allow access for this application. Presented auth strength was 1, required is 2.


Reading around, I understand that because EWS requires full privileges against the accounts, you can't just pass the access token, but you also have to "do something" with an x509 certificate.


In my registered app, within Azure, I have adjusted the manifest so as to include a self-signed certificate, so that I have:

 "keyCredentials": [{
  "customKeyIdentifier": "lhbl...../w0bjA6l1mQ8=",
  "keyId": "774D2C35-2D58-.....-AC34B15472BA",
  "type": "AsymmetricX509Cert",
  "usage": "Verify",
  "value": "MIIFtTCCA52gAwIB.....mmgufQ2rW5GSjEEXOlO1c7qw=="
}],


My understanding is the customKeyIdentifier is the Base64 of the key, from the command: echo $(openssl x509 -in cert.pem -fingerprint -noout) | sed 's/SHA1 Fingerprint=//g' | sed 's/://g' | xxd -r -ps | base64


The value is literally the key content, with the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- removed, and all newlines removed too (otherwise in the manifest, the JSON isn't valid).


The keyId is a GUID I just generated on the terminal with the uuidgen command; I don't think it's related directly to the certificate in any way.


What I'm not sure of, then, is what I have to change within my code that is going to try to auth against EWS.


I have started out with the node-ews library, my configuration looks like:

var EWS = require('node-ews');

// userEmail, self.accessToken, ewsArgs and cb come from the enclosing function.
var ewsConfig = {
  username: userEmail,
  token: self.accessToken,   // the same bearer token used against the Graph API
  host: 'https://outlook.office365.com/EWS/Exchange.asmx',
  auth: 'bearer'
};
var ews = new EWS(ewsConfig);
var ewsFunction = 'UpdateInboxRules';
ews.run(ewsFunction, ewsArgs)
  .then(result => {
    cb(null, result);
  })
  .catch(err => {
    cb(err);
  });


self.accessToken is the same token that I receive when accessing the Microsoft Graph API.


So, in conclusion, my questions are:

  1. What do I need to do to my request so that I am telling the server to also auth the x509 certificate? I read that I may need to convert it to a PKCS12 certificate also?
  2. Can I use the same accessToken that I am successfully using to access the Graph API?
  3. Is there a code snippet anywhere for Nodejs doing this?
  4. Is the keyId ok to be any identifier I want to give it?

The response I get back contains:

{ 'content-length': '0',
        server: 'Microsoft-IIS/8.5',
        'request-id': '9b0d7a1b-85e6-40f6-9af0-7f65fc6669dc',
        'x-calculatedfetarget': 'MM1P123CU001.internal.outlook.com',
        'x-backendhttpstatus': '401, 401',
        'set-cookie': [Object],
        'x-feproxyinfo': 'MM1P123CA0026.GBRP123.PROD.OUTLOOK.COM',
        'x-calculatedbetarget': 'MM1P123MB1337.GBRP123.PROD.OUTLOOK.COM',
        'x-ms-diagnostics': '2000001;reason="The access token is acquired using an authentication method that is too weak to allow access for this application. Presented auth strength was 1, required is 2.";error_category="invalid_token"',
        'x-diaginfo': 'MM1P123MB1337',
        'x-beserver': 'MM1P123MB1337',
        'x-feserver': 'MM1P123CA0026, VI1PR0701CA0059',
        'x-powered-by': 'ASP.NET',
        'www-authenticate': 'Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000@*", token_types="app_asserted_user_v1 service_asserted_app_v1", authorization_uri="https://login.windows.net/common/oauth2/authorize", error="invalid_token",Basic Realm="",Basic Realm="",Basic Realm=""',
        date: 'Tue, 02 May 2017 18:08:54 GMT',
        connection: 'close' } }

Thanks, much appreciated.

Recommended answer


I followed this article to generate the access_token: https://blogs.msdn.microsoft.com/arsen/2015/09/18/certificate-based-auth-with-azure-service-principals-from-linux-command-line/. I did have some issues with JWT signing; I had to use openssl rsa -check -in key.pem to decrypt the key and save it in a text file. Then JWT signing worked. You also need to be impersonating, see this: https://github.com/CumberlandGroup/node-ews/issues/39


It may help with node-ews. I have not tested this scenario with node-ews. If you are interested in looking at a more robust approach with EWS Managed API-like coding, I have ported the C# version of ews-managed-api to ews-javascript-api; here is the sample code to achieve the same with ews-javascript-api, tested and confirmed working code.

var ews = require("ews-javascript-api");
ews.EwsLogging.DebugLogEnabled = false;
var exch = new ews.ExchangeService(ews.ExchangeVersion.Exchange2013);
// Bearer token obtained through the certificate-based flow linked above
exch.Credentials = new ews.OAuthCredentials("oauth access_token");
exch.Url = new ews.Uri("https://outlook.office365.com/Ews/Exchange.asmx");
// Impersonate the target mailbox and anchor the request to it
exch.ImpersonatedUserId = new ews.ImpersonatedUserId(ews.ConnectingIdType.SmtpAddress, "user@domain.com");
exch.HttpHeaders = { "X-AnchorMailbox": "user@domain.com" };
var rule = new ews.Rule();
rule.DisplayName = "MoveInterestingToJunk";
rule.Priority = 1;
rule.IsEnabled = true;
rule.Conditions.ContainsSubjectStrings.Add("Interesting");
rule.Actions.MoveToFolder = new ews.FolderId(ews.WellKnownFolderName.JunkEmail);
var ruleop = new ews.CreateRuleOperation(rule);
exch.UpdateInboxRules([ruleop], true)
    .then(function (response) {
        console.log("success - update-inboxrules");
        ews.EwsLogging.Log(response, true, true);
    }, function (err) {
        debugger;
        console.log("error in update-inboxrules");
        ews.EwsLogging.Log(err, true, true);
    });

