How to log on to user mailbox from service using oAuth and MS Graph API


Problem description

I am adding oAuth authentication support to a daemon application. In the case of IMAP, the application logs on to every mailbox by specifying a user ID/password. Office365 oAuth access requires application registration and uses the Client Credentials Grant flow. In this case, the application authenticates with Azure AD once and accesses every mailbox using the oAuth token. This authentication flow requires significant changes to the existing code base. I would like to access mailboxes in logically the same way as IMAP (specify user credentials for every mailbox). Office365 supports that authentication flow, but it uses the system browser, where the interactive user gives consent to access the mailbox. My daemon application runs as a headless service with no access to the system browser. How do I log on to a user's mailbox with the user's credentials?

Recommended answer

The OAuth 2.0 Resource Owner Password Credentials (ROPC) grant allows an application to sign in the user by directly handling their password.

An authorization request sample for your reference:

// Line breaks and spaces are for legibility only. This is a public client, so no secret is required.

POST {tenant}/oauth2/v2.0/token
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=user.read%20openid%20profile%20offline_access
&username=MyUsername@myTenant.com
&password=SuperS3cret
&grant_type=password

Note that there is a warning:

Microsoft recommends you do not use the ROPC flow. In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks which are not present in other flows. You should only use this flow when other more secure flows can't be used.
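The following is an added example, not code from the answer above or from Microsoft. It builds the ROPC token request shown in the answer with the standard library, builds the client credentials request that the question names as the alternative, and classifies the token endpoint's reply so a headless daemon can tell a usable token from a failure that only a browser session could resolve (for example, a tenant that requires multi-factor authentication, which ROPC cannot satisfy). The tenant, client id, credentials and the two sample JSON replies are constructed placeholders; `Mail.Read` is an assumed scope for mailbox access, since the answer's sample only requests `user.read`.

```python
# Added example, not from the original Q&A: assembling and interpreting the
# ROPC and client-credentials token requests against the v2.0 endpoint.
# All tenant/client/user values and the sample replies are constructed.
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_HOST = "https://login.microsoftonline.com"


def token_url(tenant):
    """v2.0 token endpoint for a tenant (tenant id, verified domain, or 'organizations')."""
    return f"{TOKEN_HOST}/{tenant}/oauth2/v2.0/token"


def build_ropc_request(tenant, client_id, username, password, scopes):
    """Form body for the Resource Owner Password Credentials grant (the answer's sample).
    The user's cleartext password is sent to the token endpoint, which is the
    risk the answer's warning refers to: the daemon must store and handle it."""
    body = {
        "client_id": client_id,
        "scope": " ".join(scopes),
        "username": username,
        "password": password,
        "grant_type": "password",
    }
    # quote (not quote_plus) so spaces become %20, as in the answer's sample
    return token_url(tenant), urllib.parse.urlencode(body, quote_via=urllib.parse.quote)


def build_client_credentials_request(tenant, client_id, client_secret):
    """Form body for the Client Credentials grant the question describes:
    the app authenticates once with its own secret and gets application
    permissions via the .default scope, with no user password involved."""
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }
    return token_url(tenant), urllib.parse.urlencode(body)


def classify_token_response(status, payload):
    """Reduce a token endpoint reply to what a headless service can act on.
    A 200 reply carries access_token; error replies carry 'error' and
    'error_description'. Assumption in this example: interaction_required and
    invalid_grant are treated as 'a browser step is needed' (MFA, consent,
    expired password), i.e. failures a daemon cannot retry its way out of."""
    if status == 200 and "access_token" in payload:
        return {"ok": True, "token_type": payload.get("token_type"),
                "expires_in": payload.get("expires_in"),
                "has_refresh_token": "refresh_token" in payload}
    err = payload.get("error", "unknown")
    needs_user = err in ("interaction_required", "invalid_grant")
    return {"ok": False, "error": err, "needs_interactive_login": needs_user,
            "description": payload.get("error_description", "")}


def post_form(url, body, timeout=10):
    """Send the form-encoded request and return (status, parsed JSON).
    This performs a real network call and is not exercised by the samples below."""
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read())


# Constructed sample replies shaped like the token endpoint's JSON (not real tokens)
SAMPLE_SUCCESS = {"token_type": "Bearer", "expires_in": 3599,
                  "scope": "Mail.Read openid offline_access",
                  "access_token": "eyJ...constructed", "refresh_token": "0.A...constructed"}
SAMPLE_NEEDS_USER = {"error": "invalid_grant",
                     "error_description": "constructed: this account requires multi-factor "
                                          "authentication, which the password grant cannot complete"}

if __name__ == "__main__":
    url, body = build_ropc_request("myTenant.com", "6731de76-14a6-49ae-97bc-6eba6914391e",
                                   "MyUsername@myTenant.com", "SuperS3cret",
                                   ["Mail.Read", "openid", "offline_access"])
    print("POST", url)
    print(body)
    for status, sample in ((200, SAMPLE_SUCCESS), (400, SAMPLE_NEEDS_USER)):
        print(classify_token_response(status, sample))
```

The point of the classification step is operational: with ROPC, a per-mailbox logon can fail for reasons a service cannot fix (MFA enforced, consent missing, password expired), so the daemon should log those as "needs interactive login" and alert an administrator rather than retry with the same password, which looks like a credential-stuffing pattern in sign-in logs. The client credentials request is included because it is the flow the question already describes as the one the platform recommends for exactly this headless case.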

