Sharepoint API Headless 获取访问令牌 [英] Sharepoint API Headless Obtaining Access Tokens
问题描述
我正在编写一个必须调用 Sharepoint-online API 的集成.我的集成不是网络应用程序,必须在没有用户存在的情况下工作.
I am coding an integration that has to call Sharepoint-online API's. My integration is not a webapp and has to work without a user present.
据我所知,我需要两个设置步骤:1. 用户必须登录 Azure 并设置应用程序并获取客户端 ID.2. 我必须使用客户端 ID 和用户名和密码调用服务,然后我将获得访问令牌、刷新令牌和 ID 令牌
As I understand it I need two setup steps: 1. User has to log in to Azure and set up an application and obtain a client ID. 2. I have to call a service with client ID and username and password I will then obtain an Access Token, Refresh Token and ID Token
完成两个设置步骤后,我就可以使用访问令牌调用服务,但有时这会过期,我需要使用刷新令牌来获取新令牌.
Once the two setup steps are complete I then can call the service using the access token, but sometimes this will expire and I need to use the refresh token to get a new one.
第 2 步对我来说似乎很奇怪.为什么没有用户可以登录并获取访问刷新和 ID 令牌的用户界面?有人建立了一个实用程序网站来执行此操作,还是我误解了某些内容?
Step 2 seems odd to me. Why isn't there a user interface where a user can log in and obtain the Access Refresh and ID tokens? Has someone built a utility website that just does this, or have I mis-understood something?
谢谢罗伯特
推荐答案
推荐用于服务和守护程序应用的 OAuth 流是客户端凭据流(在该流中,不涉及刷新令牌;客户端 ID 和客户端密钥用于获取最终过期的访问令牌,然后您需要使用相同的客户端 ID 和密钥获取新的访问令牌).对于 SharePoint Online,对于这种情况,您有 2 个选项:
The recommended OAuth flow for service and daemons apps is the Client Credential Flow (in that flow, there no refresh tokens involved; a client ID and a client secret is used to obtain an access token which eventually expires and then you need to get a new access token using the same client ID and secret). In the case of SharePoint Online, you have 2 options for this scenario:
- SharePoint Online + Azure 访问控制服务 (ACS) 集成. 详细信息 此处.简而言之,您创建了一个服务主体(仅添加策略),例如在网站集级别 - 按照我为此链接的博客中的创建 AppPrincipal"部分进行操作.然后,您需要在应用程序清单中分配您的应用程序所需的特定权限.请参阅授予应用程序主体权限"部分中的示例 - 同样,您应该首先定义 您的应用需要哪些权限.然后,您可以从控制台应用程序使用服务主体:
- SharePoint Online + Azure Access Control Service (ACS) integration. Details here. In short, you create a service principal (add in only policy) for instance at the site collection level - follow the "Creating the AppPrincipal" section in the blog I linked for this. Then you need to assign the specific permissions your app will need, in the application manifest. See a sample for that in the "Giving the App Principal Permissions" sections - again, you should first define what permissions your app needs. Then, you can use the service principal from a console application:
程序.cs
static void Main(string[] args)
{
Uri siteUri = new Uri("https://tenant.sharepoint.com/teams/test");
//Get the realm for the URL
string realm = TokenHelper.GetRealmFromTargetUrl(siteUri);
//Get the access token for the URL.
// Requires this app to be registered with the tenant
string accessToken = TokenHelper.GetAppOnlyAccessToken(
TokenHelper.SharePointPrincipal,
siteUri.Authority, realm).AccessToken;
HttpWebRequest endpointRequest =
(HttpWebRequest)HttpWebRequest.Create(
"https://tenant.sharepoint.com/teams/test/_api/web/lists/GetByTitle('Documents')/items");
endpointRequest.Method = "GET";
endpointRequest.Accept = "application/json;odata=verbose";
endpointRequest.Headers.Add("Authorization", "Bearer " + accessToken);
HttpWebResponse endpointResponse =
(HttpWebResponse)endpointRequest.GetResponse();
}
}
app.config
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" />
</startup>
<appSettings>
<add key="ClientId" value="65e674ca-3827-4134-852b-1196ff935e08"/>
<add key="ClientSecret" value="xxxxxxx"/>
</appSettings>
</configuration>
- SharePoint Online + Azure Active Directory (AAD) 集成. 详细信息 此处.在该链接中,您将找到示例代码.第一种方法的区别在于,在这种方法中,您使用的不是 ACS,而是 AAD.应用程序所需的权限在 AAD 中定义 - 据我所知,截至今天,您可以在 AAD 中定义的应用程序权限不像您可以通过 ACS 定义的那样细粒度 -即,使用 ACS,您可以在网站集级别定义应用程序,使用 AAD,您不能让应用程序拥有租户范围的权限(即所有网站集)
- SharePoint Online + Azure Active Directory (AAD) integration. Details here. In that link you will find a sample code. The difference between the first approach is that in this one you are not using ACS but AAD. The permission that the app needs is defined in AAD - as of today, as far as I know, the application permissions that you can define in AAD are not as granular as the ones you can define via ACS - i.e. with ACS you can define an app at the site collection level, with AAD you can't the app will have tenant wide permissions (i.e. all site collections)
这篇关于Sharepoint API Headless 获取访问令牌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!