获取 Microsoft Graph 和单个服务 API 端点(Outlook REST API 等)的访问令牌 [英] Obtain access token for both Microsoft Graph and individual service API endpoints (Outlook REST APIs etc.)

问题描述

我花了一些时间研究 Azure AD OAuth 2.0.

I spent some time playing around with Azure AD OAuth 2.0.

使用范围 https://outlook.office.com/mail.read 获得的访问令牌与 Microsoft Graph 一起使用时会引发 401 Unauthorized.

An access token obtained with scope https://outlook.office.com/mail.read throws 401 Unauthorized when used with Microsoft Graph.

同样，使用范围 https://graph.microsoft.com/mail.read 获得的访问令牌在与 Outlook REST API 端点一起使用时会抛出 401 Unauthorized.

Similarly, an access token obtained with scope https://graph.microsoft.com/mail.read throws 401 Unauthorized when used with Outlook REST API endpoints.

此外，如果我在授权用户时同时提及这两个范围，则会收到错误消息.

Also, I get an error if I mention both the scopes while authorizing a user.

是否可以拥有允许访问 Microsoft Graph 和 Outlook REST API 端点的访问令牌?

Is it possible to have access tokens that allow access to both Microsoft Graph and Outlook REST API endpoints?

我正在构建一个电子邮件应用程序.最初，我将构建基本功能，例如同步/发送电子邮件.

I am building an emailing app. Initially, I will build basic features like syncing/sending emails.

我将使用 Microsoft Graph，因为它支持我目前需要的所有功能，并且 Microsoft 推荐它而不是单个服务 API 端点.

I will be using Microsoft Graph, since it supports all that I need presently and Microsoft recommends it over individual service API endpoints.

我担心未来.我目前将获得的 OAuth 访问令牌的范围为 https://graph.microsoft.com/mail.read.将来，我想构建的新功能可能不受 Microsoft Graph 支持，但 Outlook REST API 端点支持.在这种时候，我想使用 Outlook REST API 端点.

I am worried about future. The OAuth access tokens that I will obtain at present will have scope https://graph.microsoft.com/mail.read. In future, it may happen that a new feature I want to build is not supported by Microsoft Graph but it is supported By Outlook REST API endpoints. At such time I would want to use the Outlook REST API endpoints.

我是否必须为每个用户维护两组 OAuth 访问令牌?要求每个用户重新认证也不是一个好主意.

Do I have to maintain two sets of OAuth access token for every user? Also asking every user to re-auth is not a good idea.

推荐答案

是的，您可以使用 RefreshToken 将 AccessToken 获取到与您请求图形访问(范围)时授权范围相同的各个端点.

Yes, you can use the RefreshToken to get an AccessToken to the individual endpoints with the same scopes as authorized when you requested the graph access (scopes).

例如如果您请求 Mail.Read(https://graph.microsoft.com/mail.read 的简称)，您可以使用 refresh_token 返回令牌发布端点scope="https://outlook.office.com/mail.read" 并获取此端点的 accesss_token.

E.g. If you requested Mail.Read (shortname for https://graph.microsoft.com/mail.read) you can get back to the token issuing endpoint with the refresh_token with scope="https://outlook.office.com/mail.read" and get an accesss_token for this endpoint.

这篇关于获取 Microsoft Graph 和单个服务 API 端点(Outlook REST API 等)的访问令牌的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！