Microsoft Graph 身份验证 - 委派权限 [英] Microsoft Graph Authentication - Delegated permission

问题描述

我可以使用 获得访问权限从 Microsoft Graph用户.但是，此方法不允许我访问需要委派权限的资源.

I am able to access resources from Microsoft Graph using Get access without user. However, this method does not allow me to access resources which require delegated permissions.

我还尝试使用 代表用户获取访问权限 方法，但它需要我的用户通过网页登录，这在我的场景中不需要.

I also tried to use the Get access on behalf of a user method, but it will require my user to sign in through a webpage, which is not desired in my scenario.

是否可以生成一个具有较长生命周期(可能超过一年)的授权码并使用该代码请求访问令牌，然后可以使用该令牌获取需要委派权限的资源?

Is it possible to generate an authorization code with a long life time (possibly over a year) and use that code to request an access token, which can then be used to get resources that require delegated permissions?

注意:我知道生成一个生命周期如此长的授权码不是一个好主意，但是这个代码将被后端程序用来访问资源而不是用户.所以我不希望用户登录页面弹出.希望在 Java 中实现这一点.

Note: I know generating an authorization code with such a long life time is not a good idea, but this code will be used by the back-end program to access resources and not the user. So I do not want the user sign in page to pop up. Looking to implement this in Java.

谢谢！

推荐答案

为了使用委托权限，最终用户需要通过 OAuth2.0 流程以交互方式登录.

In order to use delegated permission, the end user needs to sign in interactively through an OAuth2.0 flow.

现在，您可以通过 资源所有者凭据流程 只是将用户名/密码发布到 Azure AD 并取回令牌.不推荐使用此路径，因为它很脆弱(例如，MFA 不起作用)并且需要您的应用来管理用户的凭据.

Now, you can use a user's creds with the Resource Owner Credentials Flow which is simply posting the username/password to Azure AD and getting tokens back. This path is not recommended as it's brittle (For example, MFA will not work) and requires your app to manage the user's credentials.

您最好的选择是为您的用户创建某种登录体验，让他们能够登录并同意您的应用程序.Azure AD 中的刷新令牌具有 生命周期直到撤销意味着它们可以持续一年甚至更长.您将遇到的瓶颈是最终用户的密码过期，这将导致他们需要再次登录.

Your best bet is to create some kind of sign in experience for your users that allows them to sign in and consent to your application. Refresh tokens in Azure AD have a lifetime of until-revoked meaning they can last as long as a year if not longer. The bottleneck you'll hit is the end user's password expiring which would lead them to need to sign in again.

对于这方面的一些帮助，Azure AD 有一个 ADAL4j 库 你可以使用.我还为 Azure AD v2.0 端点(Microsoft使用第 3 方库的帐户 + Azure AD 帐户.

For some help with this, Azure AD has an ADAL4j library you can use. I've also written a small Spring MVC Java code sample for the Azure AD v2.0 endpoint (Microsoft Accounts + Azure AD Accounts) that uses a 3rd party library.

这篇关于Microsoft Graph 身份验证 - 委派权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！