Microsoft Graph Authentication - Delegated permission

Views: 423

Question

I am able to access resources from Microsoft Graph using Get access without user. However, this method does not allow me to access resources which require delegated permissions.

I also tried to use the Get access on behalf of a user method, but it will require my user to sign in through a webpage, which is not desired in my scenario.

Is it possible to generate an authorization code with a long life time (possibly over a year) and use that code to request an access token, which can then be used to get resources that require delegated permissions?

Note: I know generating an authorization code with such a long life time is not a good idea, but this code will be used by the back-end program to access resources and not the user. So I do not want the user sign-in page to pop up. Looking to implement this in Java.

Thanks!

Recommended answer

In order to use delegated permission, the end user needs to sign in interactively through an OAuth2.0 flow.

Now, you can use a user's creds with the Resource Owner Credentials Flow, which is simply posting the username/password to Azure AD and getting tokens back. This path is not recommended as it's brittle (for example, MFA will not work) and requires your app to manage the user's credentials.

Your best bet is to create some kind of sign-in experience for your users that allows them to sign in and consent to your application. Refresh tokens in Azure AD have a lifetime of until-revoked, meaning they can last as long as a year if not longer. The bottleneck you'll hit is the end user's password expiring, which would lead them to need to sign in again.

For some help with this, Azure AD has an ADAL4j library you can use. I've also written a small Spring MVC Java code sample for the Azure AD v2.0 endpoint (Microsoft Accounts + Azure AD Accounts) that uses a 3rd party library.
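The pattern the answer recommends, as an added example that is not part of the original question or answer and is not ADAL4j's or Microsoft's code: a headless back-end keeps the refresh token obtained from one interactive sign-in, exchanges it silently at the v2.0 token endpoint whenever the cached access token is about to expire, and treats the case the answer warns about (the user's password expires or the token is revoked, which the endpoint reports as `invalid_grant`) as the signal that another interactive sign-in is unavoidable. The endpoint URL shape and the form fields (`grant_type=refresh_token`, `client_id`, `client_secret`, `refresh_token`, `scope`, with `offline_access` in the scope so a refresh token is issued) are the real v2.0 contract; the tenant, client id, client secret and the fake endpoint's token values are constructed placeholders, and the HTTP transport is injected so the logic runs offline.

```python
import json
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlencode

# Shape of the Azure AD v2.0 token endpoint; the tenant is filled in by the caller.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


class InteractiveSignInRequired(Exception):
    """The stored refresh token no longer works (revoked, or the user's password expired/changed)."""


@dataclass
class TokenCache:
    access_token: Optional[str] = None
    refresh_token: Optional[str] = None   # the long-lived secret: store it encrypted at rest
    expires_at: float = 0.0               # epoch seconds after which access_token is stale


class DelegatedTokenClient:
    """Hands out a valid delegated access token, refreshing silently while it can."""

    def __init__(self, tenant: str, client_id: str, client_secret: str, scopes: str,
                 cache: TokenCache, post: Callable[[str, Dict[str, str]], Tuple[int, str]],
                 now: Callable[[], float] = time.time):
        self.token_url = TOKEN_URL.format(tenant=tenant)
        self.client_id, self.client_secret, self.scopes = client_id, client_secret, scopes
        self.cache, self.post, self.now = cache, post, now

    def get_access_token(self) -> str:
        # Reuse the cached access token while it has more than a minute of life left.
        if self.cache.access_token and self.now() < self.cache.expires_at - 60:
            return self.cache.access_token
        if not self.cache.refresh_token:
            raise InteractiveSignInRequired("no refresh token cached; run the sign-in flow once")
        return self._refresh()

    def _refresh(self) -> str:
        form = {"grant_type": "refresh_token", "client_id": self.client_id,
                "client_secret": self.client_secret, "refresh_token": self.cache.refresh_token,
                "scope": self.scopes}
        status, body = self.post(self.token_url, form)
        payload = json.loads(body)
        if status != 200 or "access_token" not in payload:
            error = payload.get("error", "unknown_error")
            if error in ("invalid_grant", "interaction_required"):
                # The token is dead: drop it so later calls fail fast instead of retrying forever.
                self.cache.refresh_token = None
                raise InteractiveSignInRequired(f"{error}: {payload.get('error_description', '')}")
            raise RuntimeError(f"token endpoint returned {status}: {error}")
        self.cache.access_token = payload["access_token"]
        # Azure AD may rotate the refresh token on each exchange; always keep the newest one.
        self.cache.refresh_token = payload.get("refresh_token", self.cache.refresh_token)
        self.cache.expires_at = self.now() + int(payload.get("expires_in", 3600))
        return self.cache.access_token


def urllib_post(url: str, form: Dict[str, str]) -> Tuple[int, str]:
    """Real transport for production: form-encoded POST returning (status, body)."""
    req = urllib.request.Request(url, data=urlencode(form).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def fake_token_endpoint(valid_refresh_tokens):
    """Constructed stand-in for the token endpoint so the example runs offline."""
    calls = []

    def post(url: str, form: Dict[str, str]) -> Tuple[int, str]:
        calls.append(dict(form))
        if form.get("refresh_token") in valid_refresh_tokens:
            return 200, json.dumps({"token_type": "Bearer", "expires_in": 3600,
                                    "access_token": "at-" + form["refresh_token"],
                                    "refresh_token": "rt-rotated"})
        return 400, json.dumps({"error": "invalid_grant",
                                "error_description": "refresh token expired or revoked (constructed)"})
    post.calls = calls
    return post


def demo() -> dict:
    """The three states a headless back-end sees: served from cache, refreshed, sign-in needed."""
    clock = [1_000_000.0]
    post = fake_token_endpoint({"rt-initial", "rt-rotated"})
    cache = TokenCache(refresh_token="rt-initial")   # obtained once via an interactive sign-in
    client = DelegatedTokenClient("tenant-placeholder", "client-id-placeholder",
                                  "client-secret-placeholder",
                                  "https://graph.microsoft.com/Mail.Read offline_access",
                                  cache, post, now=lambda: clock[0])
    first = client.get_access_token()     # nothing cached -> one refresh call
    second = client.get_access_token()    # still fresh -> served from cache, no call
    clock[0] += 3600                      # let the access token age out
    third = client.get_access_token()     # refresh again, now with the rotated refresh token
    cache.refresh_token = "rt-revoked"    # simulate revocation / password expiry
    clock[0] += 3600
    try:
        client.get_access_token()
        outcome = "unexpected success"
    except InteractiveSignInRequired:
        outcome = "sign-in required"
    return {"first": first, "second": second, "third": third, "calls": len(post.calls),
            "outcome": outcome, "refresh_token_after_failure": cache.refresh_token}


if __name__ == "__main__":
    print(demo())
```

Two points worth noting on the design: the refresh token, not the access token, is the long-lived credential the question was looking for, so it is what the cache must protect; and because Azure AD reports a dead refresh token as `invalid_grant`, the client discards it immediately rather than hammering the endpoint, which is the moment a monitoring alert or a "sign in again" notification belongs. `urllib_post` is the drop-in transport for a real deployment, while `fake_token_endpoint` only exists to exercise the logic offline.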

