获取对EWS和User.Read.All的访问令牌

问题描述 投票:0回答:1

我尝试获取对范围的访问令牌:'https://outlook.office.com/EWS.AccessAsUser.All','User.Read.All'。

  1. 如果我使用以下URL获取授权码:https://login.microsoftonline.com/common/oauth2/v2.0/authorize?scope=https%3A%2F%2Foutlook.office.com%2FEWS.AccessAsUser.All+User.Read.All&client_id=AAA...ZZZ&redirect_uri=http%3A%2F%2Flocalhost%3A9999&response_type=code访问令牌响应为:
{
'scope': 'https://outlook.office.com/EWS.AccessAsUser.All https://outlook.office.com/User.Read https://outlook.office.com/User.Read.All', 
'ext_expires_in': 3599, 
'expires_in': 3599, 
'token_type': 'Bearer', 
'access_token': '123...zzz'
}

请注意回复中的范围。该访问令牌可在EWS请求中正常运行。但是对MS Graph API的请求返回:

{
    "error": {
        "code": "InvalidAuthenticationToken",
        "innerError": {
            "date": "2020-02-15T19:45:50",
            "request-id": "4542b743-05e1-4555-b612-e0419c3b624b"
        },
        "message": "Access token validation failure. Invalid audience."
    }
}
  1. 如果我使用以下URL获取授权代码:https://login.microsoftonline.com/common/oauth2/v2.0/authorize?redirect_uri=http%3A%2F%2Flocalhost%3A9999&client_id=AAA...ZZZ&scope=User.Read.All+https%3A%2F%2Foutlook.office.com%2FEWS.AccessAsUser.All&response_type=code访问令牌响应为:
{
'scope': 'EWS.AccessAsUser.All User.Read User.Read.All profile openid email', 
'ext_expires_in': 3599, 
'access_token': '0123...zzz',
'token_type': 'Bearer',
 'expires_in': 3599
}

同样,请注意回复中的范围。此访问令牌可在MS Graph请求中正常运行。但是EWS请求返回错误:

Error: Microsoft.Exchange.WebServices.Data.ServiceRequestException: The request failed. The remote server returned an error: (401) Unauthorized. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
   at System.Net.HttpWebRequest.GetResponse()
  1. MSAL在这种情况下也不起作用。 
var pcaOptions = new PublicClientApplicationOptions
{
  ClientId = _appId,
  TenantId = _tenantId
};
var pca = PublicClientApplicationBuilder.CreateWithApplicationOptions(pcaOptions).Build();
var ewsScopes = new string[] { "User.Read.All", "https://outlook.office.com/EWS.AccessAsUser.All" };
var authResult = await pca.AcquireTokenInteractive(ewsScopes).ExecuteAsync();
foreach (var s in authResult.Scopes)
{
    Console.WriteLine($"Scope: {s}");
}

如果https://outlook.office.com/EWS.AccessAsUser.All在范围列表中,则访问令牌在EWS请求中有效。对MS Graph的请求返回错误:

Error: Status Code: Unauthorized
Microsoft.Graph.ServiceException: Code: InvalidAuthenticationToken
Message: Access token validation failure. Invalid audience.
azure azure-active-directory exchangewebservices adal msal
1个回答
0
投票

根据您提供的信息,您想要请求访问令牌来调用Microsoft Graph和Outlook Rest API,并且使用一个请求来请求这两个API的访问令牌。但是我们不能那样做。因为所有Microsoft提供的身份验证流程在您请求令牌时都不允许多个资源/范围。换句话说,一个请求只能请求Microsoft图形或Outlook Rest API的访问令牌。有关更多详细信息,请参阅Accessing Multiple resources in a single authorization request

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.