Microsoft Graph API access token validation failure

Frontend | Unresolved | 5 | 1502
耶瑟儿~ 2021-01-13 05:31

I use this URL to get id_token:

https://login.microsoftonline.com/common/oauth2/authorize?
response_type=id_token%20code&
client_id=MY_CLIENT_GUID_ID_IN_         


        
5 answers
  • 2021-01-13 05:33

    To receive the access token and use it for profile requests, you don't need anything server-side; you can implement OAuth2 purely from the client side.

    Use the following URL for login:

    https://login.microsoftonline.com/common/oauth2/authorize?client_id=YOUR_CLIENT_ID&resource=https://graph.microsoft.com&response_type=token&redirect_uri=YOUR_REDIRECT_URI&scope=User.ReadBasic.All

    After a successful login, the user will be redirected to the page with an access_token parameter. Then use the following AJAX call to fetch the user info:

    // Pull the access_token out of the redirect URL (the implicit flow returns it in the URL fragment)
    var token = login_window.location.href.split('access_token=').pop().split('&')[0];
    $.ajax({
        url: "https://graph.microsoft.com/v1.0/me",
        type: "GET",
        // Graph expects the token as a Bearer token in the Authorization header
        beforeSend: function(xhr){ xhr.setRequestHeader('Authorization', 'Bearer ' + token); },
        success: function(data) {
            alert('Hi ' + data.displayName);
            console.log(data);
        }
    });

    Note that you may need to enable oauth2AllowImplicitFlow:true setting from your Azure Active Directory application manifest file.

    Set "oauth2AllowImplicitFlow": false to "oauth2AllowImplicitFlow": true.

    Lastly, ensure that your app has the required permissions for Microsoft Graph, which are "Sign in users" and "View users' basic profile".

  • 2021-01-13 05:38

    I had this issue today when I was playing with the Graph API; the problem in my case was how I was generating the token.

    I used Postman for generating the token, where in the Auth URL section I was adding resource = client_id, whereas it should be the Graph URL. After making that change I was able to make the call via Postman.

    In order for the above to work, please make sure your application in Azure has delegated permissions to access the Graph API.

  • 2021-01-13 05:51

    OAuth 2.0 requires multiple steps. The first request returns an OAuth code. The next step is converting that OAuth code into a Bearer token. This is the step you are missing here.

    I would also recommend using the v2 Endpoint which is a lot easier to work with (particularly with Graph). I wrote a v2 Endpoint Primer that walks through the process and may be helpful as well.

  • 2021-01-13 05:53

    You can't use the token directly; there is one more step to exchange the code you get from the response URL into a token.

    Here is my C# code (using Microsoft.IdentityModel.Clients.ActiveDirectory):

    using System;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;

    // Check, CanCompleteSignIn, VerificationCode, Globals and ADALTokenCache are helpers from the poster's own code base.
    public static AuthenticationResult ExchangeCodeForToken(string InTenantName, string InUserObjId, string InRedirectUri, string InApplicationAzureClientID, string InApplicationAzureClientAppKey)
    {
        Check.Require(!string.IsNullOrEmpty(InTenantName), "InTenantName must be provided");
        Check.Require(!string.IsNullOrEmpty(InUserObjId), "InUserObjId must be provided");

        if (CanCompleteSignIn) // redirect from sign-in: VerificationCode holds the authorization code from the response URL
        {
            var clientCredential = new ClientCredential(InApplicationAzureClientID, InApplicationAzureClientAppKey);
            // Login authority is https://login.microsoftonline.com/TenantName; the token cache is keyed by the user's object id
            var authContext = new AuthenticationContext(Globals.GetLoginAuthority(InTenantName), (TokenCache)new ADALTokenCache(InUserObjId));
            // Exchange the code for a token issued for the Graph resource; RESOURCE_ID is "https://graph.microsoft.com/"
            return authContext.AcquireTokenByAuthorizationCode(VerificationCode, new Uri(InRedirectUri), clientCredential, Globals.AZURE_GRAPH_API_RESOURCE_ID);
        }

        return null;
    }
    
  • 2021-01-13 05:55

    An updated answer to get access with new applications:

    1. Register your app in the app registration portal.

    2. Authorization request example:

    https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?client_id=6731de76-14a6-49ae-97bc-6eba6914391e&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&response_mode=query&scope=offline_access%20user.read%20mail.read&state=12345

    Authorization response will look like this:

    https://localhost/myapp/?code=M0ab92efe-b6fd-df08-87dc-2c6500a7f84d&state=12345

    3. Get a token

      POST /{tenant}/oauth2/v2.0/token HTTP/1.1
      Host: https://login.microsoftonline.com
      Content-Type: application/x-www-form-urlencoded

      client_id=6731de76-14a6-49ae-97bc-6eba6914391e
      &scope=user.read%20mail.read
      &code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
      &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
      &grant_type=authorization_code
      &client_secret=JqQX2PNo9bpM0uEihUPzyrh // NOTE: Only required for web apps

    4. Use the access token to call Microsoft Graph

      GET https://graph.microsoft.com/v1.0/me
      Authorization: Bearer eyJ0eXAiO ... 0X2tnSQLEANnSPHY0gKcgw
      Host: graph.microsoft.com

    Source:

    https://docs.microsoft.com/en-us/graph/auth-v2-user?context=graph/api/1.0

    You can also get an access token without a user, see here:

    https://docs.microsoft.com/en-us/graph/auth-v2-service

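The v2.0 authorization-code steps from the last answer, together with the resource mismatch described in the Postman answer, worked through as an editor's added Python example (not code from any answer on this page): the `tenant`, `client_id`, `redirect_uri`, `state` and token values are constructed placeholders, and `make_unsigned_test_token` builds an unsigned sample token purely for offline demonstration.

```python
# Added example, not from any answer above: the v2.0 authorization-code flow as
# offline request assembly, plus the audience check behind a Graph "token validation failure".
import base64
import json
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0"
# Graph accepts aud = its resource URL (v1 endpoint) or its well-known application ID
# (v2 endpoint); a token minted with resource = your own client_id is rejected.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "https://graph.microsoft.com/",
                   "00000003-0000-0000-c000-000000000000"}

def build_authorize_url(tenant, client_id, redirect_uri, scopes, state):
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "response_mode": "query",
              "scope": " ".join(scopes), "state": state}
    return AUTHORITY.format(tenant=tenant) + "/authorize?" + urlencode(params)

def parse_redirect(redirect_url, expected_state):
    """Pull the code out of the redirect; reject it if state does not match our login."""
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this login attempt")
    if "error" in qs:
        raise ValueError(qs["error"][0])
    return qs["code"][0]

def build_token_request(tenant, client_id, code, redirect_uri, scopes, client_secret=None):
    body = {"client_id": client_id, "scope": " ".join(scopes), "code": code,
            "redirect_uri": redirect_uri, "grant_type": "authorization_code"}
    if client_secret:  # only confidential (web) clients send a secret
        body["client_secret"] = client_secret
    return AUTHORITY.format(tenant=tenant) + "/token", urlencode(body)

def jwt_claims(token):  # decodes for inspection only; Graph verifies the signature itself
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def graph_auth_header(access_token):
    """Refuse to send a token to Graph unless it was issued for Graph."""
    aud = jwt_claims(access_token).get("aud")
    if aud not in GRAPH_AUDIENCES:
        raise ValueError(f"token audience {aud!r} is not Microsoft Graph")
    return {"Authorization": "Bearer " + access_token}

def make_unsigned_test_token(claims):
    """Constructed sample token (alg none, empty signature) for offline demonstration."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return enc(b'{"alg":"none","typ":"JWT"}') + "." + enc(json.dumps(claims).encode()) + "."
```

A real token from the token endpoint is a signed JWT; the audience check here is a client-side sanity check that catches the wrong-resource mistake before Graph returns 401.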