发表新帖
发表新帖

Microsoft Graph Authentication

前端 未结
关注
3 1278
天命终不由人
天命终不由人 2021-01-23 16:57

I’m building an application in Python which can retrieve data from Azure AD. This data can require either Application permissions or Delegated permissions. I had a success retri

相关标签:
3条回答
  • 有刺的猬
    2021-01-23 17:23

    Yes, this is possible - but keep in mind that there are two Azure AD endpoints for application registration!

    Try registering an application on the AAD V2.0 endpoint (apps.dev.microsoft.com), and then use a 'password' grant_type in your request.

    Here are the steps you need:

    • Register your app on the AAD v2.0 endpoint, and generate a password (take note of this)
    • Assign your required permissions (in this case, delegated)
    • As a callback URL I'd suggest using postman's Oauth2 callback URL first so you can debug what you're doing: https://www.getpostman.com/oauth2/callback
    • Important! If any of those permissions require admin consent, you MUST consent to them first to make the app available. This requires the admin user to sign in once.

    Once consent has been given, here's a what your request needs to get a bearer token as a prototype:

        POST https://login.microsoftonline.com/common/oauth2/token
    Request body (application/x-www-form-urlencoded): 
    grant_type=[password]
    username=[user email address]
    password=[user password]
    resource=https://graph.microsoft.com
    client_id=[your newly registered application ID] 
    client_secret=[application password you noted during registration]

    If successful, you'll get the bearer & refresh token as a response.

    Hope this helps,

    Ben

    0 讨论(0)
  • 离开以前
    2021-01-23 17:29

    You need an Azure AD application to be able to authenticate with Graph API. A native Azure AD app and the flow and considerations described here work for ADAL.net. I use it to provision Microsoft Teams unattended: http://www.cloudidentity.com/blog/2014/07/08/using-adal-net-to-authenticate-users-via-usernamepassword/

    I guess for Python you should have a look at ADAL for Python: https://github.com/introp-software/azure-activedirectory-library-for-python-old/blob/master/README.md

    I think that the username/password auth is only possible with a native Azure AD app and not the web/web api types.

    0 讨论(0)
  • 生来不讨喜
    2021-01-23 17:34

    Assuming you have registered and configured (api permissions) your azure app and you have copied the apps "client id" and "client secret" you can define a class that holds your session. The following code works for my app:

    import json
import requests
from requests_oauthlib import OAuth2Session
from oauthlib.oauth2 import BackendApplicationClient


class SharepointSession(object):
    """ Base Class without credentials, use real credentials in derived Classes
    or instances
    """
    api_uri = "https://graph.microsoft.com"
    api_version = "v1.0"
    scope = ["https://graph.microsoft.com/.default"]
    directory_id = ""  # - tenant id
    token_url = "https://login.microsoftonline.com/{}/oauth2/v2.0/token"
    sites_url = "{}/{}/sites".format(api_uri, api_version)
    site = document_name = app_name = client_id = client_secret = ""
    site_id = None
    doc_id = None

    def __init__(self):
        """  """

    def getTokenizedSession(self):
        """
        OAuth2 to get access token
        First set up a backend client, mind to set grant_type
        build a OAuth2 Session with the client
        get access token

        Mind: python 3.x oauthlib requires scope params on more calls than py 2.x
        """
        client = BackendApplicationClient(
            client_id=self.client_id, scope=self.scope, grant_type="client_credentials")

        session = OAuth2Session(client=client, scope=self.scope)
        # fill access token
        token = session.fetch_token(token_url=self.token_url.format(self.directory_id),
                                    client_id=self.client_id,
                                    scope=self.scope,
                                    client_secret=self.client_secret)
        self.session = session
        self.token = token
        return session, token

    def getSiteId(self):
        # get the site id
        ae = "{}/myonline.sharepoint.com:/sites/{}:".format(
            self.sites_url, self.site)
        rt = self.session.get(ae)
        response = json.loads(rt.text)
        self.site_id = response.get("id")
        return self.site_id

    def someOtherMethod(self):
        """         ...             """

    Now you can instantiate the session class with the credentials copied from your azure app registration i.e. "directory id" (same as tenant id), "client id" and "client secret" like this:

    mysp_session = SharepointSession()
mysp_session.directory_id = "XXXXXXXX-XXXX-YYYY-ZZZZ-XXXXXXXXX"
mysp_session.site = "MySitename"
mysp_session.document_name = "Testlist"
mysp_session.client_id = r"xxxxxxxxxxxxxxxxxxxxxxx"
mysp_session.client_secret = r"xxxxxxxxxxxxxxxxxxxxxxx"

# connect 
session, token = mysp_session.getTokenizedSession()

# do your business logic
mysp_session.getSiteId()
....
mysp_session.someOtherMethod()

    hope that helps

    0 讨论(0)
 看不清?
提交回复
热议问题