Azure Active Directory, SharePoint & Graph API

て烟熏妆下的殇ゞ submitted on 2019-12-11 08:14:46

Question


I am in a bit of confusion about how to get a bearer token that will work for SharePoint sites as well as the Graph API.

We are using MFA (multi-factor authentication), so we get a text message when the user tries to log in. This all works and we get a token back, but the resource I am pointing to is https://srmukdev.sharepoint.com/. How can we use this token to access the https://graph.microsoft.com/ API?

At the moment it doesn't work. I can make separate login requests, but we don't want to do this, as it's required to access both parts with the same token. Is there a method that can translate one token to another? Something that works, at least?

You can see the current difference is the ResourceUrl.

The SharePoint API details I use:

<add key="ida:AADInstance" value="https://login.microsoftonline.com/{0}" />
<add key="ida:Tenant" value="srmukdev.onmicrosoft.com" />
<add key="ida:ApplicationId" value="000000-0000-0000-0000-0000000" />
<add key="ida:RedirectUri" value="http://someuri/" />
<add key="ida.ResourceUrl" value="https://srmukdev.sharepoint.com/" />

The Graph API details I use:

<add key="ida:AADInstance" value="https://login.microsoftonline.com/{0}" />
<add key="ida:Tenant" value="srmukdev.onmicrosoft.com" />
<add key="ida:ApplicationId" value="000000-0000-0000-0000-0000000" />
<add key="ida:RedirectUri" value="http://someuri/" />
<add key="ida.ResourceUrl" value="https://graph.microsoft.com/" />

Many thanks.


Answer 1:


Let's start by saying that you cannot get a token which will work for both the Microsoft Graph API and the SharePoint API directly. Tokens are created with specific audiences, and as a part of token validation by the Web API, they will check that the audience of the token matches their unique identifier.

I think one possible solution here is to realize that the Microsoft Graph token already gives you access to the SharePoint API. See the documentation here. You should be able to get a token for just the Microsoft Graph, and then use the Microsoft Graph specific endpoints to get data from your SharePoint. This is one of the problems the Microsoft Graph is trying to solve. A single endpoint and token to access all of your Microsoft data.

Another solution is to use the authorization code you receive to request two tokens to the two different endpoints. Depending on what libraries you are using, and the specific flow you are following, this may be harder than not to accomplish, but in general, the authorization code grant flow is used to sign in a user. After the user is redirected to the Microsoft Login Page, and then successfully signs in, your service receives an authorization code, which it then exchanges for an access token using the Token Endpoint. This authorization code can be used to get an access token for any resource the client has been configured to call, so you can call the token endpoint twice, with two different resource values, and get back two access tokens. I do this in one of my Python/Flask samples.

Finally, assuming you got back an access token and refresh token for a particular resource, you could then use the refresh token to get a token for a different resource the app has been authorized for.

The refresh token issued by Azure AD can be used to access multiple resources. For example, if you have a client application that has permission to call two web APIs, the refresh token can be used to get an access token to the other web API as well.

See here for a look at how to do this.
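The two-request pattern described above, as an added example in Python (not code from the question, the answer, or the linked samples): one authorization code is redeemed for the first resource, and the refresh token Azure AD returns is then exchanged for a token to the second resource at the v1 token endpoint, with each token's audience checked before use. The HTTP call is injected so the flow runs offline against a constructed fake endpoint; the tenant, client id and redirect URI are the placeholders from the question.

```python
# Added example (not code from the question or the answer): the two-token
# pattern from the answer. A real client would pass a transport such as
# lambda u, f: requests.post(u, data=f).json() instead of the fake below.
import base64
import json
from typing import Callable, Dict, List

TENANT = "srmukdev.onmicrosoft.com"          # tenant from the question
CLIENT_ID = "000000-0000-0000-0000-0000000"  # placeholder id from the question
REDIRECT_URI = "http://someuri/"
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/token"
Transport = Callable[[str, Dict[str, str]], Dict[str, str]]

def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def jwt_audience(access_token: str) -> str:
    """Read the 'aud' claim of a JWT. No signature check: this is a client-side
    diagnostic; the resource API performs the real validation."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))["aud"]

def tokens_for_resources(code: str, resources: List[str], post: Transport) -> Dict[str, str]:
    """Redeem one authorization code for the first resource, then use the
    refresh token for every further resource. Returns {resource: access_token}."""
    form = {"grant_type": "authorization_code", "code": code,
            "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI}
    tokens: Dict[str, str] = {}
    for resource in resources:
        reply = post(TOKEN_URL, {**form, "resource": resource})
        token = reply["access_token"]
        # A token minted for one audience is rejected by the other API, so
        # confirm the audience before caching the token for that resource.
        if jwt_audience(token).rstrip("/") != resource.rstrip("/"):
            raise ValueError(f"audience {jwt_audience(token)!r} does not match {resource!r}")
        tokens[resource] = token
        # The refresh token is bound to the client, not to one resource, so it
        # can be exchanged for a token to any other API the client may call.
        form = {"grant_type": "refresh_token", "client_id": CLIENT_ID,
                "refresh_token": reply["refresh_token"]}
    return tokens

def fake_azure_ad(url: str, form: Dict[str, str]) -> Dict[str, str]:
    """Constructed stand-in for the token endpoint: mints an unsigned token whose
    'aud' is the requested resource, which is what the real (signed) one does."""
    assert url == TOKEN_URL and form["client_id"] == CLIENT_ID
    assert form["grant_type"] in ("authorization_code", "refresh_token")
    token = f"{_b64url({'alg': 'none'})}.{_b64url({'aud': form['resource']})}."
    return {"access_token": token, "refresh_token": "fake-refresh-token"}
```

Calling `tokens_for_resources("code", [sharepoint_url, graph_url], fake_azure_ad)` returns one token per resource, and a token whose audience does not match the requested resource is rejected rather than sent to the wrong API.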



Source: https://stackoverflow.com/questions/45544892/azure-active-directory-sharepoint-graph-api
