Office 365 unified API (preview) requests 401 error

问题

I'm trying to make some intersting things with Office 365 unified API (preview) and stuck on the moment with authorization. I made app with all permissions that I need

I'm trying to log in users with URL "https://login.windows.net/common/oauth2/authorize?response_type=code&client_id={CLIENT_ID}&resource=https://graph.microsoft.com/"

Evething works well.

I even can get access_token with all scopes by request to https://login.windows.net/common/oauth2/token.

BUT! I have problem, I cant get any information about user and cant get his files.

I tried to make requests like this:

I always just get HTTP status 401 Unauthorized.

What am I doing wrong?

ALSO Question about possibilities with unified API. My target is to upload large files (up to 1GB). Is it possible with unified API? I can't find anything in documentation, but I found that it is not possible with OneDrive for Business API (max file size is 100MB).

回答1:

So struggled with the exact same problem earlier today: always got 401 Unauthorized or other errors. Then I ran across this answer: Building a multi-tenant app for SharePoint Online O365

That was it: it is extremely counter-intuitive but the answer was that after getting a token for the discovery URL and performing the service discovery you need to fetch the token for each serviceResourceId you want to call. There are two hugely important points here that almost 8 hours of reading documentation do not make blatantly clear.

EVERY SERVICE RESOURCE ID HAS A DIFFERENT TOKEN

The first point is very confusing: I'm assuming its done this way because individual tenant apps are run on separate clusters and Microsoft has opted not to have a single authority service. Every single other implementation that does multi-tenant (for example, the Google Apps implementation) gives you a single token that wraps ALL your permissions into a single ball.

YOU CAN CALL THE TOKEN RETRIEVAL SERVICE MULTIPLE TIMES WITH THE SAME CODE

This is INCREDIBLY counter-intuitive (I'm using bold caps on purpose). There are simply no other OAuth2 services anywhere else on the Internet (and I've personally written code for easily 30 OAuth2 implementations) where you can call the token retrieval service multiple times with the same code and not receive an error. This goes completely against all default expectations and it is a major documentation failure that its not more clearly spelled out as a deviation from standard practice.

I'll say that again: no where else on the entire Internet can you actually use the same OAuth2 code more than once to retrieve an access token. This is something that should be called out PROMINENTLY on the documentation and simply isn't.

If you continue to have this problem you should do this with the OAuth2 code returned:

1. Get an access token token using the code and adding the request parameter "resource" = "https://api.office.com/discovery/" (the closing slash is important)
2. Call the url https://api.office.com/discovery/v2.0/me/services" using the Authorization header set to the token received in step #1. This will return a JSON object, with a value field. The value field will be an array of services that this code will return access tokens for. Each object in the value array will have a serviceResourceId property.
3. For each object you will have to get another access token using the SAME code you used in step #1 but with the resource set to the serviceResourceId.

The code from step #3 will actually grant you access to the tenant endpoint you want. 3.

回答2:

I would try changing the "Accept" header to "application/json;odata.metadata=minimal". odata.metadata=none does not appear in the list of supported MIME types for the Unified API.

The supported type(s) as returned in Fiddler 'application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false, application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=true, application/json;odata.metadata=minimal;odata.streaming=true, application/json;odata.metadata=minimal;odata.streaming=false;IEEE754Compatible=false, application/json;odata.metadata=minimal;odata.streaming=false;IEEE754Compatible=true, application/json;odata.metadata=minimal;odata.streaming=false, application/json;odata.metadata=minimal;IEEE754Compatible=false, application/json;odata.metadata=minimal;IEEE754Compatible=true, application/json;odata.metadata=minimal, application/json;odata.metadata=full;odata.streaming=true;IEEE754Compatible=false, application/json;odata.metadata=full;odata.streaming=true;IEEE754Compatible=true, application/json;odata.metadata=full;odata.streaming=true, application/json;odata.metadata=full;odata.streaming=false;IEEE754Compatible=false, application/json;odata.metadata=full;odata.streaming=false;IEEE754Compatib...' do not match any of the acceptable MIME types 'application/json; odata=verbose'

来源：https://stackoverflow.com/questions/31640963/office-365-unified-api-preview-requests-401-error