403:forbidden 使用 Microsoft Graph 从服务器端应用程序读取邮件时
403:forbidden when reading mails from server side application using Microsoft Graph
我正在开发一个服务器端应用程序来从我们的 Office 365 检索电子邮件、过滤电子邮件并将其存储在我们的数据库中而无需用户登录。如果您想查看一些详细信息, 是我之前问题的 link。
我有以下方法
@Test
public void testGetAccessTokenDeamon() throws Exception {
String tenant="f0245-fd24-r3s-be8a-7745gra60be3";
String authority = "https://login.windows.net/"+tenant+"/oauth2/authorize";
ExecutorService service=null;
service= Executors.newFixedThreadPool(1);
try{
AuthenticationContext authenticationContext= new AuthenticationContext(authority,false,service);
String certFile="/mycert.pfx";
InputStream pkcs12Cert= new SharedFileInputStream(certFile);
AsymmetricKeyCredential credential=AsymmetricKeyCredential.create("g564f4-e53c-45b7-938a-gt6445gy667",pkcs12Cert,"passwd");
Future<AuthenticationResult> future=authenticationContext.acquireToken("https://graph.microsoft.com",credential,null);
System.out.println("Token Received"+future.get().getAccessToken());
String token = future.get().getAccessToken();
HttpGet httpGet = new HttpGet("https://graph.microsoft.com/v1.0/users");
httpGet.setHeader("Authorization", "Bearer "+token);
GraphServices graphServices = new GraphServices();
ResponseEntity<String> responseEntity;
responseEntity = graphServices.getEmails(token);
//HttpClient httpClient= HttpClients.createDefault();
//HttpResponse response=httpClient.execute(httpGet);
//HttpEntity entity=response.getEntity();
}
catch (MalformedURLException e){
e.printStackTrace();
}
catch (Exception e){
e.printStackTrace();
}
}
public ResponseEntity<String> getEmails(String accessToken) throws Exception
{
logger.info("In getEmails");
RestTemplate restTemplate = new RestTemplate();
HttpHeaders headers = new HttpHeaders();
HttpEntity<String> request;
headers.setAccept(Arrays.asList(MediaType.APPLICATION_JSON));
headers.add(AuthorizationConstants.AUTHORIZATION, AuthorizationConstants.BEARER + " " + accessToken);
request = new HttpEntity<String>(headers);
ResponseEntity<String> response = restTemplate.exchange("https://graph.microsoft.com/v1.0/users/abc@microsoft.com/messages", HttpMethod.GET, request, String.class);
return response;
}
如果我尝试在 restTemplate 中使用 https://graph.microsoft.com/v1.0/users/,我将获得一个用户列表,但对于特定用户,上面的代码 returns 403。
能否请您告诉我使用哪些端点,以便我的应用程序无需用户登录即可访问个人消息?我已经为该应用授予了所有必要的权限(委托和应用权限)。
UPDATE:这是我在 运行 http://jwt.calebb.net/ 上的令牌但找不到 scp/scope 部分时所拥有的。
{
typ: "JWT",
alg: "RS256",
x5t: "xxxxx_mfg5JKHrwLBbd_4s",
kid: "xxxxx_mfg5JKHrwLBbd_4s"
}.
{
aud: "https://graph.microsoft.com",
iss: "https://sts.windows.net/f456fyu44-df44-d3t3-f342-66423er4323/",
iat: 1473280446,
nbf: 1473280446,
exp: 1473284346,
appid: "4fw423gh-er423-45b7-zd32-3fwer2343szd",
appidacr: "2",
e_exp: 10800,
idp: "https://sts.windows.net/g0412253-aeb2-4a8a-ju76-8736272a3u7e3/",
oid: "33dd3455-0195-4708-rt44-34552321ds32d2",
sub: "33dd3455-0195-4708-813d-34552321ds32d2",
tid: "33dd3455-ae23-r456-be8a-7737cf4321d2e3",
ver: "1.0"
}.
[signature]
这是我为该应用授予的权限(目前所有权限)。
Microsoft Graph - 应用程序权限:18 - 委托权限:40
Windows Azure Active Directory - 应用程序权限:4 - 委派权限:8
Office 365 Exchange Online - 应用程序权限:9- 委派权限:30
I've already gave the app all permissions (delegate and app permissions) that are necessary.
情况可能并非如此:)。通常 403 forbidden 意味着您的令牌不具有您正在调用的 API 所需的范围(在 scp 声明中)。找出答案的简单方法:在调试器中获取令牌(它是一个很大的长 base64 字符串),然后转到 http://jwt.calebb.net/ 并将其粘贴进去。您会看到它已解码为 JSON 网络令牌.查找 roles 声明:
roles: [
"Calendars.Read",
"Mail.Read",
"Contacts.Read"
],
如果您没有 Mail.Read 或 Mail.ReadWrite,则您没有配置必要的权限。
我正在开发一个服务器端应用程序来从我们的 Office 365 检索电子邮件、过滤电子邮件并将其存储在我们的数据库中而无需用户登录。如果您想查看一些详细信息,
我有以下方法
@Test
public void testGetAccessTokenDeamon() throws Exception {
String tenant="f0245-fd24-r3s-be8a-7745gra60be3";
String authority = "https://login.windows.net/"+tenant+"/oauth2/authorize";
ExecutorService service=null;
service= Executors.newFixedThreadPool(1);
try{
AuthenticationContext authenticationContext= new AuthenticationContext(authority,false,service);
String certFile="/mycert.pfx";
InputStream pkcs12Cert= new SharedFileInputStream(certFile);
AsymmetricKeyCredential credential=AsymmetricKeyCredential.create("g564f4-e53c-45b7-938a-gt6445gy667",pkcs12Cert,"passwd");
Future<AuthenticationResult> future=authenticationContext.acquireToken("https://graph.microsoft.com",credential,null);
System.out.println("Token Received"+future.get().getAccessToken());
String token = future.get().getAccessToken();
HttpGet httpGet = new HttpGet("https://graph.microsoft.com/v1.0/users");
httpGet.setHeader("Authorization", "Bearer "+token);
GraphServices graphServices = new GraphServices();
ResponseEntity<String> responseEntity;
responseEntity = graphServices.getEmails(token);
//HttpClient httpClient= HttpClients.createDefault();
//HttpResponse response=httpClient.execute(httpGet);
//HttpEntity entity=response.getEntity();
}
catch (MalformedURLException e){
e.printStackTrace();
}
catch (Exception e){
e.printStackTrace();
}
}
public ResponseEntity<String> getEmails(String accessToken) throws Exception
{
logger.info("In getEmails");
RestTemplate restTemplate = new RestTemplate();
HttpHeaders headers = new HttpHeaders();
HttpEntity<String> request;
headers.setAccept(Arrays.asList(MediaType.APPLICATION_JSON));
headers.add(AuthorizationConstants.AUTHORIZATION, AuthorizationConstants.BEARER + " " + accessToken);
request = new HttpEntity<String>(headers);
ResponseEntity<String> response = restTemplate.exchange("https://graph.microsoft.com/v1.0/users/abc@microsoft.com/messages", HttpMethod.GET, request, String.class);
return response;
}
如果我尝试在 restTemplate 中使用 https://graph.microsoft.com/v1.0/users/,我将获得一个用户列表,但对于特定用户,上面的代码 returns 403。
能否请您告诉我使用哪些端点,以便我的应用程序无需用户登录即可访问个人消息?我已经为该应用授予了所有必要的权限(委托和应用权限)。
UPDATE:这是我在 运行 http://jwt.calebb.net/ 上的令牌但找不到 scp/scope 部分时所拥有的。
{
typ: "JWT",
alg: "RS256",
x5t: "xxxxx_mfg5JKHrwLBbd_4s",
kid: "xxxxx_mfg5JKHrwLBbd_4s"
}.
{
aud: "https://graph.microsoft.com",
iss: "https://sts.windows.net/f456fyu44-df44-d3t3-f342-66423er4323/",
iat: 1473280446,
nbf: 1473280446,
exp: 1473284346,
appid: "4fw423gh-er423-45b7-zd32-3fwer2343szd",
appidacr: "2",
e_exp: 10800,
idp: "https://sts.windows.net/g0412253-aeb2-4a8a-ju76-8736272a3u7e3/",
oid: "33dd3455-0195-4708-rt44-34552321ds32d2",
sub: "33dd3455-0195-4708-813d-34552321ds32d2",
tid: "33dd3455-ae23-r456-be8a-7737cf4321d2e3",
ver: "1.0"
}.
[signature]
这是我为该应用授予的权限(目前所有权限)。
Microsoft Graph - 应用程序权限:18 - 委托权限:40 Windows Azure Active Directory - 应用程序权限:4 - 委派权限:8 Office 365 Exchange Online - 应用程序权限:9- 委派权限:30
I've already gave the app all permissions (delegate and app permissions) that are necessary.
情况可能并非如此:)。通常 403 forbidden 意味着您的令牌不具有您正在调用的 API 所需的范围(在 scp 声明中)。找出答案的简单方法:在调试器中获取令牌(它是一个很大的长 base64 字符串),然后转到 http://jwt.calebb.net/ 并将其粘贴进去。您会看到它已解码为 JSON 网络令牌.查找 roles 声明:
roles: [
"Calendars.Read",
"Mail.Read",
"Contacts.Read"
],
如果您没有 Mail.Read 或 Mail.ReadWrite,则您没有配置必要的权限。