Microsoft Graph API 委派权限
Microsoft Graph API delegated permission
我想代表用户使用 Graph API 授权我的应用程序(python 脚本)。我使用 this document 作为参考。
关注:
我想在 python 完成。我是否有可能使用请求模块并请求授权码。这将自动打开浏览器,用户将被要求输入凭据,一旦 he/she 通过身份验证,脚本将自动接收授权代码。然后我将使用脚本中的授权代码来获取访问令牌。
谢谢。
是的,这绝对有可能。我在 GitHub sample here.
中执行这些步骤
一些相关的代码片段:
authentication.py
# External Python Libraries Used:
import requests
# Our Python Functions:
import appconfig as g
# Create headers for REST queries. Used for both ARM and AAD Graph API queries.
def create_headers(access_token):
return {
'Authorization': 'Bearer ' + access_token,
'Accept': 'application/json',
'Content-Type': 'application/json'
}
### Start of Authorization Code Grant Flow Authentication
# Note for the Authorization Code Grant Flow, we use the 'common' endpoint by default, rather than specifying a tenant.
# Generate AAD Login URL
def login_url(state, redirect_uri, tenant_id='common'):
params = {
'url': g.aad_endpoint + tenant_id + '/oauth2/authorize',
'response_type': 'code',
'client_id': g.clientId,
'redirect_uri': redirect_uri,
'state': state
}
# You can add additional querystrings here if you want to do things like force login or prompt for consent
login_url = '%(url)s?response_type=%(response_type)s&client_id=%(client_id)s&redirect_uri=%(redirect_uri)s&state=%(state)s' %params
# Return URL
return login_url
# Get Access Token using Authorization Code
def get_access_token_code(code, redirect_uri, resource, tenant_id='common'):
payload = {
'client_id': g.clientId,
'code': code,
'grant_type': 'authorization_code',
'redirect_uri': redirect_uri,
'resource': resource,
'client_secret': g.clientSecret
}
token_endpoint = g.aad_endpoint + tenant_id + '/oauth2/token'
r = requests.post(token_endpoint, data=payload)
# Return raw Access Token
return r.json()['access_token']
### End of Authorization Code Grant Flow Authentication
### Start of Client Credential Flow Authentication
# Note that we need to specify Tenant ID for these App Only Tokens. If you use the 'common' endpoint, it will choose the tenant where the app is registered.
def get_access_token_app(resource, tenant_id):
payload = {
'client_id': g.clientId,
'grant_type': 'client_credentials',
'resource': resource,
'client_secret': g.clientSecret
}
token_endpoint = g.aad_endpoint + tenant_id + '/oauth2/token'
r = requests.post(token_endpoint, data=payload)
# Return raw Access Token
return r.json()['access_token']
views.py
# Login Page for both Customer and Partner
@app.route('/<string:user_type>/login', methods = ['POST', 'GET'])
def login(user_type):
# Check if there is already a token in the session
if ('access_token_arm' in session) and ('access_token_graph' in session):
return redirect(url_for(user_type))
# Use State Parameter to help mitigate XSRF attacks
guid = uuid.uuid4()
session['state'] = guid
# Need to send the full Redirect URI, so we use _external to add root domain
redirect_uri = login_url(session['state'], url_for('authorized', user_type=user_type, _external=True))
return redirect(redirect_uri, code=301)
# Logout page which scrubs all the session data.
@app.route('/logout', methods = ['POST', 'GET'])
def logout():
session.clear()
return redirect(url_for('index'))
# Recieve the Authorization Code, and exchange it for Access Tokens to both ARM and AAD Graph API
@app.route('/<string:user_type>/login/authorized')
def authorized(user_type):
#Capture code in the URL
code = request.args['code']
# Check that the state variable was not touched
if str(session['state']) != str(request.args['state']):
raise Exception('State has been messed with, end authentication')
redirect_uri = url_for('authorized', user_type=user_type, _external=True)
session['access_token_arm'] = get_access_token_code(code, redirect_uri, g.resource_arm)
session['access_token_graph'] = get_access_token_code(code, redirect_uri, g.resource_graph)
# Return user to their appropriate landing page
return redirect(url_for(user_type))
graph.py
# Get tenant details for the signed in user. We only return Tenant Display Name and Tenant ID, but more information can be accessed if necessary.
def get_tenant_details(access_token):
headers = create_headers(access_token)
params = {
'url': g.resource_graph,
'api_version': g.api_version_graph
}
# Note we are using the "myorganization" endpoint, which figures out tenant information from the claims in the access token
tenant_details_url = '%(url)s/myorganization/tenantDetails?api-version=%(api_version)s' %params
r = requests.get(tenant_details_url, headers=headers)
#Return Tenant Display Name String and Tenant ID GUID
return r.json()['value'][0]['displayName'], r.json()['value'][0]['objectId']
# Get user details for the signed in user. We only return the User Principal Name (username) of the user, but more information can be accessed if necessary.
def get_user_details(access_token):
headers = create_headers(access_token)
params = {
'url': g.resource_graph,
'api_version': g.api_version_graph
}
# Note we are using the "me" endpoint, which figures out tenant and user information from the claims in the access token
user_details_url = '%(url)s/me?api-version=%(api_version)s' %params
r = requests.get(user_details_url, headers=headers)
# Return Username String for user.
return r.json()['userPrincipalName']
我想代表用户使用 Graph API 授权我的应用程序(python 脚本)。我使用 this document 作为参考。
关注: 我想在 python 完成。我是否有可能使用请求模块并请求授权码。这将自动打开浏览器,用户将被要求输入凭据,一旦 he/she 通过身份验证,脚本将自动接收授权代码。然后我将使用脚本中的授权代码来获取访问令牌。
谢谢。
是的,这绝对有可能。我在 GitHub sample here.
中执行这些步骤一些相关的代码片段:
authentication.py
# External Python Libraries Used:
import requests
# Our Python Functions:
import appconfig as g
# Create headers for REST queries. Used for both ARM and AAD Graph API queries.
def create_headers(access_token):
return {
'Authorization': 'Bearer ' + access_token,
'Accept': 'application/json',
'Content-Type': 'application/json'
}
### Start of Authorization Code Grant Flow Authentication
# Note for the Authorization Code Grant Flow, we use the 'common' endpoint by default, rather than specifying a tenant.
# Generate AAD Login URL
def login_url(state, redirect_uri, tenant_id='common'):
params = {
'url': g.aad_endpoint + tenant_id + '/oauth2/authorize',
'response_type': 'code',
'client_id': g.clientId,
'redirect_uri': redirect_uri,
'state': state
}
# You can add additional querystrings here if you want to do things like force login or prompt for consent
login_url = '%(url)s?response_type=%(response_type)s&client_id=%(client_id)s&redirect_uri=%(redirect_uri)s&state=%(state)s' %params
# Return URL
return login_url
# Get Access Token using Authorization Code
def get_access_token_code(code, redirect_uri, resource, tenant_id='common'):
payload = {
'client_id': g.clientId,
'code': code,
'grant_type': 'authorization_code',
'redirect_uri': redirect_uri,
'resource': resource,
'client_secret': g.clientSecret
}
token_endpoint = g.aad_endpoint + tenant_id + '/oauth2/token'
r = requests.post(token_endpoint, data=payload)
# Return raw Access Token
return r.json()['access_token']
### End of Authorization Code Grant Flow Authentication
### Start of Client Credential Flow Authentication
# Note that we need to specify Tenant ID for these App Only Tokens. If you use the 'common' endpoint, it will choose the tenant where the app is registered.
def get_access_token_app(resource, tenant_id):
payload = {
'client_id': g.clientId,
'grant_type': 'client_credentials',
'resource': resource,
'client_secret': g.clientSecret
}
token_endpoint = g.aad_endpoint + tenant_id + '/oauth2/token'
r = requests.post(token_endpoint, data=payload)
# Return raw Access Token
return r.json()['access_token']
views.py
# Login Page for both Customer and Partner
@app.route('/<string:user_type>/login', methods = ['POST', 'GET'])
def login(user_type):
# Check if there is already a token in the session
if ('access_token_arm' in session) and ('access_token_graph' in session):
return redirect(url_for(user_type))
# Use State Parameter to help mitigate XSRF attacks
guid = uuid.uuid4()
session['state'] = guid
# Need to send the full Redirect URI, so we use _external to add root domain
redirect_uri = login_url(session['state'], url_for('authorized', user_type=user_type, _external=True))
return redirect(redirect_uri, code=301)
# Logout page which scrubs all the session data.
@app.route('/logout', methods = ['POST', 'GET'])
def logout():
session.clear()
return redirect(url_for('index'))
# Recieve the Authorization Code, and exchange it for Access Tokens to both ARM and AAD Graph API
@app.route('/<string:user_type>/login/authorized')
def authorized(user_type):
#Capture code in the URL
code = request.args['code']
# Check that the state variable was not touched
if str(session['state']) != str(request.args['state']):
raise Exception('State has been messed with, end authentication')
redirect_uri = url_for('authorized', user_type=user_type, _external=True)
session['access_token_arm'] = get_access_token_code(code, redirect_uri, g.resource_arm)
session['access_token_graph'] = get_access_token_code(code, redirect_uri, g.resource_graph)
# Return user to their appropriate landing page
return redirect(url_for(user_type))
graph.py
# Get tenant details for the signed in user. We only return Tenant Display Name and Tenant ID, but more information can be accessed if necessary.
def get_tenant_details(access_token):
headers = create_headers(access_token)
params = {
'url': g.resource_graph,
'api_version': g.api_version_graph
}
# Note we are using the "myorganization" endpoint, which figures out tenant information from the claims in the access token
tenant_details_url = '%(url)s/myorganization/tenantDetails?api-version=%(api_version)s' %params
r = requests.get(tenant_details_url, headers=headers)
#Return Tenant Display Name String and Tenant ID GUID
return r.json()['value'][0]['displayName'], r.json()['value'][0]['objectId']
# Get user details for the signed in user. We only return the User Principal Name (username) of the user, but more information can be accessed if necessary.
def get_user_details(access_token):
headers = create_headers(access_token)
params = {
'url': g.resource_graph,
'api_version': g.api_version_graph
}
# Note we are using the "me" endpoint, which figures out tenant and user information from the claims in the access token
user_details_url = '%(url)s/me?api-version=%(api_version)s' %params
r = requests.get(user_details_url, headers=headers)
# Return Username String for user.
return r.json()['userPrincipalName']