Different scopes than I requested with requests_oauthlib in Microsoft Graph

I am writing a Python script to use the Microsoft Graph API service with the requests_oauthlib library. I am able to successfully create an OAuth 2.0 session, obtain the authorization URL, open it in an internet browser window to authenticate, and then I am redirected to the redirect URL that I specified earlier when I registered my application in the Azure portal (https://portal.azure.com). Then I copy the full redirect URL to paste into my application. At that point, my app reads the URL that I pasted and exchanges the authentication code that is embedded in the URL for an OAuth authentication token that is perfectly valid. To make sure, I check it in https://jwt.ms, and it is perfect except for the granted scopes. Those scopes do not match the scopes I requested in the OAuth session.

Script code

# details from the library can be found at https://pypi.org/project/requests-oauthlib/
from requests_oauthlib import OAuth2Session

# placeholders: fill in the values from the Azure Portal app registration
client_id = "<the client id from the Azure Portal when I registered my app>"
client_secret = "<the client secret I got from the Azure Portal>"
redirect_uri = "<the redirect_uri that I specified in the Azure Portal>"
authorization_base_url = 'https://login.microsoftonline.com/<my tenant code>/oauth2/v2.0/authorize'
token_url = 'https://login.microsoftonline.com/<my tenant code>/oauth2/v2.0/token'
scopes = ["https://graph.microsoft.com/User.Read", "https://graph.microsoft.com/offline_access"]

# OAuth2.0 Authentication
msgraph = OAuth2Session(client_id, scope=scopes, redirect_uri=redirect_uri)  # creates an OAuth 2.0 session object

# Redirect user to Microsoft for authorization
# offline for refresh token
# force the user to always pick an account and click authorize
authorization_url, state = msgraph.authorization_url(authorization_base_url, access_type="offline", prompt="select_account")

print('Please go here and authorize,', authorization_url)  # user needs to open this URL, authenticate and copy the URL they are redirected to

# Get the authorization code from the callback url
redirect_response = input('Paste the full redirect URL here: ')  # the user has to paste the URL with the authorization code provided after authenticating
print('redirect_response: ', redirect_response)

# Fetches the access token AFTER the authorization code was obtained in the previous step
token = msgraph.fetch_token(token_url, client_secret=client_secret, authorization_response=redirect_response)  # gets the access token
print('token: ', token)

But I receive the following warning message:

Warning: Scope has changed from "https://graph.microsoft.com/User.Read https://graph.microsoft.com/offline_access" to "profile https://graph.microsoft.com/User.Read openid email".

API permissions in the Azure portal

Microsoft Graph (2): Files.ReadWrite.All, offline_access

As you can see from the Azure permissions above, the permissions (scopes) in the Azure portal are exactly the same as the scopes I requested, so my question is: where do these 'openid' and 'email' scopes come from? I have been able to get past the warning message, but I cannot request the permissions I need. I even created a brand new application in the Azure portal, but I run into the same problem. Is there a problem with the requests_oauthlib library, or am I doing something wrong?

Thanks

When requesting scopes you don't need the fully qualified domain name (FQDN) for Graph scopes (it is the default), and you should not use it for non-Graph scopes (openid, profile, email and offline_access are OpenID/AAD scopes, not Graph scopes).

scopes = ["User.Read", "offline_access"]
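As an added illustration (not code from the question or the answer), the helpers below normalise v2.0 scope strings the way the answer describes and reproduce the requested-versus-granted comparison that is behind the "Scope has changed" warning, so you can see exactly which scopes the token is missing or carries in excess before using it. The scope values are taken from the warning in the question; the function names are my own.

```python
# Added example: normalise Microsoft identity platform v2.0 scope strings and
# compare what was requested with what the token endpoint reported.

GRAPH_RESOURCE = "https://graph.microsoft.com/"
# OpenID Connect scopes are handled by the identity platform itself, not by
# Graph, so they must never carry the Graph resource prefix.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}


def normalize_scope(scope):
    """Short form of one scope: Graph scopes lose the resource prefix
    (Graph is the default resource); anything else is returned unchanged."""
    if scope.startswith(GRAPH_RESOURCE):
        scope = scope[len(GRAPH_RESOURCE):]
    return scope


def build_scope_list(wanted):
    """List to pass to OAuth2Session(scope=...): short Graph names plus bare
    OIDC scopes, in the order given, without duplicates."""
    result = []
    for s in wanted:
        short = normalize_scope(s)
        if short not in result:
            result.append(short)
    return result


def scope_diff(requested, granted):
    """Compare requested scopes with the space-separated scope string the token
    endpoint returned. Returns (missing, unexpected) as sorted lists."""
    req = {normalize_scope(s) for s in requested}
    got = {normalize_scope(s) for s in granted.split()}
    return sorted(req - got), sorted(got - req)


def token_is_least_privilege(requested, granted, tolerated=OIDC_SCOPES):
    """True when every requested scope was granted and the token carries nothing
    extra beyond the OIDC identity scopes the platform adds on its own."""
    missing, unexpected = scope_diff(requested, granted)
    return not missing and set(unexpected) <= tolerated


if __name__ == "__main__":
    # Values taken from the warning shown in the question.
    requested = ["https://graph.microsoft.com/User.Read",
                 "https://graph.microsoft.com/offline_access"]
    granted = "profile https://graph.microsoft.com/User.Read openid email"
    print(build_scope_list(requested))      # ['User.Read', 'offline_access']
    print(scope_diff(requested, granted))   # (['offline_access'], ['email', 'openid', 'profile'])
    print(token_is_least_privilege(requested, granted))  # False: offline_access was not granted
```

The diff makes the failure mode concrete: the prefixed offline_access was silently dropped, so the token carries no refresh capability, while openid, profile and email were added by the platform.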