Get access token to EWS and User.Read.All
I am trying to get an access token for the following scopes: "https://outlook.office.com/EWS.AccessAsUser.All", "User.Read.All".
- If I use the following URL to get the authorization code:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?scope=https%3A%2F%2Foutlook.office.com%2FEWS.AccessAsUser.All+User.Read.All&client_id=AAA...ZZZ&redirect_uri=http%3A%2F%2Flocalhost%3A9999&response_type=code
the access token response is:
{
  'scope': 'https://outlook.office.com/EWS.AccessAsUser.All https://outlook.office.com/User.Read https://outlook.office.com/User.Read.All',
  'ext_expires_in': 3599,
  'expires_in': 3599,
  'token_type': 'Bearer',
  'access_token': '123...zzz'
}
Note the scopes in the response.
This access token works for EWS requests without any error. But a request to the MS Graph API returns:
{
  "error": {
    "code": "InvalidAuthenticationToken",
    "innerError": {
      "date": "2020-02-15T19:45:50",
      "request-id": "4542b743-05e1-4555-b612-e0419c3b624b"
    },
    "message": "Access token validation failure. Invalid audience."
  }
}
- If I use the following URL to get the authorization code:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?redirect_uri=http%3A%2F%2Flocalhost%3A9999&client_id=AAA...ZZZ&scope=User.Read.All+https%3A%2F%2Foutlook.office.com%2FEWS.AccessAsUser.All&response_type=code
the access token response is:
{
  'scope': 'EWS.AccessAsUser.All User.Read User.Read.All profile openid email',
  'ext_expires_in': 3599,
  'access_token': '0123...zzz',
  'token_type': 'Bearer',
  'expires_in': 3599
}
Again, note the scopes in the response.
This access token works for MS Graph requests without any error. But EWS requests return an error:
Error: Microsoft.Exchange.WebServices.Data.ServiceRequestException: The request failed. The remote server returned an error: (401) Unauthorized. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
at System.Net.HttpWebRequest.GetResponse()
- MSAL does not work in this case either.
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// _appId and _tenantId are fields set elsewhere in the application
var pcaOptions = new PublicClientApplicationOptions
{
    ClientId = _appId,
    TenantId = _tenantId
};
var pca = PublicClientApplicationBuilder.CreateWithApplicationOptions(pcaOptions).Build();
// Scopes for two different resources (Graph and EWS) requested together
var ewsScopes = new string[] { "User.Read.All", "https://outlook.office.com/EWS.AccessAsUser.All" };
var authResult = await pca.AcquireTokenInteractive(ewsScopes).ExecuteAsync();
foreach (var s in authResult.Scopes)
{
    Console.WriteLine($"Scope: {s}");
}
If https://outlook.office.com/EWS.AccessAsUser.All is in the scope list, the access token works for EWS requests. A request to MS Graph returns an error:
Error: Status Code: Unauthorized
Microsoft.Graph.ServiceException: Code: InvalidAuthenticationToken
Message: Access token validation failure. Invalid audience.
Based on the information you provided, you want to request an access token to call both Microsoft Graph and the Outlook REST API, and you are requesting access tokens for both APIs in a single request. But we cannot do that, because none of the authentication flows Microsoft provides allow multiple resources/scopes when you request a token. In other words, one request can obtain an access token for either Microsoft Graph or the Outlook REST API. For details, please refer to Accessing Multiple resources in a single authorization request.
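The errors in the question are the audience restriction working as designed: a bearer token is minted for one resource (the `aud` claim), and Graph rejects an Outlook-audience token with "Invalid audience" just as EWS rejects a Graph-audience token with 401. The practical fix is to acquire one token per resource. The following is an added example, not code from the question or the answer above, showing that pattern with MSAL.NET (the Microsoft.Identity.Client package): an interactive sign-in scoped to Microsoft Graph, then a silent acquisition for EWS against the same account (MSAL reuses the cached refresh token, so normally no second prompt appears), plus a local check of each token's `aud` claim before the token is handed to its API. The client ID placeholder `AAA...ZZZ`, the `common` tenant and the `http://localhost` loopback redirect URI are assumptions; substitute your own app registration.

```csharp
using System;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example: one access token per resource (Graph and EWS), not a single token for both.
public static class TwoResourceTokens
{
    // Assumed values: replace with your own app registration.
    private const string ClientId = "AAA...ZZZ";
    private const string TenantId = "common";

    // Each scope list names exactly one resource.
    private static readonly string[] GraphScopes = { "User.Read.All" };
    private static readonly string[] EwsScopes = { "https://outlook.office.com/EWS.AccessAsUser.All" };

    public static async Task Main()
    {
        IPublicClientApplication pca = PublicClientApplicationBuilder
            .Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .WithRedirectUri("http://localhost") // assumed: loopback redirect registered on the app
            .Build();

        // 1. Interactive sign-in, scoped to a single resource (Microsoft Graph).
        AuthenticationResult graph = await pca.AcquireTokenInteractive(GraphScopes).ExecuteAsync();

        // 2. Token for the second resource (EWS) for the same signed-in account.
        //    Silent first: MSAL exchanges the cached refresh token for an EWS-audience token.
        AuthenticationResult ews;
        try
        {
            ews = await pca.AcquireTokenSilent(EwsScopes, graph.Account).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            // e.g. consent for the EWS scope not granted yet: prompt for EWS only.
            ews = await pca.AcquireTokenInteractive(EwsScopes).WithAccount(graph.Account).ExecuteAsync();
        }

        // 3. Confirm each token is for the API you are about to call.
        Console.WriteLine($"Graph token aud: {GetAudience(graph.AccessToken)} scopes: {string.Join(' ', graph.Scopes)}");
        Console.WriteLine($"EWS token aud:   {GetAudience(ews.AccessToken)} scopes: {string.Join(' ', ews.Scopes)}");
        // Use graph.AccessToken only against Graph and ews.AccessToken only against EWS.
    }

    // Reads the 'aud' claim from a JWT payload WITHOUT validating the signature.
    // Debugging aid only: the resource server, not the client, validates the token.
    public static string GetAudience(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) return "(not a JWT)";

        // base64url -> base64 with padding
        string payload = parts[1].Replace('-', '+').Replace('_', '/');
        switch (payload.Length % 4)
        {
            case 2: payload += "=="; break;
            case 3: payload += "="; break;
        }

        using JsonDocument doc = JsonDocument.Parse(Convert.FromBase64String(payload));
        if (!doc.RootElement.TryGetProperty("aud", out JsonElement aud)) return "(no aud claim)";
        return aud.ValueKind == JsonValueKind.String ? aud.GetString() : aud.GetRawText();
    }
}
```

The Graph token's `aud` should name Microsoft Graph (`https://graph.microsoft.com` or its application ID `00000003-0000-0000-c000-000000000000`), and the EWS token's `aud` should be `https://outlook.office.com`. Presenting either token to the other API produces exactly the "Invalid audience" and 401 responses shown in the question; that is the expected behaviour, since a token scoped to one resource must not be replayable against another.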