问题描述

我希望我的服务器应用程序使用 Microsoft Graph 与它自己的 Excel 文件进行交互.也就是说，文件属于应用程序，而不是应用程序的特定用户.

我已经使用 Azure ID 注册了一个应用程序，并授予了 Microsoft Graph 的对用户可以访问的所有文件具有完全访问权限"权限.

我正在尝试使用 OAuth 资源所有者密码凭据授予.

我可以获得这样的授权令牌:

POST https://login.microsoftonline.com/common/oauth2/token内容类型:application/x-www-form-urlencodedgrant_type=密码&resource=https://graph.microsoft.com&client_id=<在 Azure AD 中注册的应用程序 ID>&username=<微软用户名>&password=<password>&scope=Files.ReadWrite.All

但响应只表明范围User.Read:

{"token_type": "承载者","scope": "User.Read","expires_in": "3600",ext_expires_in":0"，"expires_on": "1494467388",not_before":1494463488"，资源":https://graph.microsoft.com"，"access_token": "eyJ0e...","refresh_token": "AQAB..."}

当我尝试列出帐户的 One Drive 中的文件时，我没有收到错误消息，但响应中不包含任何项目:

请求:获取 https://graph.microsoft.com/v1.0/me/drive/root/children授权:承载eyJ0e...回复:{"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users('<account ID>')/drive/root/children",价值": []}

当我在使用相同帐户登录时在 Graph Explorer 中发出相同请求时，响应包括该帐户的一个驱动器根目录中的所有项目.

我了解 Microsoft Graph 当前不支持仅应用程序文件访问，当通过 OAuth 客户端凭据授予授权时(根据

请尝试在授予对所有用户具有完全访问权限"后点击必需权限"选项卡中的Grant Permissions(最好使用管理员帐户)文件用户可以访问"Microsoft Graph 的权限:

使用资源所有者密码流程获取令牌后，您将在 scp 声明中找到 Files.ReadWrite.All.然后你可以调用 microsoft graph api 来列出文件.

更新

这是我如何使资源所有者流程工作的步骤:

1. 注册本机应用，为Microsoft Graph添加对用户可以访问的所有文件具有完全访问权限"委托权限(不要点击grant permissions按钮，如上图所示).使用 Resource Owner Password Credentials Grant 并获取访问令牌，仅在 scp 声明中找到 User.Read :

   POST

   I want my server application to interact with it's own Excel files using Microsoft Graph. That is, the files belong to the application, not a particular user of the application.

   I have registered an application with Azure ID and granted "Have full access to all files user can access" permission for Microsoft Graph.

   I am trying to use OAuth Resource Owner Password Credentials Grant.

   I can get an authorization token like this:

   POST https://login.microsoftonline.com/common/oauth2/token
   Content-Type: application/x-www-form-urlencoded
   
   grant_type=password
   &resource=https://graph.microsoft.com
   &client_id=<ID of application registered with Azure AD>
   &username=<Microsoft username>
   &password=<password>&scope=Files.ReadWrite.All
   

   But the response only indicates scope User.Read:

   {
     "token_type": "Bearer",
     "scope": "User.Read",
     "expires_in": "3600",
     "ext_expires_in": "0",
     "expires_on": "1494467388",
     "not_before": "1494463488",
     "resource": "https://graph.microsoft.com",
     "access_token": "eyJ0e...",
     "refresh_token": "AQAB..."
   }
   

   And when I try to list files in the account's One Drive, I do not get an error, but the response contains no items:

   Request:
   GET https://graph.microsoft.com/v1.0/me/drive/root/children
   Authorization: bearer eyJ0e...
   
   Response:
   {
     "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users('<account ID>')/drive/root/children",
     "value": []
   }
   

   When I make the same request in Graph Explorer when logged in with same account the response includes all the items in that account's one drive root.

   I understand that Microsoft Graph does not currently support application-only file access, when authorized via OAuth Client Credentials Grant (as per instructions for calling Microsoft Graph in a service), but since I am getting authorization for a particular user account (not just application) I would expect to get access to that users files.

   Am I doing something wrong, or is file access not supported using Resource Owner Password Credentials Grant either?

   If the latter, how can I achieve allowing my application to use user credentials to manipulate Excel files via Microsoft Graph without user interaction?

   UPDATE:

   I have had administrator permissions assigned to the account I am using, and re-set the application permissions for Microsoft Graph in the Azure Portal, but it still is not working for me.

   Here are details of the account I am using:

   解决方案

   Please try to click Grant Permissions(better using admin account) in "Required permissions" blade after granted "Have full access to all files user can access" permission for Microsoft Graph:

   After that acquire token using Resource Owner Password flow , you will find Files.ReadWrite.All in scp claims . Then you could call microsoft graph api to list files .

   Update

   Here is the steps how i make the resource owner flow work :

   1. register a native app , Add the "Have full access to all files user can access" delegate permission for Microsoft Graph(don't click grant permissions button as above picture shown) . using Resource Owner Password Credentials Grant and get the access token ,only find User.Read in scp claim :

      POST https://login.microsoftonline.com/common/oauth2/tokenContent-Type: application/x-www-form-urlencodedgrant_type=password&client_id=XXXXXXXXXX&resource=https://graph.microsoft.com/&username=XXXXXX&password=XXXXXXX

   2. click grant permissions button as above picture shown , using Resource Owner Password Credentials Grant and get the access token ,you could find Files.ReadWrite.All User.Read in scp claim :

   这篇关于如何在没有用户交互的情况下授权服务使用 Microsoft Graph 用户帐户?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！