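This article covers how to obtain access tokens for Microsoft Graph and for individual service API endpoints (Outlook REST API, etc.). It may be a useful reference for anyone working through the same problem.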

Problem description

I spent some time playing around with Azure AD OAuth 2.0.

An access token obtained with scope https://outlook.office.com/mail.read throws 401 Unauthorized when used with Microsoft Graph.

Similarly, an access token obtained with scope https://graph.microsoft.com/mail.read throws 401 Unauthorized when used with Outlook REST API endpoints.

Also, I get an error if I mention both the scopes while authorizing a user.

Is it possible to have access tokens that allow access to both Microsoft Graph and Outlook REST API endpoints?

I am building an emailing app. Initially, I will build basic features like syncing/sending emails.

I will be using Microsoft Graph, since it supports all that I need presently and Microsoft recommends it over individual service API endpoints.

I am worried about the future. The OAuth access tokens that I will obtain at present will have scope https://graph.microsoft.com/mail.read. In future, it may happen that a new feature I want to build is not supported by Microsoft Graph but it is supported by Outlook REST API endpoints. At such time I would want to use the Outlook REST API endpoints.

Do I have to maintain two sets of OAuth access tokens for every user? Also, asking every user to re-auth is not a good idea.

Recommended answer

Yes, you can use the RefreshToken to get an AccessToken to the individual endpoints with the same scopes as authorized when you requested the graph access (scopes).

E.g., if you requested Mail.Read (short name for https://graph.microsoft.com/mail.read) you can get back to the token issuing endpoint with the refresh_token with scope="https://outlook.office.com/mail.read" and get an access_token for this endpoint.
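The refresh-token redemption the answer describes, sketched as an added example (not code from the original question or answer). It assumes the multi-tenant v2.0 token endpoint and fully qualified scope URLs; `build_refresh_request`, `resource_of` and `AccessTokenCache` are hypothetical helper names, and the request is built but not sent.

```python
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

# Assumption: the multi-tenant v2.0 token endpoint; substitute your tenant id for "common".
TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}  # not tied to a resource


def resource_of(url):
    """Return the resource (token audience) a scope or API URL belongs to."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"expected an absolute https URL, got {url!r}")
    return f"https://{parts.hostname.lower()}"


def build_refresh_request(client_id, refresh_token, scopes, client_secret=None):
    """Build (without sending) the refresh_token grant for exactly one resource."""
    resources = {resource_of(s) for s in scopes if s not in OIDC_SCOPES}
    if len(resources) != 1:
        # The question reports an error when both resources' scopes are requested together.
        raise ValueError(f"scopes must target one resource, got {sorted(resources)}")
    form = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
        "scope": " ".join(scopes),
    }
    if client_secret is not None:  # confidential (server-side) clients only
        form["client_secret"] = client_secret
    return Request(TOKEN_URL, data=urlencode(form).encode(), method="POST")


class AccessTokenCache:
    """One access token per resource, so a token is only sent to its own API."""

    def __init__(self):
        self._by_resource = {}

    def store(self, scopes, access_token):
        (resource,) = {resource_of(s) for s in scopes if s not in OIDC_SCOPES}
        self._by_resource[resource] = access_token

    def token_for(self, api_url):
        """Token for the API being called, or None if one must be requested first."""
        return self._by_resource.get(resource_of(api_url))
```

Only the refresh token needs to be stored per user; access tokens for Graph and for Outlook are short-lived and can be re-derived from it, each one presented only to the API whose host matches its scope.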

08-27 19:35