
How do I create an auth token with the new microsoft graph api?

I've been using this:

https://github.com/Azure-Samples/active-directory-php-graphapi-web.git

to access the graph api, which works. My azure AD registered application is able to query the API to get a list of users in the directory.

But now I want to list folders for a user in the directory. This page

http://graph.microsoft.io/docs

says the url should be:

https://graph.microsoft.com/v1.0/me/drive/root/children

When I use that url in my REST call, I get

"code": "InvalidAuthenticationToken",
"message": "CompactToken parsing failed with error code: -2147184105"

Makes sense, it's getting a token from

https://graph.windows.net

So, I'm lost. There are so many different versions of the API, from the consumer grade onedrive (formerly skydrive), the first graph api (which I access via https://graph.windows.net ), the office 365 API (which I access via https://login.microsoftonline.com ) and now the graph api (formerly universal api https://graph.microsoft.com ), that I just don't know where to begin to look for correct information.

I'm working in PHP at the moment, and I'm sure that's going to be pretty low on microsoft's list of supported platforms, but any direction about how the access token generation works in the newest api versus the o365 api versus the other graph api (at graph.windows.net) would be appreciated.

Is anybody else as confused as I am? Is there some central reference that explains all the differences between these apis and how to access them?

The Microsoft Graph should provide you with one endpoint (and token acquisition) to access data offered by Office 365 and Azure AD services. Please visit https://graph.microsoft.com for more details - but please use the v1.0 version as this is the GA version that is appropriate for production services.

As for your question about a service app with no user UI - you can get an app-only access token using the client_credential flow. (This is not currently documented in the Microsoft Graph documentation, but it is supported and described elsewhere - just set the resource to be https://graph.microsoft.com/ ). In the Azure Management Portal you'll need to select the "Application Permissions" that your app requires too. Currently app-only access to mail resources is supported, but app-only access to OneDrive resources (through Microsoft Graph) is not supported. We'll be looking to open that up shortly.

Hope this helps,

The endpoint https://login.microsoftonline.com is the Azure AD authorization endpoint, which provides the SSO page where users log on, authenticate and obtain an authorization code.

The others, like https://graph.microsoft.com, are resource endpoints, built on REST APIs, that provide resources and services from Microsoft.

Specifically, for the endpoint https://graph.windows.net, the explanation on the official site is:

The Azure Active Directory Graph API provides programmatic access to Azure Active Directory through REST API endpoints. Apps can use the Azure AD Graph API to perform create, read, update, and delete (CRUD) operations on directory data and directory objects, such as users, groups, and organizational contacts. And https://graph.microsoft.com is a unified API that also includes APIs from other Microsoft services like Outlook, OneDrive, OneNote, Planner, and Office Graph, all accessed through a single endpoint with a single access token.

Refer to AD Graph REST for more information.

To integrate Office 365 via Azure AD, you have to check whether you have an Office 365 tenant and whether the administrator user of the Office 365 tenant has access permission on Azure AD. You can refer to Deep Dive into the Office 365 Unified API for a step by step guide to integrating the Office 365 Unified API.

Furthermore, you can refer to Get started with Office 365 APIs powered by Microsoft Graph to create a PHP example.

I have really tried hard to import Live Outlook contacts. But after a few days of R&D I found https://dev.office.com/blogs/outlook-rest-api-v1-0-office-365-discovery-and-live-connect-api-deprecation , which made me switch to Microsoft Graph. I have also tried the Azure documentation and other stuff, but I found it very confusing and still wasn't clear on it. So I implemented the following in PHP, which luckily turned out to be successful. Just follow these steps:

1) Create your application in https://apps.dev.microsoft.com

a) Generate a new password. Save the application id and the password.

b) Add the platform as Web and add a redirect URL with https, as only https can be used and http is not applicable.

c) Check Live SDK Support under Advanced options and save.

2) Pass the scope in the url as contacts.read, as we need the signed-in user's contacts.

  $client_id    = "YOUR_CLIENT_ID";
  $redirect_uri = SiteUrl . 'hotmail-contact';   // SiteUrl: the site's own base-URL constant
  // Build the authorize URL as one line; the query parameters must not
  // contain newlines, and the redirect URI has to be URL-encoded.
  $url = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
       . "?client_id=" . urlencode($client_id)
       . "&response_type=code"
       . "&redirect_uri=" . urlencode($redirect_uri)
       . "&response_mode=query"
       . "&scope=offline_access%20user.read%20mail.read%20contacts.read"
       . "&state=12345";

3) After successful authentication, it returns the auth code. After obtaining the code, we request the token with a curl POST request to https://login.live.com/oauth20_token.srf with the postfields as

  // The values are passed through http_build_query(), which URL-encodes them
  // once; calling urlencode() on each value as well would encode them twice.
  $fields = array(
      'code'          => $auth_code,
      'client_id'     => $client_id,
      'client_secret' => $client_secret,
      'redirect_uri'  => $redirect_uri,
      'grant_type'    => 'authorization_code'
    );
  // $ch is the curl handle of the POST request to the token endpoint
  curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($fields));

4) To fetch the contacts

$url = 'https://graph.microsoft.com/v1.0/me/contacts'; we can even apply filters to them.

Now request curl with the parameters url and token

  public function curl_use_token($url, $token) {

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
    // Graph expects the access token as a Bearer token in the Authorization header
    curl_setopt($ch, CURLOPT_HTTPHEADER, array('Authorization: Bearer ' . $token));
    // CURLOPT_HEADER = 1 prepends the response headers to the returned body,
    // which is why step 5 has to extract the JSON part from $data
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_URL, $url);
    // Note: with FOLLOWLOCATION the Authorization header above is re-sent to
    // whatever host a redirect points at; Graph responses do not need it.
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);

    $data = curl_exec($ch);
    curl_close($ch);
    return $data;
  }

5) After getting the data, the data returned won't be in pure JSON format, so we can extract only the JSON part from the data by applying a regex, and after decoding it we can use it. Thanks for reading
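As an added example (not code from the question or any of the answers), here is the delegated flow of steps 2 to 5 above together with the app-only client_credentials flow from the first answer, written against the v2.0 endpoints of login.microsoftonline.com. It assumes the v2.0 token endpoint rather than the login.live.com URL the answer posts to, and `example.com`, the `$tenant` value and the capitalised credentials are placeholders; it shows a session-bound state check, single URL-encoding via http_build_query, and reading the token body as plain JSON with no regex.

```php
<?php
// Added example (not from the question or answers): v2.0 endpoints assumed, CAPS are placeholders.
session_start();
$tenant        = 'common';             // client_credentials needs a real tenant id here
$client_id     = 'YOUR_CLIENT_ID';
$client_secret = 'YOUR_CLIENT_SECRET';
$redirect_uri  = 'https://example.com/hotmail-contact';   // registered, https only
$authority     = "https://login.microsoftonline.com/$tenant/oauth2/v2.0";
// Step 2 of the answer: http_build_query encodes each value exactly once, and a
// random state kept in the session lets the callback reject forged redirects.
function authorize_url(string $authority, string $client_id, string $redirect_uri): string {
    $_SESSION['oauth_state'] = bin2hex(random_bytes(16));
    return "$authority/authorize?" . http_build_query([
        'client_id' => $client_id, 'response_type' => 'code',
        'redirect_uri' => $redirect_uri, 'response_mode' => 'query',
        'scope' => 'offline_access user.read contacts.read',
        'state' => $_SESSION['oauth_state'],
    ]);
}
// Step 3: POST the form to the token endpoint. Values are not urlencode()d by hand
// (http_build_query does it) and CURLOPT_HEADER stays off, so the body is plain JSON
// and no regex is needed to cut it out of the response headers (step 5).
function request_token(string $authority, array $fields): array {
    $ch = curl_init("$authority/token");
    curl_setopt_array($ch, [CURLOPT_POST => true, CURLOPT_RETURNTRANSFER => true,
                            CURLOPT_POSTFIELDS => http_build_query($fields)]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    $json = json_decode((string) $body, true);
    if ($status !== 200 || empty($json['access_token'])) {
        throw new RuntimeException("token request failed (HTTP $status): $body");
    }
    return $json;
}
// Callback: reject a missing or mismatched state (constant-time compare) before using the code.
if (isset($_GET['code'])) {
    $expected = $_SESSION['oauth_state'] ?? '';
    if ($expected === '' || !hash_equals($expected, (string) ($_GET['state'] ?? ''))) {
        http_response_code(400); exit('state mismatch');
    }
    $token = request_token($authority, ['grant_type' => 'authorization_code',
        'code' => $_GET['code'], 'client_id' => $client_id,
        'client_secret' => $client_secret, 'redirect_uri' => $redirect_uri]);
    // $token['access_token'] goes in an "Authorization: Bearer ..." header to Graph (step 4).
}
// App-only token (first answer's client_credentials flow): needs a tenant id and Application Permissions.
if ($tenant !== 'common') {
    $app_token = request_token($authority, ['grant_type' => 'client_credentials', 'client_id' => $client_id,
        'client_secret' => $client_secret, 'scope' => 'https://graph.microsoft.com/.default']);
}
```

To start the delegated flow, redirect the browser to `authorize_url($authority, $client_id, $redirect_uri)`; the callback branch then runs when Azure AD sends the user back with `code` and `state`.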
