How to properly register and access Office 365 Graph API for OAuth2 (using omniauth from Ruby)?
I'm trying to access the Office 365 (Graph API) from our Ruby on Rails application (specifically, the Calendar Read API). We're using omniauth for our OAuth2 flows and as such, we have also tried to access the Graph API using the omniauth-office365 and the omniauth-microsoft-office365 gem. But I haven't been able to get an access token with either of these gems so far.
I have registered our app in the Application Registration Portal, but any time I wanted to get Calendars.Read permission (using scope "profile https://graph.microsoft.com/calendar.read"), I always get the error:

AADSTS65005: The client application has requested access to resource 'https://graph.windows.net/'. This request has failed because the client has not specified this resource in its requiredResourceAccess list
Reading more articles about this, I got the impression that I need to actually go through Azure AD, so I signed up for that. But then it seems I have to register a completely new web application in the Azure dashboard that has no link to the previously created application. I gave it a try, but that only results in the following error:

AADSTS70002: Error validating credentials. AADSTS50011: The reply address 'https://example.com/auth/office365/callback?code=AQABA...a_very_long_string&session_state=e1029a3b-f6a5-4e7a-940e-18a21ee4c44f' does not match the reply address 'https://example.com/auth/office365/callback' provided when requesting Authorization code.
I'm at the point where I'm completely confused. What is the right way to go about this and to get this to work? It cannot really be that I need to go through Azure AD, right? What is the whole point of the Application Registration Portal then? It would be great if anyone could shed some light...

Thanks, Pascal
The relationship between the Office 365 API and Azure AD is that Azure AD acts as an authorization server and the Office 365 API is a Resource Server registered with Azure AD.

Follow these steps to get your app working

You might find this SO thread interesting. There is also a working example of accessing the Graph API in Rails here.
Ok, after much fiddling around, I finally got a grip on things. And it doesn't help that there are so many different ways of accessing the different APIs, each carrying its specific version, and each with its whole slew of outdated "this is how you do it" articles.

Let me summarize how I got everything to work and the lessons learned.
1. ... resource https://outlook.office.com/, whereas all examples refer to the base https://graph.microsoft.com. Switching to the microsoft_v2_auth gem included in this Ruby sample got me further.

2. AADSTS65005 seemed to have to do with the exact "wording" of the scopes. I've seen wordings like :scope => 'openid email profile offline_access https://graph.microsoft.com/calendar.read', but the correct wording is :scope => 'openid email profile offline_access https://graph.microsoft.com/Calendars.Read' (so plural Calendars and Pascal case). This seemed to solve the problem for me.

3. "Insufficient privileges to complete the operation." occurred after a successful callback with an access token, but right when the gem wanted to get extra profile information from the /v1.0/me API. Only after I added https://graph.microsoft.com/User.Read to the scope in my Ruby application, as well as the User.Read grant in the application registration, did the gem seem to have the permissions it needed, and the error went away.

4. NOTE! Microsoft access tokens expire within one hour, so you will need to refresh your access token often, using a refresh token. You get a refresh token with your initial authorization request only if you include offline_access in your scope (see the scope in point 2). Then you can use the following type of code:
    # Instantiate the strategy only to reuse its configured OAuth2 client
    oauth = OmniAuth::Strategies::MicrosoftV2Auth.new(nil, ENV['OFFICE365_KEY'], ENV['OFFICE365_SECRET'])
    # Wrap the stored tokens so the oauth2 gem can run the refresh_token grant
    token = OAuth2::AccessToken.new(oauth.client, @access_token, refresh_token: @refresh_token)
    new_token = token.refresh!
    @access_token = new_token.token if new_token.token
    # Azure AD may hand back a rotated refresh token; persist that one too
    @refresh_token = new_token.refresh_token if new_token.refresh_token
Also, when testing this it is invaluable to revoke the access token you've acquired during earlier tests. This can be done at myapps.microsoft.com.

I've also run into CSRF errors in this process, in which case you need to clear your cache.

If I find anything else of interest, I'll add it here, in the hopes that no one will have to wander long in these murky API forests. :(
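Added example, not code from the original post or from any of the gems it mentions: a stdlib-only Ruby sketch of the pitfalls the answer above walks through, namely canonical Graph scope spelling (AADSTS65005), the bare redirect_uri the token endpoint expects instead of the full callback URL (AADSTS50011), binding the callback to the stored state so a CSRF'd code is never exchanged, and keeping a one-hour access token fresh with the refresh token that offline_access provides. The token endpoint URL and JSON field names are the documented v2.0 ones; the scope table, the token response, the callback URLs and the client credentials are constructed for illustration, and nothing here makes a network request.

```ruby
require 'uri'
require 'json'
require 'time'

GRAPH          = 'https://graph.microsoft.com'.freeze
TOKEN_ENDPOINT = 'https://login.microsoftonline.com/common/oauth2/v2.0/token'.freeze

# Graph permission names are case-sensitive and must match the registered
# permission exactly ("Calendars.Read", not "calendar.read"). Only the scopes
# discussed on this page are mapped; extend the table for your own app.
CANONICAL_GRAPH_SCOPES = {
  'calendars.read' => 'Calendars.Read',
  'calendar.read'  => 'Calendars.Read', # spelling seen in older articles
  'user.read'      => 'User.Read'       # needed for the gem's /v1.0/me lookup
}.freeze

OIDC_SCOPES = %w[openid email profile offline_access].freeze

# Build the scope string for the authorization request. Unknown names raise
# here instead of producing an AADSTS65005 round trip against Azure AD.
# offline_access is what makes the token endpoint return a refresh token.
def build_scope(graph_permissions, offline: true)
  graph = graph_permissions.map do |perm|
    key  = perm.sub(%r{\A#{Regexp.escape(GRAPH)}/}i, '').downcase
    name = CANONICAL_GRAPH_SCOPES.fetch(key) { raise ArgumentError, "unknown Graph scope: #{perm}" }
    "#{GRAPH}/#{name}"
  end
  oidc = offline ? OIDC_SCOPES : OIDC_SCOPES - ['offline_access']
  (oidc + graph.uniq).join(' ')
end

# AADSTS50011: the redirect_uri sent with the code to the token endpoint must be
# byte-for-byte the registered reply URL. The URL the browser actually lands on
# carries ?code=...&session_state=..., so strip query and fragment first.
def registered_redirect_uri(callback_url)
  uri = URI.parse(callback_url)
  uri.query = nil
  uri.fragment = nil
  uri.to_s
end

# Pull the authorization code out of the callback and bind it to the state the
# app stored in the session before redirecting. A missing or different state is
# the CSRF condition; the code must not be exchanged in that case.
def extract_code(callback_url, expected_state:)
  params = URI.decode_www_form(URI.parse(callback_url).query.to_s).to_h
  raise 'state mismatch (possible CSRF)' unless params['state'] && params['state'] == expected_state
  params.fetch('code') { raise 'callback carries no code' }
end

# Holds one access/refresh token pair and knows when it needs refreshing.
class TokenSet
  attr_reader :access_token, :refresh_token, :expires_at

  def initialize(access_token:, refresh_token:, expires_at:)
    @access_token  = access_token
    @refresh_token = refresh_token
    @expires_at    = expires_at
  end

  # Parse a v2.0 token response; expires_in is seconds from issue time.
  def self.from_response(json, now: Time.now)
    h = JSON.parse(json)
    new(access_token:  h.fetch('access_token'),
        refresh_token: h['refresh_token'],
        expires_at:    now + h.fetch('expires_in').to_i)
  end

  # Refresh a few minutes early instead of waiting for a 401 from Graph.
  def needs_refresh?(now: Time.now, skew: 300)
    now >= expires_at - skew
  end

  # Form body for the refresh_token grant at TOKEN_ENDPOINT (not sent here).
  def refresh_params(client_id:, client_secret:, scope:)
    raise 'no refresh token: the scope lacked offline_access' unless refresh_token
    { 'client_id' => client_id, 'client_secret' => client_secret,
      'grant_type' => 'refresh_token', 'refresh_token' => refresh_token,
      'scope' => scope }
  end

  # Apply a refresh response. Azure AD may rotate the refresh token; if the
  # response omits it, the previous one stays valid and is kept.
  def after_refresh(json, now: Time.now)
    fresh = TokenSet.from_response(json, now: now)
    TokenSet.new(access_token:  fresh.access_token,
                 refresh_token: fresh.refresh_token || refresh_token,
                 expires_at:    fresh.expires_at)
  end
end

# Constructed sample of what the token endpoint returns; token values are fake.
SAMPLE_TOKEN_RESPONSE = JSON.generate(
  'token_type'    => 'Bearer',
  'scope'         => build_scope(['Calendars.Read', 'User.Read']),
  'expires_in'    => 3599,
  'access_token'  => 'eyJ0eXAiOiJKV1Qi.constructed-access-token',
  'refresh_token' => 'MCQ.constructed-refresh-token'
)

if __FILE__ == $PROGRAM_NAME
  puts build_scope(['calendar.read', 'User.Read'])
  tokens = TokenSet.from_response(SAMPLE_TOKEN_RESPONSE)
  puts "refresh needed now? #{tokens.needs_refresh?}"
  puts registered_redirect_uri('https://example.com/auth/office365/callback?code=AQABA&session_state=x')
end
```

The redirect_uri check is the one to keep even if you adopt a gem: OmniAuth strategies normally send the bare callback path themselves, but any hand-rolled token exchange that copies `request.url` into `redirect_uri` reproduces AADSTS50011 exactly as in the question.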