Proper OAuth2 authentication flow for a web API using the EWS Managed API
I've been reading through a bunch of documentation for using OAuth with Azure AD, but am still completely confused about how to properly implement things for my situation. Hopefully someone can steer me in the right direction.
I have created an ASP.NET Web API application that uses the EWS Managed API to access Exchange on behalf of different users. My application exposes endpoints such as /Mailbox/Messages and /Appointments with the intent that some front end web application will eventually use them to retrieve a user's emails and appointments. Currently the endpoints are working using basic HTTP authentication, but I'd like to update them to use OAuth. The application has been registered in my Azure AD instance and I've configured it to require the "Access mailboxes as the signed-in user via Exchange Web Services" API permission.
Since the front end hasn't been implemented yet, I've been trying to test by manually calling the authentication endpoint. This prompts me to log in and provide consent. If I consent, I'm redirected to the callback URL that I provided when I registered the app, with the authorization code contained in the query parameters. I'm still not quite sure how I'm supposed to be using this callback, but for the sake of testing I currently have the callback redeem the authorization code for an access token. This is done by calling the AcquireTokenByAuthorizationCode method on an instance of the AuthenticationContext class and providing my application's id and secret. Again, just for the sake of testing I return the access token to the browser. I can then call my aforementioned endpoints (after some modifications) with this access token and get the emails for the user. I'm guessing much of this is not the correct way to be doing things.
Some of my points of confusion:
Being completely new to OAuth and Azure, I'm not sure if any other details are pertinent, but I can provide more information as needed.
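The callback flow the question describes, written out as an added example (not the asker's code and not taken from ADAL or the EWS Managed API project): the authorization code is redeemed server-side with ADAL.NET's AcquireTokenByAuthorizationCodeAsync, the resulting token is kept on the server and used with the EWS Managed API, and the browser only ever holds its own session. Assumed: the Microsoft.IdentityModel.Clients.ActiveDirectory (ADAL.NET) and Microsoft.Exchange.WebServices packages, placeholder tenant/client/redirect values, and hypothetical SessionId() and StateStore helpers for the caller's session and the OAuth state value.

```csharp
// Added example (not the asker's code): redeem the authorization code on the server
// and use the token with EWS; tenant, ids and URIs below are placeholders.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Exchange.WebServices.Data;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public class MailboxController : ApiController
{
    // Placeholders: load these from configuration, never from source control.
    const string Authority = "https://login.microsoftonline.com/{tenant-id}";
    const string ClientId = "{application-id}";
    const string ClientSecret = "{client-secret}";
    const string RedirectUri = "https://localhost/Mailbox/Callback";
    const string EwsResource = "https://outlook.office365.com"; // resource the token is issued for

    // Server-side token cache keyed by the caller's session; the bearer token is never
    // returned to the browser. SessionId() and StateStore are hypothetical helpers.
    static readonly Dictionary<string, AuthenticationResult> Tokens =
        new Dictionary<string, AuthenticationResult>();

    [HttpGet, Route("Mailbox/Callback")]
    public async Task<IHttpActionResult> Callback(string code, string state)
    {
        // 'state' was generated when the user was sent to the authorize endpoint;
        // reject any callback that does not echo the value issued for this session.
        if (!StateStore.Validate(SessionId(), state)) return BadRequest("state mismatch");

        var ctx = new AuthenticationContext(Authority);
        var result = await ctx.AcquireTokenByAuthorizationCodeAsync(
            code, new Uri(RedirectUri), new ClientCredential(ClientId, ClientSecret), EwsResource);
        Tokens[SessionId()] = result;  // keeps result.AccessToken and result.ExpiresOn server-side
        return Ok();                   // the browser receives only its session, not the token
    }

    [HttpGet, Route("Mailbox/Messages")]
    public IHttpActionResult Messages()
    {
        if (!Tokens.TryGetValue(SessionId(), out var token) || token.ExpiresOn <= DateTimeOffset.UtcNow)
            return Unauthorized();  // missing or expired token: send the user through the flow again
        var service = new ExchangeService(ExchangeVersion.Exchange2013_SP1)
        {
            Url = new Uri("https://outlook.office365.com/EWS/Exchange.asmx"),
            Credentials = new OAuthCredentials(token.AccessToken)
        };
        var inbox = service.FindItems(WellKnownFolderName.Inbox, new ItemView(10));
        return Ok(inbox.Items.Select(i => i.Subject));
    }
}
```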
What you are implementing is this scenario: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-authentication-scenarios#daemon-or-server-application-to-web-api
Here's how it works:
And to answer your two questions: