
Subscribe from daemon to Office 365 Streaming Notifications on behalf of a user

From my Windows service I need to be able to subscribe to event notifications in Office 365 meeting room calendars in my tenant. For security reasons there is no way to use push notifications, so only streaming notifications are plausible (or polling, but that is the last resort). But as described on that page, the scope of the subscription cannot be changed from the current user 'me'. Thus I cannot rely on application role assignments (which I can already use to poll the calendars of interest with the Graph API). Of course, I have user credentials for those meeting room accounts, but basic authentication has not been supported for a while.

The challenge: my service needs to act on behalf of the meeting room user(s) to subscribe and to receive notifications, but from a daemon service, without user interaction. In practice it will have a management UI, but after adding a meeting room the admin will leave that UI and the service will need to work alone: renew the subscription and re-establish the stream in case of a server restart.

I suppose that the device profile is one option.

What approach/flow do you suggest?

I would say you have two options:

  • You can use the OAuth client credentials grant supported by Azure AD, which allows a service to get access tokens by simply presenting its client ID & client secret (no user creds required). In order to grant this service the authorization to access the calendar of the meeting room, you would have to get the administrator of the tenant to consent to your service one time. The instructions for getting this consent & getting tokens are described in this article. You should be able to use the calendars.read application permission to subscribe to the notifications (though I haven't tried it myself).
  • The other approach would be to have someone log into your service's management UI with the credentials of the meeting room, and grant consent for the service to access its calendar, using the normal OAuth authorization code grant and the calendars.read scope. Yes, this approach requires user interaction in the management console one time. But your service will receive back a refresh token that will be long-lived, and can be used to acquire new access tokens without further user interaction. This refresh token is non-expiring by default, which may make it viable for your scenario. The refresh token's lifetime can however be shortened by a tenant administrator, or it can be revoked if someone intentionally disables/deletes your service's access.

The device profile flow is pretty much the second option. It still requires the user to sign in, and the service still acts on behalf of the user. The only difference is how the user enters their credentials. It sounds like, for your purposes, the regular OAuth authorization code flow will be more appropriate than the device profile flow (which is meant mostly for limited input devices).
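The two token flows the answer contrasts, as an added example that is not part of the original question or answer: a small token source that either uses the client credentials grant (option 1, admin consent, no user) or redeems a refresh token obtained once through the authorization code flow (option 2), caches the access token until shortly before it expires, and keeps the newest refresh token when Azure AD rotates it. It assumes the Azure AD v2.0 token endpoint `https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token` and standard form-encoded grant parameters; the tenant, client id, secret, scope string and the canned replies used by the offline transport are constructed placeholders, and the scope you need depends on which API (EWS or Graph) the subscription goes through.

```python
"""Token acquisition for a daemon: client credentials or refresh token grant.

Added example, not code from the original post. Endpoint shape follows the
Azure AD v2.0 token endpoint; tenant/client/scope values below are placeholders.
"""
import json
import time
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def http_post_form(url, fields):
    """Default transport: POST form-encoded fields, return the decoded JSON reply."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


class TokenSource:
    """mode="app": client credentials grant (admin-consented application permission).
    mode="user": refresh_token grant with the token from a one-time sign-in."""

    def __init__(self, tenant, client_id, client_secret, scope, mode,
                 refresh_token=None, transport=http_post_form, clock=time.time):
        if mode not in ("app", "user"):
            raise ValueError("mode must be 'app' or 'user'")
        if mode == "user" and not refresh_token:
            raise ValueError("user mode needs the refresh token from the auth code flow")
        self.url = TOKEN_ENDPOINT.format(tenant=tenant)
        self.client_id, self.client_secret, self.scope = client_id, client_secret, scope
        self.mode, self.refresh_token = mode, refresh_token
        self.transport, self.clock = transport, clock
        self._access_token, self._expires_at = None, 0.0

    def request_fields(self):
        """Form fields for the token request; the secret is sent in the body, never in the URL."""
        fields = {"client_id": self.client_id, "client_secret": self.client_secret,
                  "scope": self.scope}
        if self.mode == "app":
            fields["grant_type"] = "client_credentials"
        else:
            fields["grant_type"] = "refresh_token"
            fields["refresh_token"] = self.refresh_token
        return fields

    def access_token(self, skew=300):
        """Return a cached token unless it expires within `skew` seconds; else fetch one."""
        if self._access_token and self._expires_at - self.clock() > skew:
            return self._access_token
        reply = self.transport(self.url, self.request_fields())
        if "error" in reply:
            # e.g. invalid_grant after an admin revoked or expired the refresh token:
            # the daemon must surface this so an operator can re-consent.
            raise RuntimeError(f"{reply['error']}: {reply.get('error_description', '')}")
        self._access_token = reply["access_token"]
        self._expires_at = self.clock() + float(reply.get("expires_in", 3600))
        if reply.get("refresh_token"):
            # Rotated refresh token: persist the newest one, the old one may stop working.
            self.refresh_token = reply["refresh_token"]
        return self._access_token


def fake_transport(replies):
    """Constructed offline stand-in for http_post_form: records calls, replays canned replies."""
    calls = []

    def post(url, fields):
        calls.append((url, dict(fields)))
        return replies.pop(0)
    post.calls = calls
    return post


def demo():
    """Exercise both modes offline with constructed replies; returns observed behaviour."""
    now = [1_000_000.0]
    clock = lambda: now[0]
    app_post = fake_transport([{"access_token": "app-token-1", "expires_in": 3600},
                               {"access_token": "app-token-2", "expires_in": 3600}])
    app = TokenSource("placeholder-tenant", "placeholder-client-id", "placeholder-secret",
                      "https://graph.microsoft.com/.default", "app",
                      transport=app_post, clock=clock)
    first, cached = app.access_token(), app.access_token()   # second call hits the cache
    now[0] += 3400                                           # within the 300 s skew window
    renewed = app.access_token()
    user_post = fake_transport([{"access_token": "user-token-1", "expires_in": 3600,
                                 "refresh_token": "rt-2"},
                                {"error": "invalid_grant",
                                 "error_description": "constructed: token revoked"}])
    user = TokenSource("placeholder-tenant", "placeholder-client-id", "placeholder-secret",
                       "https://graph.microsoft.com/Calendars.Read offline_access", "user",
                       refresh_token="rt-1", transport=user_post, clock=clock)
    user_token = user.access_token()
    now[0] += 3400
    try:
        user.access_token()
        revoked = False
    except RuntimeError:
        revoked = True
    return {"first": first, "cached": cached, "renewed": renewed, "app_calls": len(app_post.calls),
            "user_token": user_token, "rotated_refresh": user.refresh_token,
            "second_refresh_sent": user_post.calls[1][1]["refresh_token"], "revoked": revoked}


if __name__ == "__main__":
    print(demo())
```

Whichever mode the daemon runs in, treat the secret and the refresh token as credentials at rest (DPAPI or a vault on the Windows host), and log the `invalid_grant` path distinctly: in mode "user" it is the signal that the admin shortened the refresh token lifetime or revoked the service, and the only recovery is a new sign-in, which is exactly the trade-off the answer describes.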
