Calling Microsoft Graph API via another REST service

Good day!

We need a calendar facility for the project that we're working on right now. For some reason, we are limited to using the Office 365 calendar or the Outlook calendar. We stumbled upon the Microsoft Graph APIs, which seem to be the right tool to fulfill what we want to do. So the idea is to create a Microsoft account which will be used as the main calendar where our wrapper API (wrapping the Microsoft Graph API calls) can pull events from and eventually disseminate to client requests.

So here is what we've done so far:

  1. Created a Microsoft account with the domain of @outlook.com
  2. Plotted some calendar events using the said Microsoft account
  3. Tried to follow this guide from the Microsoft site.

We agreed to create a wrapper API which will call the Microsoft Graph APIs, but before this we tried to access the said APIs via Postman. The problem is that Postman cannot get any response from the endpoint of the /authorize API, which is needed to gain an access token to finally call the respective Microsoft Graph APIs.

Now we do not know if we are trying to attack this wrongly or whatever. Do you have any idea what we are missing here? Thanks in advance and I hope someone can shed light on this matter.

UPDATE:

We were able to make some progress. After some time, we bumped into the Azure Active Directory portal. We are now able to get an access token using this URL.

https://login.microsoftonline.com/<directory-id>/oauth2/token

Now when we are accessing the actual MS Graph API endpoint that we are supposed to call, we are receiving a 401 Unauthorized response even though we are using the obtained token from the previous API call. This is the URL that we are trying to get a response from:

https://graph.microsoft.com/v1.0/me/calendar/calendarView?startDateTime=2018-08-01T00:00:00.0000000&endDateTime=2018-08-31T23:59:59.0000000

This is all being done via Postman first.

UPDATE:

We tried to grant every permission possible in the Azure Active Directory portal and confirmed the consent at

https://login.microsoftonline.com/<domain>.onmicrosoft.com/adminconsent?client_id=<client-id>

but unfortunately we're still hitting the 401 Unauthorized wall. In Microsoft Graph Explorer, everything is working fine. So what could be missing in our Postman implementation that MS Graph Explorer is doing implicitly? Thanks in advance for any help!

UPDATE

After further reading, we've found out some important details. First, we've found out that there are two sets of APIs from Microsoft. One is the Azure Active Directory API and the other is the Microsoft Graph API. Both APIs use the same URL to get access tokens by using client credentials. Below is the URL:

https://login.microsoftonline.com/<directory-id>/oauth2/v2.0/token

Substitute the <directory-id> with your personal data from the Azure portal. To get an access token using this URL, you need to supply some data in the request body.

  1. client_id - client id of the registered application in the Azure portal
  2. client_secret - secret key of the registered application in the Azure portal
  3. grant_type - 'client_credentials' --> meaning you'll get an access token by using client credentials
  4. scope - 'https://graph.microsoft.com/.default' or 'https://graph.windows.net/.default' --> this controls which API you are going to access. The first one is to access the Microsoft Graph API and the other is to access the Azure Active Directory API.

We are now able to get an access token and use it to access the actual API that we need. Below is the URL of the said API:

https://graph.microsoft.com/v1.0/users/<azure-tenant-name>.onmicrosoft.com/calendar/calendarView?startDateTime=2018-08-01T00:00:00.0000000&endDateTime=2018-08-31T23:59:59.0000000

Notice that the URL does not use /me because, from what we read, using it requires a signed-in user. Unfortunately we are still getting the 401 Unauthorized error, but the errors did change now. We are getting two errors intermittently. Sometimes the API call would return one or the other alternately. Below are the responses of the API calls.

{
    "error": {
        "code": "InvalidTenant",
        "message": "The tenant for tenant guid '<directory-id-goes-here>' does not exist.",
        "innerError": {
            "request-id": "<some-request-id>",
            "date": "2018-08-22T04:29:27"
        }
    }
}

{
    "error": {
        "code": "UnknownError",
        "message": "",
        "innerError": {
            "request-id": "<some-request-id>",
            "date": "2018-08-22T04:54:11"
        }
    }
}

We feel we've moved a step forward. We're still not getting what we need though. Now the mystery is these 2 API call responses. What could be the reason for this? Thanks in advance for anybody's help.

UPDATE

Upon even further reading we've discovered that there are authentication flows to get an access token. Depending on the API that you want to call, some authentication flows will not work on it because they need more details and security to execute themselves. So we've tried:

  1. Client Credential Grant
  2. Resource Owner Credential Grant
  3. Authorize Code Grant

But unfortunately, we are still stuck at the previous error. We are getting 401 Unauthorized and the response payload is either InvalidTenant or UnknownError.
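As an added example (not part of the original question or its answers): when a token from the client credentials grant still gets a 401, its claims show which API it was issued for and whether it carries application permissions. The sketch below decodes a token's payload without verifying it and checks it against the request; `diagnose`, the sample tokens and the `<user-id>` placeholder are constructed for illustration.

```python
import base64
import json

GRAPH_AUDIENCES = {"https://graph.microsoft.com",
                   "00000003-0000-0000-c000-000000000000"}  # Microsoft Graph app id


def jwt_claims(token):
    """Decode the payload of a JWT without verifying it (diagnosis only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token, request_url, needed_role="Calendars.Read"):
    """Return reasons this token is likely to be rejected for request_url."""
    claims = jwt_claims(token)
    findings = []
    aud = claims.get("aud", "").rstrip("/")
    if aud not in GRAPH_AUDIENCES:
        findings.append(f"aud is {aud!r}, not Microsoft Graph")
    app_only = "scp" not in claims  # client-credentials tokens carry roles, no scp
    if app_only and "/me/" in request_url:
        findings.append("/me needs a signed-in user; use /users/<id> instead")
    if app_only and needed_role not in claims.get("roles", []):
        findings.append(f"application permission {needed_role} missing from roles")
    return findings


def make_sample_token(claims):
    """Build an unsigned, constructed token for the demonstration."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed claims: a token issued for Azure AD Graph, with no roles granted.
WRONG = make_sample_token({"aud": "https://graph.windows.net", "tid": "<directory-id>"})
# Constructed claims: an app-only Microsoft Graph token with Calendars.Read.
RIGHT = make_sample_token({"aud": "https://graph.microsoft.com",
                           "tid": "<directory-id>", "roles": ["Calendars.Read"]})
ME_URL = "https://graph.microsoft.com/v1.0/me/calendar/calendarView"
USER_URL = "https://graph.microsoft.com/v1.0/users/<user-id>/calendar/calendarView"

if __name__ == "__main__":
    for tok, url in [(WRONG, ME_URL), (RIGHT, ME_URL), (RIGHT, USER_URL)]:
        print(url, "->", diagnose(tok, url) or "no obvious token problem")
```

A token that passes these checks can still be refused by Graph, for example when the target user has no mailbox in the tenant.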

I just went through a similar problem yesterday, the 401 Unauthorized error.

I was trying to access the calendar of an employee via Microsoft's Graph API, but I was receiving the same response as you.

Request:

https://graph.microsoft.com/v1.0/users/employee-email/calendarview?startdatetime=2018-10-21T00:00:00Z&enddatetime=2018-10-27T23:59:59Z&$select=subject,categories,start,end,sensitivity

Response:

{
    "error": {
        "code": "UnknownError",
        "message": "",
        "innerError": {
            "request-id": "<request-id>",
            "date": "<date>"
        }
    }
}

Then I decided to check if he had Office 365. He didn't. I'm just a developer, so I asked the guys from infrastructure to install Office 365 on the employee's machine, or add him to an enterprise account, or something like that.

After they finished, the requests to his calendar worked just fine :)
