Call SharePoint Online with same AAD token

I have a bot framework application which is able to call Graph API. There is an oauth authentication flow to login my user to bot application. I can query Graph API like following requests:

  • https://graph.microsoft.com/v1.0/me

  • https://graph.microsoft.com/v1.0/sites/xxxx.sharepoint.com:/sites/test:/lists/Test/items

I want to query SharePoint Online API with the same token that used to call Graph API. I gave necessary permissions in AAD application where located in Azure Portal. I wrote below code but I got a 401 Not Authorized exception from SPO API. How can I call SPO API with the same token?

using Microsoft.SharePoint.Client;

// _token is the access token obtained by the bot's OAuth flow (the one that works against Graph).
// TokenHelper is the helper class from the SharePoint add-in project template.
ClientContext context = TokenHelper.GetClientContextWithAccessToken("https://mytenant.sharepoint.com/sites/test/", _token);
List testList = context.Web.Lists.GetByTitle("Test");
CamlQuery query = CamlQuery.CreateAllItemsQuery(100);
ListItemCollection items = testList.GetItems(query);
context.Load(items);
context.ExecuteQuery(); // Fires 401 error

You can't and shouldn't use the access_token with Microsoft Graph as the audience to call SPO API.

Why:

In Azure AD access_token, it must contain "aud" claim.

  • It identifies the intended recipient of the token. In access tokens, the audience is resource app's Application ID or Identifier, assigned to your app in the Azure portal. The resource app should validate this value and reject the token if the value does not match.

  • So, in the first access_token, its audience should be Microsoft Graph API, not SPO API. When you tried to use access_token to call Microsoft Graph API, the "aud" claim should be validated. However, if you tried to use that access_token to call SPO API, the "aud" claim value won't be validated and SPO API will treat it as an invalid access_token and give "401 unauthorized" response.

See more details about access_token in Azure AD: https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens#validating-tokens

More information:

If you want to use SPO API, we need to use Office 365 Discovery service to find the correct service API endpoint first. However, this is not supported by Microsoft anymore, as newly created apps do not have access to O365 discovery endpoint due to deprecation.

Currently, we recommend you use Microsoft Graph API instead.
