
Cannot access OneDrive storage inter-tenant

I am trying to create an application with which a user in another company/tenant could access his/her OneDrive storage, but it failed. I would really appreciate it if anyone could tell me which steps I got wrong.

(I had searched the posts and it seems the same issue has not been reported here.)

Details as below: the user (user01@company.com), who is in Tenant X, wants to use the service/system (which is developed by Tenant Y) to access the files in his/her OneDrive storage.

1.) Tenant Y already has the Azure service and has subscribed to the Office 365 service (as the OneDrive API needs an SPO license).

2.) With AAD in Tenant Y, I added the user's email (user01@company.com) to the Active Directory (AAD) as a guest user, and the user received the notification email and accepted it.

3.) With AAD in Tenant Y, I registered a new application, selected the Accounts in any organizational directory option from the Supported account types section, and set up the redirect URI.

4.) Added the delegated API permissions for the Graph API (such as Files.ReadWrite and Files.ReadWriteAll), and approved the newly added permission request.

5.) Created a new client secret for the application.

6.) With the tenant ID, client ID and client secret of the application, I could now start the OAuth2 authentication flow for the user (user01@company.com). And finally, I got the access token for this user.

7.) With the access token, there is no problem getting the user's profile: https://graph.microsoft.com/v1.0/me

8.) It complains with a 401 Unauthorized error for this request: https://graph.microsoft.com/v1.0/me/drive (By the way, the same request is no problem for a user in the same Tenant Y.)

Response as follows:

HTTP/1.1 401 Unauthorized
Cache-Control: private
Content-Type: application/json
request-id: ffef8bc9-11e7-4d07-9df3-e3cee81ef7b2
client-request-id: ffef8bc9-11e7-4d07-9df3-e3cee81ef7b2
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"East Asia","Slice":"SliceC","Ring":"4","ScaleUnit":"002","RoleInstance":"AGSFE_IN_19"}}
Strict-Transport-Security: max-age=31536000
Date: Wed, 24 Jun 2020 07:13:00 GMT
Content-Length: 249
 
{
  "error": {
    "code": "accessDenied",
    "message": "There has been an error authenticating the request.",
    "innerError": {
      "date": "2020-06-24T07:13:01",
      "request-id": "ffef8bc9-11e7-4d07-9df3-e3cee81ef7b2"
    }
  }
}
edited: 07/02 ---------------------------------------

Appended the request to get the access token:

1.) Use this GET request to get the authorization code: https://login.microsoftonline.com/{tenant-id-of-TenantY}/oauth2/v2.0/authorize?client_id={client-id}&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%2Fpersonal%2Ftoken&response_mode=query&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2F.default&prompt=consent&state=13570

2.) user01@company.com signs in and approves the auth request, and the local HTTP server gets the auth code.

3.) Send a POST request to https://login.microsoftonline.com/{tenant-id-of-TenantY}/oauth2/v2.0/token with the request parameters in the body to get the access token, as in the linked image (screenshot of the POST request).

4.) Use the resulting access token to send the target Graph API request. The result is as in this image (result of the /me/drive API).

Adding user01@company.com as a guest user in Tenant Y is unnecessary. Just make sure that it has an SPO license in Tenant X.

And before you call the Microsoft Graph API for the user, construct the URL for granting tenant-wide admin consent to it. See the reference here.

https://login.microsoftonline.com/{tenant-id of Tenant X}/adminconsent?client_id={client-id of the Azure AD app in Tenant Y}

Log in with an admin in Tenant X to do the admin consent for Tenant X. After that you could access OneDrive storage for the user in Tenant X.

Please note that you should call the /authorize and /token endpoints for Tenant X.

https://login.microsoftonline.com/{tenant-id-of-TenantX}/oauth2/v2.0/authorize?client_id={client-id}&......

AND

POST https://login.microsoftonline.com/{tenant-id-of-TenantX}/oauth2/v2.0/token
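As an added example (not code from the question or the answer), the flow the answer describes, written in Python: build the admin-consent URL for Tenant X, run the authorization-code request against Tenant X's /authorize and /token endpoints (the question's step list above hit Tenant Y's), validate the returned state, and inspect the access token's tid claim before calling Graph. The tenant and client IDs, redirect URI, client secret and sample token are constructed placeholders, and the PKCE pair is added hardening the original request did not use. Nothing here touches the network.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's well-known application ID
SCOPES = ["openid", "offline_access", "https://graph.microsoft.com/.default"]

# Constructed placeholders for the demo (assumptions, not real identifiers).
TENANT_X = "11111111-1111-1111-1111-111111111111"  # the user's home tenant
TENANT_Y = "22222222-2222-2222-2222-222222222222"  # the tenant that owns the app registration
CLIENT_ID = "33333333-3333-3333-3333-333333333333"
REDIRECT_URI = "http://localhost/personal/token"


def _b64url(data: bytes) -> str:
    """base64url without padding, as JWTs and PKCE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def admin_consent_url(home_tenant: str, client_id: str) -> str:
    """Tenant-wide admin consent URL; an admin of the *user's* tenant opens it once."""
    return f"{AUTHORITY}/{home_tenant}/adminconsent?" + urlencode({"client_id": client_id})


def pkce_pair():
    """(code_verifier, S256 code_challenge). PKCE is extra hardening the original
    flow did not use; it is optional for a confidential client that has a secret."""
    verifier = secrets.token_urlsafe(48)
    return verifier, _b64url(hashlib.sha256(verifier.encode()).digest())


def authorize_url(home_tenant, client_id, redirect_uri, state, code_challenge):
    """Step 1 of the code flow, addressed to the user's home tenant (Tenant X)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(SCOPES),
        "state": state,  # bound to the browser session; checked when the redirect comes back
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/{home_tenant}/oauth2/v2.0/authorize?" + urlencode(params)


def parse_redirect(redirect_url: str, expected_state: str) -> str:
    """Step 2: pull the code out of the redirect, refusing a wrong state or an error."""
    query = parse_qs(urlsplit(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this session")
    if "error" in query:
        raise RuntimeError(f"{query['error'][0]}: {query.get('error_description', [''])[0]}")
    return query["code"][0]


def token_request(home_tenant, client_id, client_secret, code, redirect_uri, code_verifier):
    """Step 3: URL and form body for the /token call (send with any HTTP client)."""
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": " ".join(SCOPES),
        "code_verifier": code_verifier,
    }
    return f"{AUTHORITY}/{home_tenant}/oauth2/v2.0/token", body


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature: for local diagnosis
    only, never for an authorization decision."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def token_is_for_tenant(token: str, expected_tenant: str) -> bool:
    """Before calling Graph, confirm the token was minted by the tenant you meant
    and is addressed to Graph; a tid of Tenant Y here reproduces the question's setup."""
    claims = jwt_claims(token)
    return claims.get("tid") == expected_tenant and claims.get("aud") in (
        GRAPH_APP_ID, "https://graph.microsoft.com")


def make_sample_token(tid: str) -> str:
    """Constructed, unsigned sample token so the check can be exercised offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({
        "aud": GRAPH_APP_ID, "tid": tid, "upn": "user01@company.com",
        "scp": "Files.ReadWrite.All User.Read"}).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    verifier, challenge = pkce_pair()
    print("admin consent:", admin_consent_url(TENANT_X, CLIENT_ID))
    print("authorize    :", authorize_url(TENANT_X, CLIENT_ID, REDIRECT_URI, state, challenge))
    code = parse_redirect(f"{REDIRECT_URI}?code=AUTHCODE&state={state}", state)
    print("token POST   :", token_request(TENANT_X, CLIENT_ID, "<secret>", code, REDIRECT_URI, verifier)[0])
    # The question's flow used Tenant Y's endpoints, so the guest's token carried Tenant Y's tid.
    print("wrong tenant :", token_is_for_tenant(make_sample_token(TENANT_Y), TENANT_X))  # False
    print("home tenant  :", token_is_for_tenant(make_sample_token(TENANT_X), TENANT_X))  # True
```

The tid check is a debugging aid for the situation in the question: if the token you are about to send to /me/drive carries the app owner's tenant ID rather than the user's home tenant, the request was started at the wrong /authorize endpoint, and switching both endpoints to Tenant X (after the one-time admin consent there) is the fix the answer describes.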

Declaration: the technical posts on this site follow the CC BY-SA 4.0 license. If you need to repost, please cite this site's URL or the original address. For any questions, contact: yoyou2525@163.com.
