Microsoft Graph:我是否可以(重新)使用 AAD 转发的用户 Bearer Token 以便对 Graph API 进行“委托”调用?
[英]Microsoft Graph: Can I (re)use the user's Bearer Token forwarded by AAD in order to make "delegated" calls to the Graph API?
问题描述
I have developed SharePoint (online) SPFx Webpart (using TypeScript/JavaScript) that calls the Azure Function. Upon calling the Azure Function, the AzureAD forwarded some headers, such as:
我开发了调用 Azure Function 的 SharePoint(在线)SPFx Webpart(使用 TypeScript/JavaScript)。调用 Azure Function 后,AzureAD 转发了一些标头,例如:
..
authorization: "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LSTNRO.........",
..
..
x-ms-client-principal: "eyJhdXRoX3R5cCI6ImFhZCIsImNsYWltcyI6W3sidHlwIjoiYXVkI..........",
x-ms-client-principal-id: "588301bd-048a-XXXX-XXXX-XXXX-XXXX",
x-ms-client-principal-idp: "aad",
x-ms-client-principal-name: "me@example.com",
..
So that I have access to those headers from the Azure Function App (point of view).这样我就可以从 Azure Function 应用程序访问这些标头(观点)。
Questions问题
What exactly is the above-mentioned
authorization (bearer)token for?上面提到的authorization (bearer)令牌到底是做什么用的?Is the above-mentioned
authorization (bearer)token a "delegated token"?上述authorization (bearer)令牌是“委托令牌”吗? Which would then be usable as the valid token of the "signed-in user" so that I'd be able to make "delegated" calls to Microsoft Graph.然后可以用作“登录用户”的有效令牌,以便我能够对 Microsoft Graph 进行“委托”调用。 Such as calling https://graph.microsoft.com/v1.0/me比如调用https://graph.microsoft.com/v1.0/meIf the q.2 answer is no, then which of those above-mentioned user tokens/principles (forwarded by AAD) can be used to make "delegated" calls to Microsoft Graph?
如果 q.2 的答案是否定的,那么上述哪些用户令牌/原则(由 AAD 转发)可用于对 Microsoft Graph 进行“委托”调用?If NONE of those AAD forwarded user tokens/principles can be used for "delegated" calls, does it mean that, the ONLY (ONLY) way to call Microsoft Graph API from the Azure Function is by "application permissions" approach?
如果这些 AAD 转发的用户令牌/原则中没有一个可用于“委托”调用,这是否意味着从 Azure Function 调用 Microsoft Graph API 的唯一(唯一)方法是通过“应用程序权限”方法?
Appreciate the helps on my confusions.感谢对我的困惑的帮助。
1 个解决方案
解决方案1
1 2023-01-20 10:32:23
Note that: The Bearer token can be used to call Microsoft Graph API if the token contains
audas Graph.audas Graph。
I agree with juunas , that the token you are passing is ID token and cannot be used to call API.我同意juunas的观点,您传递的令牌是 ID 令牌,不能用于调用 API。
To call Microsoft Graph API, you need to retrieve the access token generated and check if the aud and scp value.要调用 Microsoft Graph API,您需要检索生成的访问令牌并检查aud和scp值。
For sample I generated the access token and when decoded it the aud and scp value is like below:例如,我生成了访问令牌,解码后的aud和scp值如下所示:
By using the access token, I am able to get the signed-in user details successfully like below:通过使用访问令牌,我能够成功获取登录用户的详细信息,如下所示:
https://graph.microsoft.com/v1.0/me
To make delegated calls to Microsoft Graph API, make sure to retrieve access token and try.要对 Microsoft Graph API 进行委托调用,请确保检索访问令牌并尝试。
References:参考:
SPFx: Calling Microsoft Graph API from an AAD secured Azure Function on behalf of a user by Vardhaman Deshpande SPFx:从 AAD 调用 Microsoft Graph API 由 Vardhaman Deshpande 代表用户保护 Azure Function
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.