I am trying to access the Office 365 API, specifically the Exchange API.
I am trying to develop a server/daemon application to poll a shared inbox, so I am using OAuth 2.0 with the 'client_credentials' grant type. I have followed the steps to generate the application in Azure Active Directory; you can see from the screenshot the permissions the application has: http://gyazo.com/a2d614a690115f8a6b65de00f46b1599
Eventually I want to develop a Ruby application to extract the data, but first I am testing the response with cURL. Here is the OAuth token request:
curl -X POST https://login.windows.net/TENANT_KEY/oauth2/token \
-F redirect_uri=http://spreadyDaemon \
-F grant_type=client_credentials \
-F resource=https://outlook.office365.com/ \
-F client_id=XXXX \
-F client_secret=XXXX=
This returns a JWT token which, when decoded, looks like this:
Header
{
"x5t": "kriMPdmBvx68skT8-mPAB3BseeA",
"alg": "RS256",
"typ": "JWT"
}
Claims
{
"ver": "1.0",
"aud": "https://outlook.office365.com/",
"iss": "https://sts.windows.net/TENANT_KEY/",
"oid": "17fa33ae-a0e9-4292-96ea-24ce8f11df21",
"idp": "https://sts.windows.net/TENANT_KEY/",
"appidacr": "1",
"exp": 1415986833,
"appid": "XXXX",
"tid": "e625eb3f-ef77-4c02-8010-c591d78b6c5f",
"iat": 1415982933,
"nbf": 1415982933,
"sub": "17fa33ae-a0e9-4292-96ea-24ce8f11df21"
}
However, when I request anything from the Exchange API using that token, I get a 401 Unauthorized with the x-ms-diagnostics header set to:
x-ms-diagnostics: 2000001;reason="The token has invalid value 'roles' for the claim type ''.";error_category="invalid_token"
Here are the full headers:
HTTP/1.1 401 Unauthorized
Cache-Control: private
Server: Microsoft-IIS/8.0
request-id: d08d01a8-7213-4a13-a598-08362b4dfa70
Set-Cookie: ClientId=WDALDNO0CAIOOZDZWTA; expires=Sat, 14-Nov-2015 16:40:59 GMT; path=/; HttpOnly
X-CalculatedBETarget: am3pr01mb0662.eurprd01.prod.exchangelabs.com
x-ms-diagnostics: 2000001;reason="The token has invalid value 'roles' for the claim type ''.";error_category="invalid_token"
X-DiagInfo: AM3PR01MB0662
X-BEServer: AM3PR01MB0662
X-AspNet-Version: 4.0.30319
Set-Cookie: exchangecookie=6bf68da033684824af21af3b0cdea6e3; expires=Sat, 14-Nov-2015 16:40:59 GMT; path=/; HttpOnly
Set-Cookie: X-BackEndCookie2=OrganizationAnchor@Fitzdares.onmicrosoft.com=u56Lnp2ejJqBz82am8zJx8zSzcmey9LLyZrI0p6cmp3SycjLm8eazcjIy83IgbmWi4Wbno2ajNGQkZKWnI2QjJCZi9GckJKBzc/Oy9LOzdLOy6vOycXLz8XKxoGaio2PjZvPztGPjZCb0ZqHnJeekZiak56djNGckJI=; expires=Sun, 14-Dec-2014 16:40:59 GMT; path=/EWS; secure; HttpOnly
Set-Cookie: X-BackEndCookie=OrganizationAnchor@Fitzdares.onmicrosoft.com=u56Lnp2ejJqBz82am8zJx8zSzcmey9LLyZrI0p6cmp3SycjLm8eazcjIy83IgbmWi4Wbno2ajNGQkZKWnI2QjJCZi9GckJKBzc/Oy9LOzdLOy6vOycXLz8XKxg==; expires=Sun, 14-Dec-2014 16:40:59 GMT; path=/EWS; secure; HttpOnly
X-Powered-By: ASP.NET
X-FEServer: DB4PR02CA0026
WWW-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000@*", authorization_uri="https://login.windows.net/common/oauth2/authorize", error="invalid_token",Basic Realm="",Basic Realm=""
Date: Fri, 14 Nov 2014 16:40:59 GMT
Content-Length: 0
I am not sure whether I have misunderstood some of the documentation or missed a step. However, the JWT is missing any access scopes. I am not sure how to add specific permissions to the application manifest as described here: http://msdn.microsoft.com/en-us/office/office365/howto/application-manifest#AppManifest_ExchangeScopes
This is what the manifest looks like:
{
"allowActAsForAllClients": null,
"appId": "XXXX",
"appMetadata": {
"version": 0,
"data": []
},
"appRoles": [],
"availableToOtherTenants": false,
"displayName": "Fitzdares",
"errorUrl": null,
"groupMembershipClaims": null,
"homepage": "http://spreadyDaemon",
"identifierUris": [
"http://spreadyDaemon"
],
"keyCredentials": [],
"knownClientApplications": [],
"logoutUrl": null,
"oauth2AllowImplicitFlow": false,
"oauth2AllowUrlPathMatching": false,
"oauth2Permissions": [],
"oauth2RequirePostResponse": false,
"passwordCredentials": [
{
"customKeyIdentifier": null,
"endDate": "2016-11-14T16:30:45.0745603Z",
"keyId": "46cce171-ed65-4828-8af7-d02af950e44a",
"startDate": "2014-11-14T16:30:45.0745603Z",
"value": null
}
],
"publicClient": null,
"replyUrls": [
"http://spreadyDaemon"
],
"requiredResourceAccess": [
{
"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "3b5f3d61-589b-4a3c-a359-5dd4b5ee5bd5",
"type": "Scope"
},
{
"id": "185758ba-798d-4b72-9e54-429a413a2510",
"type": "Scope"
},
{
"id": "75767999-c7a8-481e-a6b4-19458e0b30a5",
"type": "Scope"
},
{
"id": "5eb43c10-865a-4259-960a-83946678f8dd",
"type": "Scope"
}
]
},
{
"resourceAppId": "00000002-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "5778995a-e1bf-45b8-affa-663a9f3f4d04",
"type": "Scope"
},
{
"id": "78c8a3c8-a07e-4b9e-af1b-b5ccab50a175",
"type": "Scope"
},
{
"id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
"type": "Scope"
}
]
}
],
"samlMetadataUrl": null,
"defaultPolicy": [],
"extensionProperties": [],
"objectType": "Application",
"objectId": "8af97a9f-74c7-499d-b29a-7fca6926d84e",
"deletionTimestamp": null,
"createdOnBehalfOf": null,
"createdObjects": [],
"manager": null,
"directReports": [],
"members": [],
"memberOf": [],
"owners": [],
"ownedObjects": []
}
Any help is greatly appreciated!
Answer 0 (score: 1)
Venkat,
I suspect the problem is in how you are requesting the token. You are using grant_type=client_credentials, which Exchange Online does not support (at least not yet). The only grant type Exchange supports is authorization_code. See Matthias's comment from 11/4 on this post:
http://blogs.msdn.com/b/exchangedev/archive/2014/03/25/using-oauth2-to-access-calendar-contact-and-mail-api-in-exchange-online-in-office-365.aspx
Jason
Answer 1 (score: -1)
Thanks for the detailed information! Your problem may be the same as the one discussed in this StackOverflow question; unchecking "Have full access to users' mailboxes" may fix the problem you are seeing.
Let us know if you have any questions or if you are still denied access even after removing this permission.
[Update]: Jason is right - we do not support the client credentials flow yet. However, we are very close to providing this capability. So please keep an eye on the blog over the next few weeks for the announcement that it is available, along with instructions on how to use it.
[Update]: Support for service accounts is now available. See our blog announcement for details.
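As an added example (not code from the question or the answers), a small Ruby diagnostic in the spirit of the asker's planned app: it decodes the token's header and claims and flags what the 401 points at, a missing roles claim, before the token is ever sent to Exchange. The signature is not verified here, and the sample token is constructed from the header and claims quoted above with a placeholder signature.

```ruby
require 'json'
# Added example, not code from the question or the answers: decode an Azure AD
# access token's header and claims WITHOUT verifying the signature, purely to
# inspect what the token grants before sending it to Exchange.
def b64url_decode(segment)
  s = segment.tr('-_', '+/')
  s += '=' * ((4 - s.length % 4) % 4) # restore the padding base64url strips
  s.unpack1('m')
end

def decode_jwt(token)
  header, payload, _signature = token.split('.')
  raise ArgumentError, 'a JWT has three dot-separated segments' if payload.nil?
  { header: JSON.parse(b64url_decode(header)), claims: JSON.parse(b64url_decode(payload)) }
end

# Checks an app-only (client_credentials) token against what the Exchange
# resource expects: matching audience, valid time window, and a non-empty
# 'roles' claim, where application permissions appear. Returns a list of
# problems; an empty list means the claims look usable.
def exchange_token_problems(claims, resource: 'https://outlook.office365.com/', now: Time.now.to_i)
  problems = []
  problems << "aud is #{claims['aud'].inspect}, expected #{resource}" unless claims['aud'] == resource
  problems << 'token expired' if claims['exp'].to_i <= now
  problems << 'token not yet valid (nbf in the future)' if claims['nbf'].to_i > now
  roles = claims['roles']
  problems << "no 'roles' claim: no application permissions were granted" if roles.nil? || roles.empty?
  problems
end

def encode_segment(obj)
  [JSON.generate(obj)].pack('m0').tr('+/', '-_').delete('=')
end

# Constructed sample token built from the header and claims quoted in the
# question; the signature segment is a placeholder and is never checked.
SAMPLE_HEADER = { 'x5t' => 'kriMPdmBvx68skT8-mPAB3BseeA', 'alg' => 'RS256', 'typ' => 'JWT' }
SAMPLE_CLAIMS = {
  'ver' => '1.0', 'aud' => 'https://outlook.office365.com/',
  'iss' => 'https://sts.windows.net/TENANT_KEY/', 'appidacr' => '1',
  'exp' => 1415986833, 'iat' => 1415982933, 'nbf' => 1415982933,
  'appid' => 'XXXX', 'tid' => 'e625eb3f-ef77-4c02-8010-c591d78b6c5f'
}
SAMPLE_TOKEN = "#{encode_segment(SAMPLE_HEADER)}.#{encode_segment(SAMPLE_CLAIMS)}.sig-placeholder"

if __FILE__ == $PROGRAM_NAME
  decoded = decode_jwt(SAMPLE_TOKEN)
  puts JSON.pretty_generate(decoded)
  exchange_token_problems(decoded[:claims], now: 1415982940).each { |p| puts "PROBLEM: #{p}" }
end
```

Run against the token from the question, the only problem reported is the missing roles claim, which matches the x-ms-diagnostics reason in the 401.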