如何为Microsoft Graph刷新令牌

Question

我正在使用以下方法连接到Microsoft Graph：

public GraphServiceClient GetAuthenticatedClient(string token)
{
    GraphServiceClient graphClient = new GraphServiceClient(
        new DelegateAuthenticationProvider(
            async (requestMessage) =>
            {
                // Append the access token to the request.
                requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", token);
            }));
    return graphClient;
}

我正在服务器上运行此代码。我正在使用的令牌是由外部应用发送给我的。

在第一个小时中一切正常，然后令牌过期。

我的问题是：由于我也可以使用刷新令牌，因此如何获得新令牌？

Answer 1

启用刷新令牌需要两个步骤：

1. 您需要请求范围offline_access。这告诉端点在refresh_token和相关的元数据旁边提供access_token。

2. 您需要通过将相同的access_token重复到refresh_token来请求新的POST（和/common/oauth2/v2.0/token，它们的主体略有不同）- grant_type设置为refresh_token，而不是code，而是提供了refresh_token属性和值：

   https://login.microsoftonline.com/common/oauth2/v2.0/token
   Content-Type: application/x-www-form-urlencoded
   
   grant_type=refresh_token&
   refresh_token=[REFRESH TOKEN]&
   client_id=[APPLICATION ID]&
   client_secret=[PASSWORD]&
   scope=[SCOPE]&
   redirect_uri=[REDIRECT URI]
   

前一段时间，我写了一个节目primer on the v2 Endpoint，您可能也会觉得有帮助。

Answer 2

有一种方法可以执行此操作，但是仅建议从ADAL.NET 2.x到MSAL.NET 2.x的迁移方案中进行概述，此处概述： https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Adal-to-Msal

仅用于客户端凭据（不是身份验证代码）。

Answer 3

当我没有refreshToken时，这对我有帮助 https://docs.microsoft.com/en-gb/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow

POST /oauth2/v2.0/token HTTP/1.1 Host: login.microsoftonline.com 
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer  
&client_id=2846f71b-a7a4-4987-bab3-760f389 
&client_secret=BYyVnAt56JpLwUcyo47XODd 
&assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIs...pa970UvdVfQ 
&scope=https://graph.microsoft.com/user.read+offline_access 
&requested_token_use=on_behalf_of

样本响应：

{
    "token_type": "Bearer",
    "scope": "User.Read Mail.Read Mail.Send Calendars.Read",
    "expires_in": 3600,
    "ext_expires_in": 3600,
    "access_token": "EwCAA8l6BAAUO9chh8cJscQLmU+LSWpbnr0v...ZgNcrJkgI=",
    "refresh_token": "MCS3KUzqyCY6rQH*NXLSLQctqj47w...x3Oa4r"
}

Answer 4

下面的shell-scirpt为我工作，使用MS-Graph / Azure-AD的refresh_token更新access_token

# SCRIPT BEGINS FROM HERE #
echo "SCRIPT EXECUTION BEGINS"
echo " "
echo "Script to  request new access token and refresh token from refresh token of MS-Graph apis"
echo " "
echo "You can also follow this links for reference" 
echo "https://www.youtube.com/watch?v=FTULjLL-ZDI"   
echo "https://dzone.com/articles/getting-access-token-for-microsoft-graph-using-oau-1" 
echo " "
echo "If don't know your Azure-AD-Tenant-Name then just follow this below link to get it"
echo "https://helpdesk.kaseya.com/hc/en-gb/articles/115002521251-How-Do-I-Find-My-Azure-AD-Tenant-Name-"
echo " "
read -p "Enter your Tenant name : " tenant
echo "Tenant named your entered is: $tenant "

echo " "
read -p "Enter your client_id: " client_id
echo "Client_id you entered is: $client_id"

echo " "
read -p "Enter your client_secret: " client_secret
echo "Client_secret you entered is: $client_secret"

echo " "
read -p "Enter your redirect_uri (eg. http://localhost): " redirect_uri
echo "redirect_uri you entered is: $redirect_uri"

echo " "
echo "Enter the refresh_token value you haved copied from postman"
read -p "Enter your refresh token: " refresh_token
echo " "
echo "Refresh_token: " $refresh_token


authorization_endpoint=$(curl -s  "https://login.microsoftonline.com/${tenant}/v2.0/.well-known/openid-configuration" | jq -r '.authorization_endpoint')
token_endpoint=$(curl -s  "https://login.microsoftonline.com/${tenant}/v2.0/.well-known/openid-configuration" | jq -r '.token_endpoint')

echo " "
echo "Authorize endpoint of your tenant is"
echo "$authorization_endpoint"

echo " "
echo "Token endpoint of your tenant is"

echo "$token_endpoint"


#token=$(curl -H "Content-Type: application/application/x-www-form-urlencoded" -X POST "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"   --data-urlencode 'client_id=63bf591a-e1c' --data-urlencode 'client_secret=WUR-AH-7ML1fSHT_oH6HVVA8Jd' --data-urlencode 'redirect_uri=http://localhost'  --data-urlencode 'grant_type=refresh_token' --data-urlencode 'refresh_token=$refresh_token' --data-urlencode 'scope=https://graph.microsoft.com/.default' --data-urlencode 'tenant=$tenant' )

#token=$(curl -s -X POST "$token_endpoint" --header "Content-Type: application/x-www-form-urlencoded" --data-urlencode "client_id=45789-87a3-cbb1d1076b3b" --data-urlencode "client_secret=_oH6HVVA8Jd5p9OCa-S" --data-urlencode "redirect_uri=http://localhost" --data-urlencode "grant_type=refresh_token" --data-urlencode "refresh_token=$refresh_token" --data-urlencode "scope=openid profile offline_access  https://graph.microsoft.com" --data-urlencode "tenant=$tenant" | jq .access_token)

token=$(curl -s -X POST "$token_endpoint" --header "Content-Type: application/x-www-form-urlencoded" --data-urlencode "client_id=$client_id" --data-urlencode "client_secret=$client_secret" --data-urlencode "redirect_uri=$redirect_uri" --data-urlencode "grant_type=refresh_token" --data-urlencode "refresh_token=$refresh_token" --data-urlencode "scope=openid profile offline_access https://graph.microsoft.com/.default" --data-urlencode "tenant=$tenant" | jq .access_token)
echo " "
echo "Your renewed access token is:"
echo " "
echo "$token"
echo " "
echo "SCRIPT ENDS"

# SCRIPT ENDS HERE

Answer 5

构造此问题的正确方法是拥有外部应用程序，该应用程序为您提供了访问令牌，以便定期向您发送新的未过期的访问令牌。您应该能够使用该访问令牌对Microsoft Graph执行必要的操作。如果外部客户端应用程序正在发出服务请求，则应在您可能使用的每个请求中嵌入有效的未过期访问令牌。

不应将刷新令牌传递给其他应用程序。这样做会打开一个安全漏洞。理想情况下，您的外部应用程序应该停止发送刷新令牌。

另一个选择是将您的应用程序作为注册客户端添加到Microsoft Graph，然后直接对其进行身份验证。然后，您可以交换自己的刷新令牌，以在新令牌到期时获取新令牌。