使用访问令牌的另一个用户 onedrive 文件
Another user onedrive files using access token
I'm userX. I need to access userY onedrive files from api and upload files.
When I send request for user token to https://login.microsoftonline.com/tenant/oauth2/token I got it.
POST token Request:
url: https://login.microsoftonline.com/tenant/oauth2/token
grant_type: password
username: userY
password: ***(my password)***
resource: ***(my resource)***
client_id: ***(my client id)***
client_secret: ***(my client secret)***
Response:
"token_type": "Bearer",
"scope": "AllSites.FullControl AllSites.Manage AllSites.Read AllSites.Write Calendars.Read Calendars.Read.Shared Calendars.ReadWrite Calendars.ReadWrite.Shared Contacts.Read Contacts.Read.Shared Contacts.ReadWrite Contacts.ReadWrite.Shared Directory.AccessAsUser.All Directory.Read.All Directory.ReadWrite.All email Files.Read Files.Read.All Files.Read.Selected Files.ReadWrite Files.ReadWrite.All Files.ReadWrite.AppFolder Files.ReadWrite.Selected Group.Read.All Group.ReadWrite.All IdentityRiskEvent.Read.All Mail.Read Mail.Read.Shared Mail.ReadWrite Mail.ReadWrite.Shared Mail.Send Mail.Send.Shared MailboxSettings.ReadWrite Member.Read.Hidden MyFiles.Read MyFiles.Write Notes.Create Notes.Read Notes.Read.All Notes.ReadWrite Notes.ReadWrite.All Notes.ReadWrite.CreatedByApp offline_access openid People.Read profile Reports.Read.All Sites.Read.All Sites.ReadWrite.All Sites.Search.All Tasks.Read Tasks.Read.Shared Tasks.ReadWrite Tasks.ReadWrite.Shared TermStore.Read.All TermStore.ReadWrite.All User.Read User.Read.All User.ReadBasic.All User.ReadWrite User.ReadWrite.All",
"expires_in": "3599",
"ext_expires_in": "0",
"expires_on": "1485157695",
"not_before": "1485153795",
"resource": ***(my resource)***
"access_token": "***here is my access token***"
"refresh_token": "***here is my refresh token***"
I try to use this token:
First example (is not appropriate: Kevin explained below):
GET Request
url: https://api.office.com/discovery/v2.0/me/services
Header Authorization: Bearer ***here is my access token***
Response:
{
"error": {
"code": "-2147024891, System.UnauthorizedAccessException",
"message": "Access denied. You do not have permission to perform this action or access this resource."
}
}
Second example:
GET Request
url: http://tenant.sharepoint.com/_api/search/query?querytext='*'
Header Authorization: Bearer ***here is my access token***
Response:
{"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."}
Third example:
POST Request:
url: https://tenant-my.sharepoint.com/_api/v2.0
Header Authorization: Bearer ***here is my access token***
Response:
{"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."}
The question is: why I can't use my access token? What I'm doing wrong?
Thanks
您的第一个示例是对发现服务的请求,如果您还不知道资源 ID,该服务通常用于发现资源 ID。此请求将需要使用 resourceId == 发现服务 URL 获取的令牌。从发现服务获得正确的资源 ID 后,您可以使用新的 resourceId 请求新的访问令牌。
"The question is: why I can't use my refresh token? What I'm doing wrong?":
刷新令牌不是进行 API 调用的有效令牌,为此您需要 access_token。刷新令牌用于在到期时获取新的访问令牌。
Solved!
The problem with my requests is "resource: ***(my resource)***".
If I want to access to resource I can't use app id or client id (in my case those two were the same).
Which resource I want - I need token for it. I should read from response for https://api.office.com/discovery/v2.0/me/services list of available resources
So
1. POST https://login.microsoftonline.com/tenant/oauth2/token with resource "https://api.office.com/discovery/"
2. GET https://api.office.com/discovery/v2.0/me/services with refresh_token from point 1
3. POST https://login.microsoftonline.com/tenant/oauth2/token with resource "https://tenant-my.sharepoint.com/" in my case
4. And use refresh token from point 3 e.g. GET https://tenant-my.sharepoint.com/_api/v2.0/me/drive/special/documents
I'm userX. I need to access userY onedrive files from api and upload files.
When I send request for user token to https://login.microsoftonline.com/tenant/oauth2/token I got it.
POST token Request:
url: https://login.microsoftonline.com/tenant/oauth2/token
grant_type: password
username: userY
password: ***(my password)***
resource: ***(my resource)***
client_id: ***(my client id)***
client_secret: ***(my client secret)***
Response:
"token_type": "Bearer",
"scope": "AllSites.FullControl AllSites.Manage AllSites.Read AllSites.Write Calendars.Read Calendars.Read.Shared Calendars.ReadWrite Calendars.ReadWrite.Shared Contacts.Read Contacts.Read.Shared Contacts.ReadWrite Contacts.ReadWrite.Shared Directory.AccessAsUser.All Directory.Read.All Directory.ReadWrite.All email Files.Read Files.Read.All Files.Read.Selected Files.ReadWrite Files.ReadWrite.All Files.ReadWrite.AppFolder Files.ReadWrite.Selected Group.Read.All Group.ReadWrite.All IdentityRiskEvent.Read.All Mail.Read Mail.Read.Shared Mail.ReadWrite Mail.ReadWrite.Shared Mail.Send Mail.Send.Shared MailboxSettings.ReadWrite Member.Read.Hidden MyFiles.Read MyFiles.Write Notes.Create Notes.Read Notes.Read.All Notes.ReadWrite Notes.ReadWrite.All Notes.ReadWrite.CreatedByApp offline_access openid People.Read profile Reports.Read.All Sites.Read.All Sites.ReadWrite.All Sites.Search.All Tasks.Read Tasks.Read.Shared Tasks.ReadWrite Tasks.ReadWrite.Shared TermStore.Read.All TermStore.ReadWrite.All User.Read User.Read.All User.ReadBasic.All User.ReadWrite User.ReadWrite.All",
"expires_in": "3599",
"ext_expires_in": "0",
"expires_on": "1485157695",
"not_before": "1485153795",
"resource": ***(my resource)***
"access_token": "***here is my access token***"
"refresh_token": "***here is my refresh token***"
I try to use this token:
First example (is not appropriate: Kevin explained below):
GET Request
url: https://api.office.com/discovery/v2.0/me/services
Header Authorization: Bearer ***here is my access token***
Response:
{
"error": {
"code": "-2147024891, System.UnauthorizedAccessException",
"message": "Access denied. You do not have permission to perform this action or access this resource."
}
}
Second example:
GET Request
url: http://tenant.sharepoint.com/_api/search/query?querytext='*'
Header Authorization: Bearer ***here is my access token***
Response:
{"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."}
Third example:
POST Request:
url: https://tenant-my.sharepoint.com/_api/v2.0
Header Authorization: Bearer ***here is my access token***
Response:
{"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."}
The question is: why I can't use my access token? What I'm doing wrong?
Thanks
您的第一个示例是对发现服务的请求,如果您还不知道资源 ID,该服务通常用于发现资源 ID。此请求将需要使用 resourceId == 发现服务 URL 获取的令牌。从发现服务获得正确的资源 ID 后,您可以使用新的 resourceId 请求新的访问令牌。
"The question is: why I can't use my refresh token? What I'm doing wrong?": 刷新令牌不是进行 API 调用的有效令牌,为此您需要 access_token。刷新令牌用于在到期时获取新的访问令牌。
Solved! The problem with my requests is "resource: ***(my resource)***". If I want to access to resource I can't use app id or client id (in my case those two were the same). Which resource I want - I need token for it. I should read from response for https://api.office.com/discovery/v2.0/me/services list of available resources So 1. POST https://login.microsoftonline.com/tenant/oauth2/token with resource "https://api.office.com/discovery/" 2. GET https://api.office.com/discovery/v2.0/me/services with refresh_token from point 1 3. POST https://login.microsoftonline.com/tenant/oauth2/token with resource "https://tenant-my.sharepoint.com/" in my case 4. And use refresh token from point 3 e.g. GET https://tenant-my.sharepoint.com/_api/v2.0/me/drive/special/documents