To get refreshtoken, accesstoken in Microsoft Graph API
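I am trying to generate credentials (AccessToken, RefreshToken) in the Microsoft Graph API. Following this Documentation, I generated the AccessToken successfully. But I am struggling to get the refresh token.
Steps:
App registration is done in Azure Active Directory.
Client Secret was also obtained
API permission list
According to this Documentation, I followed the rest of the steps to generate credentials.
- The authorization request mentioned below was pasted into the Google URL and the code value was obtained.
Request: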
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
?client_id=14edf196-xxxxxx
&response_type=code
&redirect_uri=https://oauth.pstmn.io/v1/browser-callback
&response_mode=query
&scope=offline_access%20Mail.Read%20Mail.ReadBasic%20Mail.ReadWrite%20Mail.Read.Shared%20Mail.ReadWrite.Shared%20Mail.Send%20Mail.Send.Shared%20MailboxSettings.Read%20MailboxSettings.ReadWrite%20IMAP.AccessAsUser.All%20POP.AccessAsUser.All%20SMTP.Send%20Files.Read%20Files.Read.All%20Files.ReadWrite%20Files.ReadWrite.All%20Files.ReadWrite.AppFolder%20Files.Read.Selected%20Files.ReadWrite.Selected%20User.Read%20User.ReadWrite%20User.ReadBasic.All%20User.Read.All%20User.ReadWrite.All%20User.Invite.All%20User.Export.All%20User.ManageIdentities.All
&state=12345
Code value:
0.ASUAYH3m5fSttECIPDUdwv7vTpbx7RSNwIhCtEISG2GkwQwlAMQ.AQABAAIAAADxxxxxxxxxxxxxxxxx
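The next step is to get the AccessToken; for this POST request made in Postman, it gives the AccessToken in the Response
Note: When I remove the scope from the above request, the access token is received; otherwise I get an error response such as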
"error: invalid_grant Description:AADSTS70008: The provided authorization code or refresh token has expired due to inactivity. Send a new interactive authorization request for this user and resource.\r\nTrace ID: 98e82735-4764-496a-881b-9b78faf3f000\r\nCorrelation ID: 3d4a78b2-5a26-47af-ae14-cbb82c12a9ae\r\nTimestamp: 2021-06-14 12:57:01Z"
According to OAuth2.0, I hope the scope does not need to be passed when generating the accesstoken.
Response:
{
"token_type": "Bearer",
"scope": "email openid profile https://graph.microsoft.com/Files.Read https://graph.microsoft.com/Files.Read.All https://graph.microsoft.com/Files.Read.Selected https://graph.microsoft.com/Files.ReadWrite https://graph.microsoft.com/Files.ReadWrite.All https://graph.microsoft.com/Files.ReadWrite.AppFolder https://graph.microsoft.com/Files.ReadWrite.Selected https://graph.microsoft.com/IMAP.AccessAsUser.All https://graph.microsoft.com/Mail.Read https://graph.microsoft.com/Mail.Read.Shared https://graph.microsoft.com/Mail.ReadBasic https://graph.microsoft.com/Mail.ReadWrite https://graph.microsoft.com/Mail.ReadWrite.Shared https://graph.microsoft.com/Mail.Send https://graph.microsoft.com/Mail.Send.Shared https://graph.microsoft.com/MailboxSettings.Read https://graph.microsoft.com/MailboxSettings.ReadWrite https://graph.microsoft.com/POP.AccessAsUser.All https://graph.microsoft.com/SMTP.Send https://graph.microsoft.com/User.Export.All https://graph.microsoft.com/User.Invite.All https://graph.microsoft.com/User.ManageIdentities.All https://graph.microsoft.com/User.Read https://graph.microsoft.com/User.Read.All https://graph.microsoft.com/User.ReadBasic.All https://graph.microsoft.com/User.ReadWrite https://graph.microsoft.com/User.ReadWrite.All",
"expires_in": 3599,
"ext_expires_in": 3599,
"access_token": "eyJ0eXAiOiJKV1QiLCJubxxxxxxxxxxxxx"
}
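If you look at the above JSON response from Postman, the refresh token is missing.
This refresh token is required to integrate MS Outlook operations into WSO2 EI as per this
Please help me get this. Or which step did I miss?
I created another application and gave it a limited set of scopes, such as email Mail.Read User.Read profile openid, which were passed to the authorization and token endpoints. Now I can get the access token, refresh token, and ID token in the response.
Response: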
{
"token_type": "Bearer",
"scope": "email Mail.Read User.Read profile openid",
"expires_in": 3599,
"ext_expires_in": 3599,
"access_token": "eyJ0eXAiOiJKV1QiLCJub25jZSI6ImZWTnhDbVBlZkRMd3g3eG5PbDZxNE5jWkNCV3lETGZJR3FoamU5QktGMDQiLCJhbGciOiJSUzI1NiIsIxxxx",
"refresh_token": "0.AXEAYH3m5fSttECIPDUdwv7vThdQk6TogBNEp2J4CzLY-WhxANs.AgABAAAAAAD--DLA3VO7QrddgJg7Wevxxxxx",
"id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCHJPRFhFS9.eyJhdWQiOiJhNDkzxxxxxxx"
}
Please use the scope - 'https://graph.microsoft.com/.default offline_access'
Thanks!
offline_access was not always added until we explicitly added offline_access to the scope. After that it gave us a refresh token.
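The fix the answers above converge on (a short scope list with offline_access requested explicitly, sent to both endpoints) can be checked offline; the following is an added example, not code from any of the posts. The function names are hypothetical, all inputs are constructed, and it also uses a random `state` value rather than a fixed one.

```python
# Added example: builds requests and reviews a response; it never contacts Microsoft.
import secrets
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com/common/oauth2/v2.0"
GRAPH = "https://graph.microsoft.com/"

def with_offline_access(scopes):
    """Return the scope list with offline_access present exactly once."""
    out = list(dict.fromkeys(scopes))  # de-duplicate, keep order
    if "offline_access" not in out:
        out.append("offline_access")
    return out

def build_authorize_url(client_id, redirect_uri, scopes, state=None):
    """Authorization request; state is random unless the caller supplies one."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(with_offline_access(scopes)),
        "state": state or secrets.token_urlsafe(16),
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}"

def build_token_form(client_id, client_secret, code, redirect_uri, scopes):
    """Form fields for POST {AUTHORITY}/token, reusing redirect_uri and scopes."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": " ".join(with_offline_access(scopes)),
    }

def review_token_response(resp, needed):
    """List problems: no refresh_token, or granted scopes beyond what is needed."""
    granted = {s[len(GRAPH):] if s.startswith(GRAPH) else s
               for s in resp.get("scope", "").split()}
    allowed = set(needed) | {"openid", "profile", "email", "offline_access"}
    findings = []
    if "refresh_token" not in resp:
        findings.append("no refresh_token; confirm offline_access was requested")
    extra = sorted(granted - allowed)
    if extra:
        findings.append("broader than needed: " + " ".join(extra))
    return findings
```

Run against the two JSON responses quoted in the question, `review_token_response` reports the missing refresh token and the `.All` scopes for the first and nothing for the second.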