Accessing Microsoft Graph API without using login page

闹比i 2020-12-10 11:44

I would like to access a user's one drive to upload a document or retrieve a document using Graph API. I've seen multiple examples over the net which require using the st

4 Answers
  • 2020-12-10 11:59

    I've found the documentation is not helpful, especially in terms of trying to access the Graph API in the application context. But, I managed to get the access token in the context of the application here:

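    // Requires the ADAL package (namespace Microsoft.IdentityModel.Clients.ActiveDirectory)
    // and System.Threading.Tasks.
    // Client-credentials flow: the returned token represents the application, not a user.
    private static async Task<string> AcquireToken()
    {
        var tenant = "yourtenant.onmicrosoft.com";
        var resource = "https://graph.microsoft.com/";
        var instance = "https://login.microsoftonline.com/";
        var clientID = "YourappID";
        var secret = "YourAppSecret"; // placeholder; keep the real secret out of source code
        var authority = $"{instance}{tenant}";
        var authContext = new AuthenticationContext(authority);
        var credentials = new ClientCredential(clientID, secret);
        // No user interaction: the app authenticates with its own ID and secret.
        var authResult = await authContext.AcquireTokenAsync(resource, credentials);
        return authResult.AccessToken;
    }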
    
  • 2020-12-10 12:06

    Although this is possible, it's strongly recommended not to do this for individual user access. The Microsoft Graph only supports OAuth 2.0 as its authZ protocol, and we recommend that you use the flows within OAuth where the trusted authority is the one to directly handle login credentials. Allowing application code to provide the forms UI for login credentials would open up the attack vector where your app would have direct access to the user's O365 password, which is not a secure approach.

  • 2020-12-10 12:10

    Yes, this is possible. Essentially you grant the application access to the Graph API instead of a user.

    The documentation for such access is here:

    https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service

    You'll still need to request a bearer token to send with all your REST requests, but the bearer token will be for the application itself and not a user.

    I set this up for one of my applications using the Graph SDK for .NET, so if you need specific examples for Graph SDK for .NET let me know.

  • 2020-12-10 12:12

    Yes, it is possible if you have the right information - all you need to do is to get a delegated access token.

    Explanation:

    When dealing with access to resources, Microsoft Graph has two levels of access token requirements:

    • Most methods support Application-only tokens, meaning once an OAuth app has consent it can access the resource whenever it wants.
    • But for some methods, it is not enough (they are too sensitive for an automated process) and they require a Delegated token, meaning a token which contains both a valid Client and User. You can see in each method's documentation which token it requires.

    Normally delegated access tokens are the result of the two major OAuth flows which require user interaction (Authorization Code Grant and Implicit Grant), but you can also get them from two other flows: Resource Owner Credentials Grant and On-Behalf-Of Grant, which are both supported by Microsoft.

    For a full guide on how to set up everything you need in order to use those flows (including Postman examples) you can look at my article:

    Getting Access Token for Microsoft Graph Using OAuth REST API

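The difference between the application-only and delegated tokens described in the answers shows up in the token's claims: Azure AD puts application permissions in `roles` and delegated permissions in `scp`. The following is an added example, not code from any of the answers, that decodes a token for inspection only (the signature is not verified) and reports which kind it is; the function names and the two sample tokens are constructed for illustration.

```python
import base64
import json


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. Inspection only: no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def classify(token: str) -> dict:
    """Report whether a token is delegated (user + app) or app-only."""
    claims = decode_claims(token)
    scopes = str(claims.get("scp", "")).split()  # delegated: space-separated string
    roles = list(claims.get("roles", []))        # app-only: JSON array
    kind = "delegated" if scopes else "app-only" if roles else "unknown"
    return {
        "kind": kind,
        "permissions": scopes or roles,
        "audience": claims.get("aud"),
        "app": claims.get("appid") or claims.get("azp"),  # v1.0 / v2.0 claim name
        "user": claims.get("upn"),                        # absent on app-only tokens
    }


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"typ": "JWT", "alg": "RS256"}), enc(claims), "constructed"])


# Constructed sample claims; the identifiers are placeholders, not real values.
APP_TOKEN = make_sample_token({"aud": "https://graph.microsoft.com",
                               "appid": "app-id-placeholder",
                               "roles": ["Files.ReadWrite.All"]})
USER_TOKEN = make_sample_token({"aud": "https://graph.microsoft.com",
                                "appid": "app-id-placeholder",
                                "upn": "user@example.com",
                                "scp": "Files.ReadWrite User.Read"})
```

Running `classify` on a token your own application obtained is a quick way to confirm which permissions consent actually granted before relying on them.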