问题
We've implemented Authentication in a .Net Core 2.0 app using Microsoft Graph to authenticate against Azure AD.
That works fine and we were aiming to use Microsoft Graph for accessing Office 365 data.
Unfortunately, on deeper review, we've found that Tasks are currently unsupported via Microsoft Graph and must be instead accessed via the Outlook REST API.
Important: APIs under the /beta version in Microsoft Graph are in preview and are subject to change. Use of these APIs in production applications is not supported.
I tried passing the Bearer Token retrieved via Microsoft Graph in the Outlook REST API headers but I get back an invalid token error.
I'm hoping that I'm simply doing something wrong and this is a valid approach.
Since MS Graph is the "unified" replacement for the Outlook REST API and others, can a Microsoft Graph token be used to access the Outlook REST API?
回答1:
Yes, this is correct behavior. Tokens are only valid for a particular "audience", which is indicated by the aud claim inside the token.
If you obtained a token for the Microsoft Graph API, then the aud parameter would be set to https://graph.microsoft.com. This doesn't match the Office 365 API endpoint (https://outlook.office.com or https://outlook.office365.com), so the token validation fails. You have two options here.
- Use the tasks APIs in Graph even though they are in beta.
- Make sure that you obtain a refresh token when you request your Graph token (by including the
offline_accessscope in your auth/token requests). Then use that refresh token to obtain a second token with the proper audience.
You can use the refresh token to request an Office 365 API-compatible token by qualifying your scopes in the refresh request. For example, if you requested a Graph token with Tasks.Read, you would qualify Tasks.Read in your refresh request as https://outlook.office.com/Tasks.Read.
回答2:
Just want to share how you can exchange Graph RefreshToken to a Outlook AccessToken using postman. (You can do this in whatever code language you wish)
First lets show how you use a RefreshToken to get a new Graph AccessToken:
Then use the Graph RefreshToken to get the new Outlook AccessToken:
Hope this might help some other people :)
来源:https://stackoverflow.com/questions/48525716/can-an-ms-graph-bearer-token-be-used-to-access-the-office-rest-api