问题
I am adding oAuth authentication support to daemon application. In case of IMAP, application logs on to every mailbox by specifying userID/password. Office365 oAuth access requires application registration and uses Clients Credential Grant flow. In this case, application authenticates with Azure AD once and accesses every mailbox using oAuth token. This authentication flow requires significant changes of existing code base. I would like to access mailbox in logically same way as IMAP (specify user credentials for every mailbox). Office365 supports that authentication flow but it uses system browser where interactive user gives consent to access mailbox. My daemon application runs as headless service with no access to system browser. How to logon to users mailbox with users credential?
回答1:
OAuth 2.0 Resource Owner Password Credentials (ROPC) grant allows an application to sign in the user by directly handling their password.
An authorization request sample for your reference:
// Line breaks and spaces are for legibility only. This is a public client, so no secret is required.
POST {tenant}/oauth2/v2.0/token
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=user.read%20openid%20profile%20offline_access
&username=MyUsername@myTenant.com
&password=SuperS3cret
&grant_type=password
Please note that there is a warning:
Microsoft recommends you do not use the ROPC flow. In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks which are not present in other flows. You should only use this flow when other more secure flows can't be used.
来源:https://stackoverflow.com/questions/61200589/how-to-log-on-to-user-mailbox-from-service-using-oauth-and-ms-graph-api