Microsoft Graph API authentication without the CLI

Question

From an environment where the Azure CLI is not and cannot be installed, how can I get an Auth token from a Service Principal? So I can run queries like:

curl -X GET -H 'Authorization: Bearer <auth-token>' \
    https://graph.microsoft.com/beta/groups

With the CLI this is fairly simple. I have a tenant_id, an azure_client_id and an azure_client_secret:

az login --service-principal -u <az_client_id> -p <az_client_secret> --tenant <tenant_id>

and then run for example:

az rest --method get --url https://graph.microsoft.com/beta/groups

-- attempt 1

I do get an access token with request:

curl -X GET \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    -d 'grant_type=client_credentials&client_id=<azure-client-id>&resource=2ff814a6-3304-4ab8-85cb-cd0e6f879c1d&client_secret=<azure-client-secret>' \
    https://login.microsoftonline.com/<tenant-id>/oauth2/token

but it is apparently not valid for the Microsoft Graph API.

Answer 1

Score: 1

This works for me from the Windows Command Prompt:

curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=client_credentials&client_id={client_id}&client_secret={client_secret}&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default" https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token

Result:

{
  "token_type":"Bearer",
  "expires_in":3599,
  "ext_expires_in":3599,
  "access_token":"eyJ0...LUEQ"
}

You are missing scope=https://graph.microsoft.com/.default, the request URL should be https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token and the method should be POST.

I used double quotes instead of single quotes for the header and body parameters.

Resources:

Get access without user

Answer 2

Score: 0

I agree with @user2250152, you are using the wrong resource value to generate the access token.

You can just change the value of the resource parameter to https://graph.microsoft.com while generating the access token like below:

curl -X GET \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    -d 'grant_type=client_credentials&client_id=<azure-client-id>&resource=https://graph.microsoft.com&client_secret=<azure-client-secret>' \
    https://login.microsoftonline.com/<tenant-id>/oauth2/token

When I ran the same in Postman, I got an access token with Microsoft Graph as resource like below:

[Image: Microsoft Graph API authentication without the CLI]

Now, use the curl command below to run a Graph query by including the above access token like this:

curl -X GET -H 'Authorization: Bearer <auth-token>' \
    https://graph.microsoft.com/beta/groups

When I ran the same query in Postman, I got groups successfully like below:

GET https://graph.microsoft.com/beta/groups
Authorization: Bearer <auth-token>

Response:

[Image: Microsoft Graph API authentication without the CLI]
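Both answers come down to the token's audience: a token issued for another resource is rejected by Graph. The following is an added example, not code from the original posts, that builds the v2.0 request from Answer 1 and checks the `aud` claim of a token before it is used. The environment variable names and helper names are assumptions, and the sample tokens are constructed and unsigned.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

# Audience values that identify Microsoft Graph: the resource URI and Graph's application ID.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, body) for the v2.0 client-credentials request from Answer 1."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return url, body

def token_audience(access_token):
    """Decode the JWT payload WITHOUT verifying the signature and return its 'aud' claim."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("aud")

def is_graph_token(access_token):
    """True when the token's audience is Microsoft Graph."""
    aud = token_audience(access_token)
    return isinstance(aud, str) and aud.rstrip("/").lower() in GRAPH_AUDIENCES

def constructed_token(aud):
    """Build an unsigned sample token (constructed, for offline demonstration only)."""
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f'{seg({"alg": "none"})}.{seg({"aud": aud})}.sig'

def fetch_graph_token():
    """POST the request; credentials come from the environment (assumed variable names)."""
    url, body = build_token_request(os.environ["AZURE_TENANT_ID"],
                                    os.environ["AZURE_CLIENT_ID"],
                                    os.environ["AZURE_CLIENT_SECRET"])
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        token = json.load(resp)["access_token"]
    if not is_graph_token(token):
        raise RuntimeError(f"unexpected audience: {token_audience(token)!r}")
    return token
```

The `aud` check is a caller-side diagnostic only; the API that receives the token still validates its signature. Reading the secret from the environment keeps it out of shell history and the process list, where a `-d` argument to curl would be visible.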


huangapple
  • Posted on April 19, 2023, 18:07:51
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76053248.html