scopes not working in microsoft graph API
Question
In my Laravel app, I am using https://github.com/dcblogdev/laravel-microsoft-graph package to Log in with M365. It was working fine till I changed the scopes in config/msgraph.php file. The default file is
<?php
return [
    /*
     * the clientId is set from the Microsoft portal to identify the application
     * https://apps.dev.microsoft.com
     */
    'clientId' => env('MSGRAPH_CLIENT_ID'),
    /*
     * set the application secret
     */
    'clientSecret' => env('MSGRAPH_SECRET_ID'),
    /*
     * Set the url to trigger the oauth process; this url should call return MsGraph::connect();
     */
    'redirectUri' => env('MSGRAPH_OAUTH_URL'),
    /*
     * set the url to be redirected to once the token has been saved
     */
    'msgraphLandingUri' => env('MSGRAPH_LANDING_URL'),
    /*
     * set the tenant authorize URL
     */
    'tenantUrlAuthorize' => env('MSGRAPH_TENANT_AUTHORIZE'),
    /*
     * set the tenant token URL
     */
    'tenantUrlAccessToken' => env('MSGRAPH_TENANT_TOKEN'),
    /*
     * set the authorize URL
     */
    'urlAuthorize' => 'https://login.microsoftonline.com/'.env('MSGRAPH_TENANT_ID', 'common').'/oauth2/v2.0/authorize',
    /*
     * set the token URL
     */
    'urlAccessToken' => 'https://login.microsoftonline.com/'.env('MSGRAPH_TENANT_ID', 'common').'/oauth2/v2.0/token',
    /*
     * set the scopes to be used; Microsoft Graph API will accept up to 20 scopes
     */
    'scopes' => 'offline_access openid calendars.readwrite contacts.readwrite files.readwrite mail.readwrite mail.send tasks.readwrite mailboxsettings.readwrite user.readwrite',
    /*
     * The default timezone is set to Europe/London; this option allows you to set your preferred timezone
     */
    'preferTimezone' => env('MSGRAPH_PREFER_TIMEZONE', 'outlook.timezone="Europe/London"'),
    /*
     * set the database connection
     */
    'dbConnection' => env('MSGRAPH_DB_CONNECTION', 'mysql'),
];
Where I have changed the scopes to
'scopes' => 'AuditLog.Read.All DeviceManagementConfiguration.Read.All DeviceManagementConfiguration.ReadWrite.All Directory.Read.All Directory.ReadWrite.All IdentityRiskyUser.Read.All Policy.Read.All RoleAssignmentSchedule.Read.Directory RoleAssignmentSchedule.ReadWrite.Directory RoleManagement.ReadWrite.Directory RoleManagement.Read.Directory RoleManagement.Read.All SecurityEvents.Read.All SecurityEvents.ReadWrite.All User.Read.All User.ReadWrite.All Exchange.ManageAsApp',
After changing the scopes, when I enter the proper mail and password it remains on the login page itself and does not go forward.
Answer 1
Score: 1
I think you have to add the openid scope.
'scopes' => 'openid AuditLog.Read.All DeviceManagementConfiguration.Read.All DeviceManagementConfiguration.ReadWrite.All Directory.Read.All Directory.ReadWrite.All IdentityRiskyUser.Read.All Policy.Read.All RoleAssignmentSchedule.Read.Directory RoleAssignmentSchedule.ReadWrite.Directory RoleManagement.ReadWrite.Directory RoleManagement.Read.Directory RoleManagement.Read.All SecurityEvents.Read.All SecurityEvents.ReadWrite.All User.Read.All User.ReadWrite.All Exchange.ManageAsApp',
openid represents the sign-in permission. The openid scope can be used at the Microsoft identity platform token endpoint to acquire ID tokens. The app can use these tokens for authentication.
You also removed the offline_access scope. It's up to you whether you add this scope or not, but with the offline_access scope your app can receive refresh tokens.
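As an added example (not code from the question, the answer, or the dcblogdev/laravel-microsoft-graph package), the following Python script applies the answer's reasoning as a check you can run before changing the config: it parses the space-separated scopes string, reports a missing openid (no ID token, so sign-in cannot complete) or offline_access (no refresh token), counts scopes against the 20-scope limit stated in the package's own config comment, flags tenant-wide scopes that a plain user sign-in cannot consent to, and builds the v2.0 /authorize request the config's urlAuthorize points at. The function names, finding codes, the admin-consent heuristic, and the small table of non-Graph scopes are this example's assumptions; the two scope strings are copied from the question.

```python
"""Lint the 'scopes' string from config/msgraph.php before it is sent to the
Microsoft identity platform v2.0 /authorize endpoint.

Added example for this page; it is not code from the question, the answer, or
the dcblogdev/laravel-microsoft-graph package. Function names, finding codes
and the classification tables below are this example's own assumptions.
"""
from urllib.parse import urlencode

# OpenID Connect scopes rather than Graph permissions: 'openid' requests an
# ID token (sign-in), 'offline_access' requests a refresh token.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}

# The package's config comment says Graph accepts up to 20 scopes.
MAX_SCOPES = 20

# Assumption of this example: scopes that are not Microsoft Graph scopes.
# Exchange.ManageAsApp is an application permission on the Office 365 Exchange
# Online API; a v2.0 request covers a single resource, so it cannot be mixed
# into a delegated sign-in request for Graph scopes.
NON_GRAPH_SCOPES = {
    "Exchange.ManageAsApp": "Office 365 Exchange Online (application permission)",
}

# Constructed inputs copied from the question: the package default and the change.
DEFAULT_SCOPES = (
    "offline_access openid calendars.readwrite contacts.readwrite "
    "files.readwrite mail.readwrite mail.send tasks.readwrite "
    "mailboxsettings.readwrite user.readwrite"
)
CHANGED_SCOPES = (
    "AuditLog.Read.All DeviceManagementConfiguration.Read.All "
    "DeviceManagementConfiguration.ReadWrite.All Directory.Read.All "
    "Directory.ReadWrite.All IdentityRiskyUser.Read.All Policy.Read.All "
    "RoleAssignmentSchedule.Read.Directory "
    "RoleAssignmentSchedule.ReadWrite.Directory "
    "RoleManagement.ReadWrite.Directory RoleManagement.Read.Directory "
    "RoleManagement.Read.All SecurityEvents.Read.All "
    "SecurityEvents.ReadWrite.All User.Read.All User.ReadWrite.All "
    "Exchange.ManageAsApp"
)


def parse_scopes(scope_string: str) -> list[str]:
    """Split the space-separated scope string, dropping blanks and duplicates."""
    scopes: list[str] = []
    for s in scope_string.split():
        if s not in scopes:
            scopes.append(s)
    return scopes


def needs_admin_consent(scope: str) -> bool:
    """Heuristic (assumption): tenant-wide Graph scopes end in '.All' or
    '.Directory' and need admin consent; a plain user sign-in cannot grant them."""
    return scope.endswith((".All", ".Directory"))


def lint_scopes(scope_string: str) -> list[tuple[str, str]]:
    """Return (code, message) findings; an empty list means nothing to fix."""
    scopes = parse_scopes(scope_string)
    findings: list[tuple[str, str]] = []
    if "openid" not in scopes:
        findings.append(("missing-openid",
                         "no ID token is issued, so the sign-in never completes"))
    if "offline_access" not in scopes:
        findings.append(("missing-offline_access",
                         "no refresh token; the user re-authenticates once the access token expires"))
    if len(scopes) > MAX_SCOPES:
        findings.append(("too-many",
                         f"{len(scopes)} scopes requested, config comment allows {MAX_SCOPES}"))
    for s in scopes:
        if s in NON_GRAPH_SCOPES:
            findings.append(("non-graph",
                             f"{s} belongs to {NON_GRAPH_SCOPES[s]}, not Microsoft Graph"))
    admin = [s for s in scopes if s not in OIDC_SCOPES and needs_admin_consent(s)]
    if admin:
        findings.append(("admin-consent",
                         "tenant-wide scopes need admin consent: " + " ".join(admin)))
    return findings


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str,
                        scope_string: str, state: str) -> str:
    """Build the v2.0 /authorize request for the authorization code flow.
    Unprefixed scopes are shorthand for https://graph.microsoft.com/<scope>;
    'state' is the CSRF token the callback must check."""
    query = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(parse_scopes(scope_string)),
        "state": state,
    }
    return (f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?"
            + urlencode(query))


if __name__ == "__main__":
    for label, scopes in (("default", DEFAULT_SCOPES), ("changed", CHANGED_SCOPES)):
        print(f"{label}: {len(parse_scopes(scopes))} scopes")
        for code, msg in lint_scopes(scopes):
            print(f"  [{code}] {msg}")
    print(build_authorize_url("common", "<client-id>",
                              "https://example.test/msgraph/oauth", CHANGED_SCOPES, "xyz"))
```

Running the script against the two strings from the question reports nothing for the package default and, for the changed string, the missing openid and offline_access scopes plus the non-Graph and admin-consent findings; putting openid (and offline_access, if refresh tokens are wanted) back in front of the list clears the first two.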