scopes not working in microsoft graph API

Question


In my Laravel app, I am using the https://github.com/dcblogdev/laravel-microsoft-graph package to log in with M365. It was working fine until I changed the scopes in the config/msgraph.php file. The default file is:

<?php

return [

    /*
    * the clientId is set from the Microsoft portal to identify the application
    * https://apps.dev.microsoft.com
    */
    'clientId' => env('MSGRAPH_CLIENT_ID'),

    /*
    * set the application secret
    */
    'clientSecret' => env('MSGRAPH_SECRET_ID'),

    /*
    * Set the url to trigger the oauth process this url should call return MsGraph::connect();
    */
    'redirectUri' => env('MSGRAPH_OAUTH_URL'),

    /*
    * set the url to be redirected to once the token has been saved
    */
    'msgraphLandingUri'  => env('MSGRAPH_LANDING_URL'),

    /*
    set the tenant authorize URL
    */
    'tenantUrlAuthorize' => env('MSGRAPH_TENANT_AUTHORIZE'),

    /*
    set the tenant token URL
    */
    'tenantUrlAccessToken' => env('MSGRAPH_TENANT_TOKEN'),

    /*
    set the authorize URL
    */
    'urlAuthorize' => 'https://login.microsoftonline.com/'.env('MSGRAPH_TENANT_ID', 'common').'/oauth2/v2.0/authorize',

    /*
    set the token URL
    */
    'urlAccessToken' => 'https://login.microsoftonline.com/'.env('MSGRAPH_TENANT_ID', 'common').'/oauth2/v2.0/token',

    /*
    set the scopes to be used, Microsoft Graph API will accept up to 20 scopes
    */
    'scopes' => 'offline_access openid calendars.readwrite contacts.readwrite files.readwrite mail.readwrite mail.send tasks.readwrite mailboxsettings.readwrite user.readwrite',

    /*
    The default timezone is set to Europe/London; this option allows you to set your preferred timezone
    */
    'preferTimezone' => env('MSGRAPH_PREFER_TIMEZONE', 'outlook.timezone="Europe/London"'),

    /*
    set the database connection
    */
    'dbConnection' => env('MSGRAPH_DB_CONNECTION', 'mysql'),
];

I have changed the scopes to:

    'scopes' => 'AuditLog.Read.All DeviceManagementConfiguration.Read.All DeviceManagementConfiguration.ReadWrite.All Directory.Read.All Directory.ReadWrite.All IdentityRiskyUser.Read.All Policy.Read.All RoleAssignmentSchedule.Read.Directory RoleAssignmentSchedule.ReadWrite.Directory RoleManagement.ReadWrite.Directory RoleManagement.Read.Directory RoleManagement.Read.All SecurityEvents.Read.All SecurityEvents.ReadWrite.All User.Read.All User.ReadWrite.All Exchange.ManageAsApp',

After changing the scopes, when I enter the correct email and password it stays on the login page and does not go forward.

Answer 1

Score: 1

I think you have to add the openid scope.

    'scopes' => 'openid AuditLog.Read.All DeviceManagementConfiguration.Read.All DeviceManagementConfiguration.ReadWrite.All Directory.Read.All Directory.ReadWrite.All IdentityRiskyUser.Read.All Policy.Read.All RoleAssignmentSchedule.Read.Directory RoleAssignmentSchedule.ReadWrite.Directory RoleManagement.ReadWrite.Directory RoleManagement.Read.Directory RoleManagement.Read.All SecurityEvents.Read.All SecurityEvents.ReadWrite.All User.Read.All User.ReadWrite.All Exchange.ManageAsApp',

openid represents the sign-in permission. The openid scope can be used at the Microsoft identity platform token endpoint to acquire ID tokens. The app can use these tokens for authentication.

You also removed the offline_access scope. It's up to you whether you add this scope or not, but with the offline_access scope, your app can receive refresh tokens.
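As an added example (not code from the question, the answer, or the laravel-microsoft-graph package), a small Python helper that checks a space-separated scope string the way the answer reasons about it: openid is needed to get an ID token for sign-in, offline_access is needed for refresh tokens, and the config comment's 20-scope limit applies. The authorize URL builder follows the standard v2.0 authorization-code request and is an assumption about what the package sends, not a copy of it.

```python
from urllib.parse import urlencode, parse_qs, urlparse

# Added example; not code from the question or the laravel-microsoft-graph package.
MAX_GRAPH_SCOPES = 20  # limit quoted in the package's config comment

# Constructed sample: the scope string from the question, as posted (no openid).
ASKER_SCOPES = (
    "AuditLog.Read.All DeviceManagementConfiguration.Read.All "
    "DeviceManagementConfiguration.ReadWrite.All Directory.Read.All "
    "Directory.ReadWrite.All IdentityRiskyUser.Read.All Policy.Read.All "
    "RoleAssignmentSchedule.Read.Directory RoleAssignmentSchedule.ReadWrite.Directory "
    "RoleManagement.ReadWrite.Directory RoleManagement.Read.Directory "
    "RoleManagement.Read.All SecurityEvents.Read.All SecurityEvents.ReadWrite.All "
    "User.Read.All User.ReadWrite.All Exchange.ManageAsApp"
)


def check_scopes(scopes: str) -> list[str]:
    """Return the problems a sign-in flow would hit with this space-separated scope string."""
    wanted = scopes.split()
    problems = []
    if "openid" not in wanted:
        problems.append("missing openid: no ID token is issued, so sign-in cannot complete")
    if "offline_access" not in wanted:
        problems.append("missing offline_access: no refresh token will be issued")
    if len(wanted) > MAX_GRAPH_SCOPES:
        problems.append(f"{len(wanted)} scopes requested, Graph accepts at most {MAX_GRAPH_SCOPES}")
    return problems


def fix_scopes(scopes: str) -> str:
    """Prepend the sign-in scopes the answer recommends, keeping the rest in the posted order."""
    wanted = scopes.split()
    required = [s for s in ("openid", "offline_access") if s not in wanted]
    return " ".join(required + wanted)


def authorize_url(tenant: str, client_id: str, redirect_uri: str, scopes: str, state: str) -> str:
    """Standard v2.0 authorization-code request against the urlAuthorize endpoint in the config."""
    base = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"
    query = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
             "response_mode": "query", "scope": scopes, "state": state}
    return base + "?" + urlencode(query)


def scopes_in_url(url: str) -> list[str]:
    """Read the scope list back from an authorize URL, e.g. the redirect captured in browser dev tools."""
    return parse_qs(urlparse(url).query).get("scope", [""])[0].split()
```

Reading the scope parameter back out of the redirect to login.microsoftonline.com is the quickest way to confirm which scope list the app actually sent after editing the config.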

huangapple
  • Posted on June 1, 2023 19:06:46
  • Please keep this link when reposting: https://go.coder-hub.com/76381243.html