使用MS Graph API列出特定用户的日历事件。

huangapple go评论63阅读模式
英文:

List calendar events from specific user using MS Graph API

问题

我们正在尝试运行一些Arduino代码,以列出用户在我们的Azure AD中的日历中的所有事件。权限方面存在一些问题,因为我们中的一个人可以使用Graph explorer获取数据,但在使用Arduino代码进行身份验证时无法获取数据。

我们在AAD中设置了一个应用程序注册,具有以下所需的API权限(我们不确定是委托还是应用程序,因此两者都添加了,尽管我相当确定它是委托的,因为令牌使用的范围看到了)API权限

我们正在使用应用程序(客户端)ID和目录(租户)ID进行身份验证,以及一个登录。在设置期间,我们需要访问https://microsoft.com/devicelogin并使用代码进行Arduino的身份验证。

我们正在使用的库是ArduinoMSGraph@^0.2.0

此函数用于设置范围

graphClient.startDeviceLoginFlow(deviceCodeDoc, "offline_access%20openid%20Presence.Read%20Calendars.Read%20Calendars.ReadBasic%20Calendars.ReadWrite");

根据访问令牌,该范围也已获得批准(与我们在测试期间使用的一些其他范围一起)以下是解码令牌的一部分。我使用https://jwt.ms/来解码它。
范围

此函数用于执行GET请求

bool res = requestJsonApiButDifferent(responseDoc, "https://graph.microsoft.com/v1.0/users/<user>@<tenant>.nl/calendar/events", "", "GET", true);

(这是requestJsonApi()的稍微修改版本,因为在解析JSON数据时存在一些问题,但对于其他GET请求来说,它完全正常,因此编辑不应该影响身份验证的问题。您可以在这里找到我的函数版本)

似乎可以用这种方式获取出勤,但是当尝试访问另一个用户的日历事件时,我们无法这样做。

当运行上述提到的GET时,我们收到的错误是
requestJsonApi() - Other HTTP code: 403
JSON响应是

{
    "error": {
        "code": "ErrorAccessDenied",
        "message": "Access is denied. Check credentials and try again."
    }
}

这意味着这必须是与权限有关的问题,我们猜测它在AAD中应用程序的API权限中,但这就是我卡住的地方。我们按照多个指南的步骤来授予管理员同意,我们在API权限(如上所示)和企业权限上都这样做了。
图像说明在这里

这就是我们被卡住的地方。我们漏掉了什么?

我们会感激任何建议。如果需要提供更多信息以解决此问题,请告诉我。

英文:

We are trying to run some Arduino code that lists all events from the calendar of a user in our Azure AD.
There are some issues with the permissions as one of us is able to get the data using the Graph explorer but not when authenticated using the Arduino code.

We have set up a App registration in the AAD with the necessary API permissions as seen below (we weren't sure if it was Delegated or Application so we added both, though I am fairly certain it is Delegated seeing the scope that the token is using) API permissions

We are using the Application (client) ID and Directory (tenant) ID for authentication together with a login. During the setup we need to go to https://microsoft.com/devicelogin and use a code to authenticate the Arduino.

The library we're using is ArduinoMSGraph@^0.2.0

This function is used to set the scope
graphClient.startDeviceLoginFlow(deviceCodeDoc, &quot;offline_access%20openid%20Presence.Read%20Calendars.Read%20Calendars.ReadBasic%20Calendars.ReadWrite&quot;);

According to the access token the scope is also approved (together with some other scopes we used while testing)
Here is that part of the decoded token. I used https://jwt.ms/ to decode it.
scope

This function is called to do the GET request
bool res = requestJsonApiButDifferent(responseDoc, &quot;https://graph.microsoft.com/v1.0/users/&lt;user&gt;@&lt;tenant&gt;.nl/calendar/events&quot;, &quot;&quot;, &quot;GET&quot;, true);
(This is a slightly altered version of the original requestJsonApi() because there were some issues with parsing the JSON data but it works just fine for other GET requests so the edit shouldn't be an issue for the authentication. You can find my version of the function here)

And that seems to work fine to get the Presence but when trying to access the calender events for another user we are unable to do so.

The error we get when running the above mentioned GET is
requestJsonApi() - Other HTTP code: 403
The JSON repsonse is

{
    &quot;error&quot;: {
        &quot;code&quot;: &quot;ErrorAccessDenied&quot;,
        &quot;message&quot;: &quot;Access is denied. Check credentials and try again.&quot;
    }
}

This means it has to be an issue with the permissions and we guess it's in the API permissions for the Application in the AAD but this is were I'm stuck.
We followed multiple guides that tell me to grant Admin consent, which we did with the API permissions (as seen above) and with the Enterprise permissions.
enter image description here

This is where we're stuck. What are we missing?

We would appreciate any input. If I need to provide more information to solve this let me know.

答案1

得分: 0

如果您正在使用DeviceLogin,则将使用委托权限(例如,与进行身份验证的用户的凭据)。可能您遇到的问题是您尚未授予“Calendars.Read.Shared”委托权限,因为这将允许您读取除登录的用户之外的用户的日历,只要特定用户已被明确授权访问(通过Outlook委派或Add-MailboxFolderPermission等方式)。

英文:

If you are using a DeviceLogin then you will be using Delegate permissions (eg the credentials of whatever user is authenticating).

Probably your issue is that you haven't given Calendars.Read.Shared Delegate permission as this will allows you to read calendars of users other then the user that is logging on that this particular user has been granted explicit access to eg(via Outlook delegation or Add-MailboxFolderPermisssion etc).

答案2

得分: 0

原来我们需要将登录设备的帐户(即我)添加到Microsoft 365管理中心的代表列表中。

英文:

Turns out that we needed to add the account that logged in on the device (me) to the delegates list on the Microsoft 365 admin center.

huangapple
  • 本文由 发表于 2023年6月8日 18:54:03
  • 转载请务必保留本文链接:https://go.coder-hub.com/76431101.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定