Can't access Microsoft Graph users calendars 403


I have seen other similar posts, but I don't find a real answer. Just "it's coming", and old.

I am authenticating with admin credentials for our O365 and trying to pull calendar information. The scope has Calendars.ReadWrite (which falls under app-only and delegated as far as scopes go), but it returns 403: ErrorAccessDenied, "Access denied. Check credentials and try again."

The Graph doc for calendar views shows you can send in users/{id} in the request, and the IDs came from when I listed the users. Of course, if I use mine, it works.

If there is an app-only scope vs. a delegated scope with the same scope name, how do I specify that?

Is there something I have to specify in O365 so the admin user has rights? I can delete or create a user account in O365, so it appears it should have what it needs.

Thanks

So, app-only has a different flow.

First, instead of authenticating the user at "https://login.microsoftonline.com/common/oauth2/v2.0/authorize", you authenticate them at "https://login.microsoftonline.com/common/adminconsent".

Second, pass in the same parameters minus "scope". The scope is determined by the application permissions defined in the application registered at apps.dev.microsoft.com.

Third, when you receive the callback, it will not have the "code" you use to go and retrieve access and refresh tokens. Instead, you receive a "tenant" property and an "admin_consent" property. "admin_consent" will tell you whether you have rights or not.

Fourth, when requesting the access token, do not supply the "scope" or "code" parameters; instead, provide a "resource" parameter with the value "https://graph.microsoft.com".

Lastly, the URL to contact for the token changes from "https://login.microsoftonline.com/common/oauth2/v2.0/token" to "https://login.microsoftonline.com/{tenant}/oauth2/token", where {tenant} is the value returned.

Please note that in the URL "v2.0" is missing. This isn't a typo. If you do not remove it from the path, it errors with an invalid or missing "scope" parameter.

Once it returns the access and refresh token, the flow seems to follow the normal delegated access.

Here are a couple of links Microsoft gave me, with guidance to figure it out.

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-scopes#using-the-admin-consent-endpoint

https://developer.microsoft.com/en-us/graph/docs/authorization/app_only

(big jeff @ microsoft)
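
The steps in the answer above, as an added example that is not part of the original post or Microsoft's code: it builds the admin-consent URL, checks the callback, and assembles the token request without touching the network. The `client_id`, `redirect_uri`, `state`, `client_secret` and `grant_type=client_credentials` parameters follow Microsoft's documented app-only flow rather than the post; the `state` check and the GUID validation of `tenant` are additions, and all sample values are constructed placeholders.

```python
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

ADMIN_CONSENT = "https://login.microsoftonline.com/common/adminconsent"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"  # no "v2.0"
GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def consent_url(client_id, redirect_uri, state):
    """First and second steps: same parameters as /authorize, minus "scope"."""
    query = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    return ADMIN_CONSENT + "?" + urlencode(query)


def parse_callback(callback_url, expected_state):
    """Third step: the callback carries "tenant" and "admin_consent", not "code"."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    if not hmac.compare_digest(q.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not tied to our request")
    if q.get("admin_consent", "").lower() != "true":
        raise PermissionError(q.get("error", "admin consent not granted"))
    tenant = q.get("tenant", "")
    # The tenant is interpolated into the URL that receives the client secret,
    # so accept nothing but a GUID here.
    if not GUID.fullmatch(tenant):
        raise ValueError("tenant is not a GUID")
    return tenant


def token_request(tenant, client_id, client_secret):
    """Fourth and last steps: tenant endpoint, "resource" instead of "scope"/"code"."""
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": "https://graph.microsoft.com",
    }
    return TOKEN_URL.format(tenant=tenant), form


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(consent_url("CLIENT-ID-PLACEHOLDER", "https://localhost/cb", state))
    # Constructed callback, shaped like the one the answer describes.
    cb = "https://localhost/cb?admin_consent=True&tenant=11111111-2222-3333-4444-555555555555&state=" + state
    url, form = token_request(parse_callback(cb, state), "CLIENT-ID-PLACEHOLDER", "SECRET-PLACEHOLDER")
    print(url, sorted(form))
```

The returned URL and form are what would be sent as a POST to the token endpoint; keep the client secret out of source control and logs.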

