
Office 365 API, error: The token has invalid value 'roles' for the claim type ''

Stack Overflow user
Asked on 2014-11-15 21:18:12
Answers: 2 | Views: 1.9K | Followers: 0 | Votes: 0

I'm trying to access the Office 365 API, specifically Exchange.

I'm trying to develop a server/daemon application that polls a shared inbox, and I'm using the "client_credentials" grant type in OAuth 2.0. I followed the steps to create an application in Active Directory; you can see the permissions the application has in this screenshot: http://gyazo.com/a2d614a690115f8a6b65de00f46b1599

Eventually I want to develop a Ruby application to pull the data, but first I'm testing the responses with cURL. Here is the OAuth token request:

```shell
curl -X POST https://login.windows.net/TENANT_KEY/oauth2/token \
  -F redirect_uri=http://spreadyDaemon \
  -F grant_type=client_credentials \
  -F resource=https://outlook.office365.com/ \
  -F client_id=XXXX \
  -F client_secret=XXXX=
```

It returns a JWT, which looks like this when decoded:

Header

```json
{
  "x5t": "kriMPdmBvx68skT8-mPAB3BseeA", 
  "alg": "RS256", 
  "typ": "JWT"
}
```

Claims

```json
{
  "ver": "1.0", 
  "aud": "https://outlook.office365.com/", 
  "iss": "https://sts.windows.net/TENANT_KEY/", 
  "oid": "17fa33ae-a0e9-4292-96ea-24ce8f11df21", 
  "idp": "https://sts.windows.net/TENANT_KEY/", 
  "appidacr": "1", 
  "exp": 1415986833, 
  "appid": "XXXX", 
  "tid": "e625eb3f-ef77-4c02-8010-c591d78b6c5f", 
  "iat": 1415982933, 
  "nbf": 1415982933, 
  "sub": "17fa33ae-a0e9-4292-96ea-24ce8f11df21"
}
```

However, when I use that token to request anything from Exchange, I get a 401 Unauthorized with the x-ms-diagnostics header set to:

```http
x-ms-diagnostics: 2000001;reason="The token has invalid value 'roles' for the claim type ''.";error_category="invalid_token"
```

Here are the full headers:

```http
HTTP/1.1 401 Unauthorized
Cache-Control: private
Server: Microsoft-IIS/8.0
request-id: d08d01a8-7213-4a13-a598-08362b4dfa70
Set-Cookie: ClientId=WDALDNO0CAIOOZDZWTA; expires=Sat, 14-Nov-2015 16:40:59 GMT; path=/; HttpOnly
X-CalculatedBETarget: am3pr01mb0662.eurprd01.prod.exchangelabs.com
x-ms-diagnostics: 2000001;reason="The token has invalid value 'roles' for the claim type ''.";error_category="invalid_token"
X-DiagInfo: AM3PR01MB0662
X-BEServer: AM3PR01MB0662
X-AspNet-Version: 4.0.30319
Set-Cookie: exchangecookie=6bf68da033684824af21af3b0cdea6e3; expires=Sat, 14-Nov-2015 16:40:59 GMT; path=/; HttpOnly
Set-Cookie: X-BackEndCookie2=OrganizationAnchor@Fitzdares.onmicrosoft.com=u56Lnp2ejJqBz82am8zJx8zSzcmey9LLyZrI0p6cmp3SycjLm8eazcjIy83IgbmWi4Wbno2ajNGQkZKWnI2QjJCZi9GckJKBzc/Oy9LOzdLOy6vOycXLz8XKxoGaio2PjZvPztGPjZCb0ZqHnJeekZiak56djNGckJI=; expires=Sun, 14-Dec-2014 16:40:59 GMT; path=/EWS; secure; HttpOnly
Set-Cookie: X-BackEndCookie=OrganizationAnchor@Fitzdares.onmicrosoft.com=u56Lnp2ejJqBz82am8zJx8zSzcmey9LLyZrI0p6cmp3SycjLm8eazcjIy83IgbmWi4Wbno2ajNGQkZKWnI2QjJCZi9GckJKBzc/Oy9LOzdLOy6vOycXLz8XKxg==; expires=Sun, 14-Dec-2014 16:40:59 GMT; path=/EWS; secure; HttpOnly
X-Powered-By: ASP.NET
X-FEServer: DB4PR02CA0026
WWW-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000@*", authorization_uri="https://login.windows.net/common/oauth2/authorize", error="invalid_token",Basic Realm="",Basic Realm=""
Date: Fri, 14 Nov 2014 16:40:59 GMT
Content-Length: 0
```

I'm not sure whether I've misunderstood some documentation or missed a step somewhere. However, the JWT lacks any access scopes. I'm not sure how to add specific permissions to the application manifest as described here: ExchangeScopes

This is how my manifest looks:

```json
{
  "allowActAsForAllClients": null,
  "appId": "XXXX",
  "appMetadata": {
    "version": 0,
    "data": []
  },
  "appRoles": [],
  "availableToOtherTenants": false,
  "displayName": "Fitzdares",
  "errorUrl": null,
  "groupMembershipClaims": null,
  "homepage": "http://spreadyDaemon",
  "identifierUris": [
    "http://spreadyDaemon"
  ],
  "keyCredentials": [],
  "knownClientApplications": [],
  "logoutUrl": null,
  "oauth2AllowImplicitFlow": false,
  "oauth2AllowUrlPathMatching": false,
  "oauth2Permissions": [],
  "oauth2RequirePostResponse": false,
  "passwordCredentials": [
    {
      "customKeyIdentifier": null,
      "endDate": "2016-11-14T16:30:45.0745603Z",
      "keyId": "46cce171-ed65-4828-8af7-d02af950e44a",
      "startDate": "2014-11-14T16:30:45.0745603Z",
      "value": null
    }
  ],
  "publicClient": null,
  "replyUrls": [
    "http://spreadyDaemon"
  ],
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
      "resourceAccess": [
        {
          "id": "3b5f3d61-589b-4a3c-a359-5dd4b5ee5bd5",
          "type": "Scope"
        },
        {
          "id": "185758ba-798d-4b72-9e54-429a413a2510",
          "type": "Scope"
        },
        {
          "id": "75767999-c7a8-481e-a6b4-19458e0b30a5",
          "type": "Scope"
        },
        {
          "id": "5eb43c10-865a-4259-960a-83946678f8dd",
          "type": "Scope"
        }
      ]
    },
    {
      "resourceAppId": "00000002-0000-0000-c000-000000000000",
      "resourceAccess": [
        {
          "id": "5778995a-e1bf-45b8-affa-663a9f3f4d04",
          "type": "Scope"
        },
        {
          "id": "78c8a3c8-a07e-4b9e-af1b-b5ccab50a175",
          "type": "Scope"
        },
        {
          "id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
          "type": "Scope"
        }
      ]
    }
  ],
  "samlMetadataUrl": null,
  "defaultPolicy": [],
  "extensionProperties": [],
  "objectType": "Application",
  "objectId": "8af97a9f-74c7-499d-b29a-7fca6926d84e",
  "deletionTimestamp": null,
  "createdOnBehalfOf": null,
  "createdObjects": [],
  "manager": null,
  "directReports": [],
  "members": [],
  "memberOf": [],
  "owners": [],
  "ownedObjects": []
}
```

Any help would be greatly appreciated!
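Added example (not part of the question or of any Microsoft library): the inspection a practitioner would run before asking Exchange why an app-only token is rejected. It decodes the posted JWT without verifying the signature (inspection only), checks `aud`, `exp` and `nbf` against the request, reports the missing `roles` claim that the diagnostics header complains about, and parses the `x-ms-diagnostics` value into fields. The token is reassembled from the header and claims in the question with a constructed placeholder signature; `diagnose_app_token` and `parse_ms_diagnostics` are names chosen here, and the evaluation time 1415983000 is picked to fall inside the token's own iat/exp window.

```ruby
require 'base64'
require 'json'

# Decode one base64url segment of a compact JWS (RFC 7515: '-' and '_' alphabet, padding omitted).
def b64url_decode(segment)
  padded = segment + ('=' * ((4 - segment.length % 4) % 4))
  Base64.urlsafe_decode64(padded)
end

def b64url_encode(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Split a token into header, claims and signature WITHOUT verifying the signature.
# This only shows what the STS issued; never use an unverified token to authorize anything.
def decode_jwt(token)
  parts = token.split('.')
  raise ArgumentError, "expected 3 segments, got #{parts.length}" unless parts.length == 3
  {
    header:    JSON.parse(b64url_decode(parts[0])),
    claims:    JSON.parse(b64url_decode(parts[1])),
    signature: parts[2]
  }
end

# Explain why a resource may reject an app-only (client_credentials) token.
# `resource` is the value sent as resource= in the token request; `now` is a Unix time.
def diagnose_app_token(claims, resource:, now: Time.now.to_i)
  problems = []
  problems << "aud #{claims['aud'].inspect} does not match resource #{resource.inspect}" unless claims['aud'] == resource
  problems << "token expired (exp=#{claims['exp']})" if claims['exp'] && now >= claims['exp']
  problems << "token not yet valid (nbf=#{claims['nbf']})" if claims['nbf'] && now < claims['nbf']
  # An app-only token carries application permissions as a `roles` claim (never `scp`);
  # with no `roles` claim the resource has nothing to authorize the call against.
  problems << "no roles claim: no application permission to #{resource} was granted" unless claims.key?('roles')
  problems
end

# Parse Exchange's x-ms-diagnostics header into its numeric code and quoted fields.
def parse_ms_diagnostics(value)
  code, rest = value.split(';', 2)
  fields = { 'code' => code.strip }
  rest.to_s.scan(/(\w+)="((?:[^"\\]|\\.)*)"/) { |key, val| fields[key] = val }
  fields
end

# Sample token assembled from the header and claims posted in the question; the signature
# segment is a constructed placeholder, which is fine because nothing here verifies it.
SAMPLE_HEADER = { 'x5t' => 'kriMPdmBvx68skT8-mPAB3BseeA', 'alg' => 'RS256', 'typ' => 'JWT' }
SAMPLE_CLAIMS = {
  'ver' => '1.0', 'aud' => 'https://outlook.office365.com/',
  'iss' => 'https://sts.windows.net/TENANT_KEY/',
  'oid' => '17fa33ae-a0e9-4292-96ea-24ce8f11df21',
  'idp' => 'https://sts.windows.net/TENANT_KEY/',
  'appidacr' => '1', 'exp' => 1415986833, 'appid' => 'XXXX',
  'tid' => 'e625eb3f-ef77-4c02-8010-c591d78b6c5f',
  'iat' => 1415982933, 'nbf' => 1415982933,
  'sub' => '17fa33ae-a0e9-4292-96ea-24ce8f11df21'
}
SAMPLE_TOKEN = [
  b64url_encode(JSON.generate(SAMPLE_HEADER)),
  b64url_encode(JSON.generate(SAMPLE_CLAIMS)),
  b64url_encode('not-a-real-signature')
].join('.')
SAMPLE_DIAGNOSTICS = %q{2000001;reason="The token has invalid value 'roles' for the claim type ''.";error_category="invalid_token"}

if __FILE__ == $PROGRAM_NAME
  jwt = decode_jwt(SAMPLE_TOKEN)
  puts "alg=#{jwt[:header]['alg']} aud=#{jwt[:claims]['aud']} appid=#{jwt[:claims]['appid']}"
  # Evaluate at a time inside the token's validity window (between iat and exp).
  diagnose_app_token(jwt[:claims], resource: 'https://outlook.office365.com/', now: 1415983000).each { |msg| puts "  - #{msg}" }
  puts parse_ms_diagnostics(SAMPLE_DIAGNOSTICS).inspect
end
```

Run against the posted token this reports exactly one problem, the absent `roles` claim, which is the same thing Exchange is saying in its diagnostics header: the STS issued a valid app-only token, but nothing in it grants the application any permission on the mailbox resource.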


2 answers

Stack Overflow user

Accepted answer

Posted on 2014-11-17 16:42:35

Venkat,

I suspect the problem is in how you are requesting the token. You are using grant_type=client_credentials, which Exchange does not support (at least not yet). The only grant type Exchange supports is authorization_code. See Matthias's comment of 11/4 on this post: http://blogs.msdn.com/b/exchangedev/archive/2014/03/25/using-oauth2-to-access-calendar-contact-and-mail-api-in-exchange-online-in-office-365.aspx

This may also help: http://blogs.msdn.com/b/exchangedev/archive/2014/10/28/oauth2-in-action-with-the-release-of-office-365-calendar-contacts-and-mail.aspx

Update: the client credentials flow is now supported! http://blogs.msdn.com/b/exchangedev/archive/2015/01/22/building-demon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow.aspx

Jason

Votes: 1
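Added example, not code from the answer above or from any Microsoft tooling: once the resource does accept client_credentials, the manifest is the other half of the fix. In an Azure AD application manifest, `requiredResourceAccess` entries of type "Scope" are delegated permissions (they show up as `scp` in a user token) and entries of type "Role" are application permissions (they show up as `roles` in an app-only token). The manifest in the question lists only Scope entries for the Exchange resource, so no client_credentials token for it can carry a `roles` claim. The functions below classify the entries for one resource and add a Role entry idempotently. The sample manifest is a constructed subset of the one posted; `PLACEHOLDER_ROLE_ID` is a placeholder, because the real application-permission id must be read from the resource's service principal and an administrator must still consent to it.

```ruby
require 'json'

# resourceAppId that the posted manifest uses for Exchange Online.
EXCHANGE_RESOURCE_APP_ID = '00000002-0000-0ff1-ce00-000000000000'

# Permission ids requested from one resource, split by type.
# "Scope" entries are delegated permissions and surface as an `scp` claim in a user token;
# "Role" entries are application permissions and surface as a `roles` claim in an app-only token.
def permissions_for(manifest, resource_app_id)
  entry  = manifest.fetch('requiredResourceAccess', []).find { |r| r['resourceAppId'] == resource_app_id }
  access = entry ? entry.fetch('resourceAccess', []) : []
  {
    scopes: access.select { |a| a['type'] == 'Scope' }.map { |a| a['id'] },
    roles:  access.select { |a| a['type'] == 'Role'  }.map { |a| a['id'] }
  }
end

# A client_credentials token can only carry application permissions, so a manifest that
# lists nothing but Scope entries for the resource can never yield a `roles` claim for it.
def app_only_capable?(manifest, resource_app_id)
  permissions_for(manifest, resource_app_id)[:roles].any?
end

# Return a copy of the manifest with a Role entry for `resource_app_id` added (idempotent).
# The role id must come from the resource service principal's appRoles list, and an admin
# must still grant consent; this only edits the JSON.
def add_application_permission(manifest, resource_app_id, role_id)
  updated = JSON.parse(JSON.generate(manifest)) # deep copy; the caller's hash is left untouched
  rra   = (updated['requiredResourceAccess'] ||= [])
  entry = rra.find { |r| r['resourceAppId'] == resource_app_id }
  unless entry
    entry = { 'resourceAppId' => resource_app_id, 'resourceAccess' => [] }
    rra << entry
  end
  access  = (entry['resourceAccess'] ||= [])
  already = access.any? { |a| a['id'] == role_id && a['type'] == 'Role' }
  access << { 'id' => role_id, 'type' => 'Role' } unless already
  updated
end

# Constructed subset of the manifest posted in the question (only the fields used here).
SAMPLE_MANIFEST = JSON.parse(<<~MANIFEST)
  {
    "appId": "XXXX",
    "displayName": "Fitzdares",
    "requiredResourceAccess": [
      {
        "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
        "resourceAccess": [
          { "id": "3b5f3d61-589b-4a3c-a359-5dd4b5ee5bd5", "type": "Scope" },
          { "id": "185758ba-798d-4b72-9e54-429a413a2510", "type": "Scope" },
          { "id": "75767999-c7a8-481e-a6b4-19458e0b30a5", "type": "Scope" },
          { "id": "5eb43c10-865a-4259-960a-83946678f8dd", "type": "Scope" }
        ]
      },
      {
        "resourceAppId": "00000002-0000-0000-c000-000000000000",
        "resourceAccess": [
          { "id": "5778995a-e1bf-45b8-affa-663a9f3f4d04", "type": "Scope" }
        ]
      }
    ]
  }
MANIFEST

# Placeholder: substitute the real application-permission id from the Exchange service principal.
PLACEHOLDER_ROLE_ID = 'ROLE-ID-FROM-EXCHANGE-SERVICE-PRINCIPAL'

if __FILE__ == $PROGRAM_NAME
  perms = permissions_for(SAMPLE_MANIFEST, EXCHANGE_RESOURCE_APP_ID)
  puts "Exchange: #{perms[:scopes].length} delegated scope(s), #{perms[:roles].length} application role(s)"
  puts "app-only capable? #{app_only_capable?(SAMPLE_MANIFEST, EXCHANGE_RESOURCE_APP_ID)}"
  fixed = add_application_permission(SAMPLE_MANIFEST, EXCHANGE_RESOURCE_APP_ID, PLACEHOLDER_ROLE_ID)
  puts JSON.pretty_generate(fixed['requiredResourceAccess'].first)
end
```

The delegated Scope entries stay in place, since a daemon may still need them for an authorization_code flow; the Role entry is what an app-only token is authorized against, and the `roles` claim will only appear after that entry exists and has been consented to.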

Stack Overflow user

Posted on 2014-11-15 21:30:54

Thanks for the details! Your problem may be the same as the one discussed in this StackOverflow question; unchecking "Have full access to users' mailboxes" may fix what you are seeing.

Please let me know if you have any questions, or if you are still denied access even after unchecking that permission.

Update: Jason is right; we don't support the client-credentials flow yet. However, we are very close to delivering it. So please watch the blog in a few weeks for the announcement that it is available and how to use it.

Update: support for service accounts is now available. See our blog announcement for more details.

Votes: -1
Original content provided by Stack Overflow; the Chinese rendering this page was translated from was produced by Tencent Cloud's Xiaowei IT-domain engine.
Original link: https://stackoverflow.com/questions/26950838
