Practice: accessing Microsoft Graph with OAuth

Mon 25 February 2019 / In categories Platform

MS Graph, OAuth

This exercise is based on the module Microsoft Graph Training Module - Build Python Django apps with Microsoft Graph.

First, clone the Git repository:

git clone --depth=1 https://github.com/microsoftgraph/msgraph-training-pythondjangoapp.git
cd msgraph-training-pythondjangoapp/

The module contains three demos:

  • 01-create-app
  • 02-add-aad-auth
  • 03-add-msgraph

We skip the first two demos and go straight to the third one, 03-add-msgraph:

cd Demos/03-add-msgraph/graph_tutorial

# Install the Python 3 dependencies
pip3 install -r requirements.txt

# Create the configuration file from the shipped example
cp oauth_settings.yml.example oauth_settings.yml

Register an app in the App Registration Portal (a regular Microsoft account is enough) and note its application ID and application secret. Add a redirect URL of http://localhost:8000/tutorial/callback, and under Microsoft Graph Permissions add Files.ReadWrite.AppFolder. Two things must line up exactly: the registered redirect URL has to match the redirect value in the config byte for byte (otherwise the authorization request is rejected), and every permission you request in the scopes line below must also be granted to the app here.

Then fill these values into the configuration file oauth_settings.yml; the result looks like this:

app_id: your app's ID
app_secret: your app's secret
redirect: http://localhost:8000/tutorial/callback
scopes: openid profile offline_access user.read calendars.read Files.ReadWrite.AppFolder
authority: https://login.microsoftonline.com/common
authorize_endpoint: /oauth2/v2.0/authorize
token_endpoint: /oauth2/v2.0/token

Make sure the current directory is msgraph-training-pythondjangoapp/Demos/03-add-msgraph/graph_tutorial, then run:

# Create the database (Django's session store lives here)
python3 manage.py migrate
# Run the development server
python3 manage.py runserver

The terminal shows:

Performing system checks...

System check identified no issues (0 silenced).
February 24, 2019 - 10:24:48
Django version 2.1.3, using settings 'graph_tutorial.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

Open a browser and go to http://127.0.0.1:8000/tutorial/ (note the /tutorial/ path, not the site root). If sign-in later fails with a state or session error, use http://localhost:8000/tutorial/ instead: the redirect URL registered above points at localhost, and the Django session cookie that carries the OAuth state across the redirect is scoped to the host name, so localhost and 127.0.0.1 do not share it.

Click "Click here to sign in". The Microsoft account login page appears; after you log in, a consent dialog asks whether you are willing to grant the listed permissions to this app. Click accept and the browser is redirected back to http://127.0.0.1:8000/tutorial/. Authorization is now complete: click HOME in the page menu and your user name is displayed on the HOME page.

How do you look at the token that was issued? Edit Demos/03-add-msgraph/graph_tutorial/tutorial/templates/tutorial/home.html and add the line {{ request.session.oauth_token }} just above {% endblock %}. Go back to the browser and refresh the page, and you will see something like:

{'token_type': 'Bearer', 'scope': ['openid', 'profile', 'User.Read', 'Calendars.Read', 'Files.ReadWrite.AppFolder'], 'expires_in': 3599, 'ext_expires_in': 3599,
'access_token': '<token contents>', 'refresh_token': '<token contents>', 'id_token': '<token contents>', 'expires_at': 1551007760.170273}

The access_token above is what the app sends to Microsoft Graph (as a Bearer header) to access the granted resources; it is valid for expires_in seconds, roughly one hour here. The refresh_token is used to obtain a new access_token once the old one expires, and is only issued because offline_access is in the scopes list. The id_token is the OpenID Connect JWT that identifies the signed-in user (from the openid scope). All three are bearer credentials: anyone who holds the access_token or refresh_token can act as the user, so the template line above is for inspection only. Remove it once you have looked, and never render or log tokens in a deployed app.
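To make the flow above concrete, here is an added example (not code from the tutorial or from the Microsoft Graph training repository) that implements the same authorization-code exchange against the v2.0 endpoints named in oauth_settings.yml in plain Python: it builds the sign-in URL, validates the callback with a state check that a real app must perform, builds the code-exchange and refresh requests, and reshapes the token response into the dict stored in request.session['oauth_token']. The SETTINGS values are placeholders, and the token endpoint is reached through an injected post(url, body) function so the code runs offline; supply a real POST (for instance one built on urllib.request) to run it against login.microsoftonline.com.

```python
"""Authorization-code flow against the Microsoft identity platform v2.0
endpoints, keyed exactly like oauth_settings.yml.

Added example, not part of the tutorial. SETTINGS holds placeholder
values; the token endpoint is called through an injected post(url, body)
function so the flow can be exercised without network access.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholders; in the tutorial these values come from oauth_settings.yml.
SETTINGS = {
    "app_id": "00000000-0000-0000-0000-000000000000",
    "app_secret": "placeholder-secret",
    "redirect": "http://localhost:8000/tutorial/callback",
    "scopes": "openid profile offline_access user.read calendars.read "
              "Files.ReadWrite.AppFolder",
    "authority": "https://login.microsoftonline.com/common",
    "authorize_endpoint": "/oauth2/v2.0/authorize",
    "token_endpoint": "/oauth2/v2.0/token",
}
GRAPH_ME = "https://graph.microsoft.com/v1.0/me"


def build_authorize_url(settings, state):
    """Step 1: the URL behind 'Click here to sign in'. The caller saves
    `state` in the session so the callback can be tied to this request."""
    params = {
        "client_id": settings["app_id"],
        "response_type": "code",
        "redirect_uri": settings["redirect"],
        "response_mode": "query",
        "scope": settings["scopes"],
        "state": state,
    }
    return settings["authority"] + settings["authorize_endpoint"] + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: pull the code out of the redirect to /tutorial/callback.
    A mismatched state means the code was not issued for this session
    (CSRF / code injection), so it is discarded instead of exchanged."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise RuntimeError("authorization failed: %s"
                           % query.get("error_description", query["error"])[0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding authorization code")
    return query["code"][0]


def token_request_body(settings, *, code=None, refresh_token=None):
    """Step 3 (code exchange) or a later refresh: the form body POSTed to
    the token endpoint. The client secret makes this a confidential
    client, which is why the exchange runs server-side, never in the browser."""
    body = {
        "client_id": settings["app_id"],
        "client_secret": settings["app_secret"],
        "scope": settings["scopes"],
    }
    if code is not None:
        body.update(grant_type="authorization_code", code=code,
                    redirect_uri=settings["redirect"])
    elif refresh_token is not None:
        body.update(grant_type="refresh_token", refresh_token=refresh_token)
    else:
        raise ValueError("need either code or refresh_token")
    return body


def normalise_token(raw, now=None):
    """Reshape the token endpoint's JSON into what the tutorial keeps in
    request.session['oauth_token']: scope as a list plus an absolute
    expires_at computed from the relative expires_in (seconds)."""
    now = time.time() if now is None else now
    token = dict(raw)
    token["scope"] = raw["scope"].split()
    token["expires_at"] = now + int(raw["expires_in"])
    return token


def is_expired(token, now=None, skew=60):
    """Treat the token as expired `skew` seconds early to absorb clock drift."""
    now = time.time() if now is None else now
    return token["expires_at"] - skew <= now


def get_valid_token(settings, token, post, now=None):
    """Return a usable token, refreshing via post(url, body) -> dict when
    the stored one has expired. Refresh only works with offline_access."""
    if not is_expired(token, now):
        return token
    raw = post(settings["authority"] + settings["token_endpoint"],
               token_request_body(settings, refresh_token=token["refresh_token"]))
    return normalise_token(raw, now)


def graph_headers(token):
    """Headers for a Graph call such as GET GRAPH_ME; the bearer token goes
    in Authorization only, never in the query string or a log line."""
    return {"Authorization": "%s %s" % (token["token_type"], token["access_token"]),
            "Accept": "application/json"}


if __name__ == "__main__":
    # Constructed walk-through against a fake token endpoint (no network).
    def fake_post(url, body):
        return {"token_type": "Bearer", "scope": "openid profile User.Read",
                "expires_in": 3599, "access_token": "A.%s" % body["grant_type"],
                "refresh_token": "R"}
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(SETTINGS, state))
    code = parse_callback(SETTINGS["redirect"] + "?code=AUTHCODE&state=" + state, state)
    token = normalise_token(fake_post(None, token_request_body(SETTINGS, code=code)))
    print(graph_headers(token)["Authorization"])   # Bearer A.authorization_code
    later = get_valid_token(SETTINGS, token, fake_post, now=token["expires_at"])
    print(graph_headers(later)["Authorization"])   # Bearer A.refresh_token
```

Wired into Django, the state value is written to request.session before the redirect and compared in the callback view, and the normalised token replaces request.session['oauth_token']; because the refresh path hands the refresh_token and client secret to the token endpoint, the session store holding them deserves the same protection as the secret itself.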
