Can an MS Graph Bearer token be used to access the Office REST API?

Tags: token, Bearer, Graph, MS

2023-09-06 17:15:40 Author: 纵然那只是梦境

We've implemented authentication in a .Net Core 2.0 app using Microsoft Graph to authenticate against Azure AD.

That works fine, and we were aiming to use Microsoft Graph for accessing Office 365 data.

Unfortunately, on deeper review, we've found that Tasks are currently unsupported via Microsoft Graph and must instead be accessed via the Outlook REST API.

Important: APIs under the /beta version in Microsoft Graph are in preview and are subject to change. Use of these APIs in production applications is not supported.

I tried passing the Bearer token retrieved via Microsoft Graph in the Outlook REST API headers, but I get back an invalid token error.

I'm hoping that I'm simply doing something wrong and this is a valid approach.

Since MS Graph is the "unified" replacement for the Outlook REST API and others, can a Microsoft Graph token be used to access the Outlook REST API?

Accepted answer

Yes, this is correct behavior. Tokens are only valid for a particular "audience", which is indicated by the aud claim inside the token.

If you obtained a token for the Microsoft Graph API, then the aud parameter would be set to https://graph.microsoft.com. This doesn't match the Office 365 API endpoint (https://outlook.office.com or https://outlook.office365.com), so the token validation fails. You have two options here.

1. Use the tasks APIs in Graph even though they are in beta.

2. Make sure that you obtain a refresh token when you request your Graph token (by including the offline_access scope in your auth/token requests). Then use that refresh token to obtain a second token with the proper audience.

You can use the refresh token to request an Office 365 API-compatible token by qualifying your scopes in the refresh request. For example, if you requested a Graph token with Tasks.Read, you would qualify Tasks.Read in your refresh request as https://outlook.office.com/Tasks.Read.
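The two points in the answer above, shown as runnable code: the token's aud claim must match the API you are about to call, and a refresh token can be traded for a token of a different audience by qualifying the scopes in the refresh request. This is example code added to this page, not code from the question, the answer or Microsoft. It assumes the Azure AD v2.0 token endpoint; the client id, refresh token and tenant id are placeholders, and the token it decodes is a constructed, unsigned sample built only so the example runs offline. Two caveats go beyond the answer: Graph tokens may carry the Graph application id (00000003-0000-0000-c000-000000000000) as aud instead of the URL form, and the v2.0 endpoint issues a token for exactly one resource per request, so the builder refuses a scope list that spans Graph and Outlook rather than letting the endpoint reject it. The payload is decoded without verifying the signature, which is fine for troubleshooting an invalid-token error on the client but is not token validation; only the resource server validates.

```python
"""Inspect an access token's audience and build the refresh-token request that
trades it for a token scoped to a different resource (Azure AD v2.0 endpoint).
Added example, not part of the original question or answer."""
import base64
import json
from urllib.parse import urlencode, urlparse

# Values seen in the `aud` claim for each API. Microsoft Graph tokens carry
# either the URL form or the Graph service principal's application id.
GRAPH_AUDIENCES = {
    "https://graph.microsoft.com",
    "00000003-0000-0000-c000-000000000000",
}
OUTLOOK_AUDIENCES = {"https://outlook.office.com", "https://outlook.office365.com"}

# OIDC scopes are never qualified with a resource URL.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding (RFC 7515 section 2).
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWS WITHOUT verifying the signature.
    For client-side troubleshooting only; the resource server validates."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_audiences(token: str) -> set:
    """`aud` may be a single string or a list (RFC 7519 section 4.1.3)."""
    aud = jwt_claims(token).get("aud", [])
    return set(aud) if isinstance(aud, list) else {aud}


def audience_matches(token: str, expected: set) -> bool:
    """True if the token was issued for one of the audiences we are about to call."""
    return bool(token_audiences(token) & expected)


def qualify_scopes(scopes, resource: str) -> list:
    """Tasks.Read -> https://outlook.office.com/Tasks.Read; leave OIDC and
    already-qualified scopes alone."""
    return [
        s if s in OIDC_SCOPES or "://" in s else resource.rstrip("/") + "/" + s
        for s in scopes
    ]


def refresh_request_body(client_id, refresh_token, scopes, resource, client_secret=None):
    """Form fields for POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token.
    The v2.0 endpoint issues a token for one resource per request, so a scope
    list spanning two resources is rejected here instead of by the endpoint."""
    qualified = qualify_scopes(scopes, resource)
    resources = {"https://" + urlparse(s).netloc for s in qualified if "://" in s}
    if len(resources) > 1:
        raise ValueError(f"scopes span more than one resource: {sorted(resources)}")
    if "offline_access" not in qualified:
        qualified.append("offline_access")  # keep receiving refresh tokens
    body = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
        "scope": " ".join(qualified),
    }
    if client_secret:  # confidential clients only
        body["client_secret"] = client_secret
    return body


def unsigned_jwt(claims: dict) -> str:
    """Constructed sample token (alg=none) so the demo runs offline.
    Real Azure AD tokens are RS256-signed; never accept alg=none in production."""
    def enc(d):
        raw = json.dumps(d, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample resembling a Graph token payload (placeholder tenant id).
SAMPLE_GRAPH_TOKEN = unsigned_jwt({
    "aud": "https://graph.microsoft.com",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "scp": "Tasks.Read User.Read",
})

if __name__ == "__main__":
    print("aud:", token_audiences(SAMPLE_GRAPH_TOKEN))
    print("usable against Graph:  ", audience_matches(SAMPLE_GRAPH_TOKEN, GRAPH_AUDIENCES))
    print("usable against Outlook:", audience_matches(SAMPLE_GRAPH_TOKEN, OUTLOOK_AUDIENCES))
    # Trade the refresh token for an Outlook-audience token (placeholder values).
    body = refresh_request_body("<client-id>", "<refresh-token>", ["Tasks.Read"],
                                "https://outlook.office.com")
    print(urlencode(body))
```

Run the check before every call to a second API: if audience_matches returns False for the Outlook audiences, send the refresh request built by refresh_request_body and use the new access token instead of the Graph one.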
