我在 https://apps.dev.microsoft.com

具有以下应用程序权限:

with the following Application Permissions:

Calendars.Read(仅限管理员) Calendars.ReadWrite(仅限管理员) User.Read.All(仅限管理员)

以下是唯一对我有用的流程，能够订阅另一个租户上另一个用户的通知，如 这里

The following is the only flow that has worked for me to be able to subscribe to notifications of another user, on another tenant, as described here

管理员同意

然后通过此 URL 成功授予管理员同意

Admin consent was then successfully granted via this URL

https://login.microsoftonline.com/common/adminconsent?client_id=bbb35336-faee-4c10-84b4-34136634db41&state=1234&redirect_uri=https%3A%2F%2Fdashmeetings.com%2Fmicrosoft%2Foauth

获取访问令牌

然后从

POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token

带有标题

Content-Type=application/x-www-form-urlencoded

与{tenant}在回调url中返回tenant的值，

with {tenant} the value of tenant returned in the callback url,

和带有键值对的正文

grant_type=client_credentials
client_id=bbb35336-faee-4c10-84b4-34136634db41
client_secret=xxx
scope=https://graph.microsoft.com/.default

这将返回访问令牌，但不返回刷新令牌.

This returns an access token, but not a refresh token.

我认为这可能是因为未请求 offline_access.

I think this might be because offline_access isn't requested.

如何获取刷新令牌?

推荐答案

你部分正确，如果你请求 offline_access 范围，你只会收到一个 refresh_tokenem>并且您正在使用 authorization_code 授权流程.

You're partially correct, you will only receive a refresh_token if you request the offline_access scope and you are using the authorization_code grant flow.

刷新令牌在使用 implicit 授权时不可用，并且在使用 client_credentials 授权时是不必要的.使用 client_credentials 时，没有经过身份验证的用户，因此不需要刷新"令牌，因为您可以在需要时简单地请求新令牌.

Refresh tokens are not available when using the implicit grant and are unnecessary when using the client_credentials grant. When using client_credentials there isn't a user authenticated and therefore there isn't a need to "refresh" a token since you can simply request a new token when needed.