Registering your own app for OneDrive
Registering your app for OneDrive API mentions that two platform types are supported, web apps and mobile apps. The default is a web app, which needs one or more redirect URIs. For a native app you can choose mobile app; once you do, the redirect URI becomes urn:ietf:wg:oauth:2.0:oob (out-of-band authentication), which is exactly the result I wanted!
OneDrive authentication
OneDrive authentication and sign-in has a button for obtaining a test token: without registering a new app you can request a developer token that is bound to the signed-in account and valid for one hour. From https://dev.onedrive.com/auth/get-token.js we can see that the HTTP request it uses is the token flow, with the redirect URI set to https://dev.onedrive.com/auth/callback.htm. OneDrive authentication and sign-in also says that for mobile and desktop apps the redirect URI should be set to https://login.live.com/oauth20_desktop.srf (note: with urn:ietf:wg:oauth:2.0:oob, MSA does not respond at all).
Token Flow test
The HTTP GET request is as follows:
https://login.live.com/oauth20_authorize.srf?client_id=b9aaf3be-6892-42a5-8a04-4a87bc28ce7b&scope=onedrive.readonly+wl.signin&response_type=token&redirect_uri=https://login.live.com/oauth20_desktop.srf
The response is as follows; authentication fails:
https://login.live.com/oauth20_desktop.srf?lc=1033#error=unsupported_response_type&error_description=The+provided+value+for+the+input+parameter+'response_type'+is+not+allowed+for+this+client.+Expected+value+is+'code'.
I searched Microsoft's forums for a long time without finding why the Token Flow could not be used, and kept wondering whether Microsoft did not support it or my configuration was wrong. Later, after reading RFC 6749, The OAuth 2.0 Authorization Framework, I understood that the Token Flow is what the spec calls the Implicit Grant flow. If my app is configured as a web app, the Allow Implicit Flow checkbox is visible. So: when mobile app is selected, Microsoft does not support the Token Flow, and my configuration was fine!!!
Code Flow test
- The HTTP GET request for user sign-in is as follows:
https://login.live.com/oauth20_authorize.srf?client_id=b9aaf3be-6892-42a5-8a04-4a87bc28ce7b&scope=onedrive.readonly+wl.signin&response_type=code&redirect_uri=https://login.live.com/oauth20_desktop.srf
Request user consent:
At this point the address in the browser becomes:
https://account.live.com/Consent/Update?ru=https://login.live.com/oauth20_authorize.srf?lc=1033&client_id=b9aaf3be-6892-42a5-8a04-4a87bc28ce7b&scope=onedrive.readonly+wl.signin&response_type=code&redirect_uri=https://login.live.com/oauth20_desktop.srf&uaid=78...e6&pid=...16&mkt=EN-US&scft=DSA...hfC&contextid=7F...D6&mkt=EN-US&uiflavor=host&id=27...69&uaid=78...e6&client_id=00...42&rd=none&scope=&cscope=onedrive.readonly+wl.signin
- The final redirect URL contains the code parameter:
- The HTTP POST request for the access token carries the code obtained above:
POST https://login.live.com/oauth20_token.srf
Content-Type: application/x-www-form-urlencoded

client_id=b9aaf3be-6892-42a5-8a04-4a87bc28ce7b&redirect_uri=https://login.live.com/oauth20_desktop.srf&code=M9...5e-b...a-e...5-6685-d...06&grant_type=authorization_code
- Use the obtained access token with the OneDrive API:
References
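The Token Flow test and the Code Flow steps above, worked end to end as an added example in Python (not code from the original post, from Microsoft, or from the OneDrive SDKs). It builds the authorize URL for either response_type, classifies the URL the browser lands on (the code flow answers in the query string, the token flow and MSA errors in the fragment, as the failed response above shows), and constructs the token POST and the Bearer header. It assumes a placeholder client_id, adds a state parameter that the page's requests do not use (to bind the redirect back to the request that started it), and sends nothing over the network; the sample redirect URLs are the page's own error response and a constructed code response.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Microsoft Account (MSA) OAuth 2.0 endpoints used on this page.
AUTHORIZE_URL = "https://login.live.com/oauth20_authorize.srf"
TOKEN_URL = "https://login.live.com/oauth20_token.srf"
# Redirect URI the page recommends for mobile/desktop apps.
DESKTOP_REDIRECT_URI = "https://login.live.com/oauth20_desktop.srf"


def new_state():
    """Random, unguessable value that ties a redirect to the request we sent."""
    return secrets.token_urlsafe(16)


def build_authorize_url(client_id, scopes, response_type="code",
                        redirect_uri=DESKTOP_REDIRECT_URI, state=None):
    """Build the sign-in/consent URL.  response_type='code' is the code flow
    that worked for the page's mobile app; 'token' is the token (implicit)
    flow that MSA rejects for mobile apps."""
    params = {
        "client_id": client_id,
        "scope": " ".join(scopes),          # urlencode turns the space into '+'
        "response_type": response_type,
        "redirect_uri": redirect_uri,
    }
    if state is not None:
        params["state"] = state             # assumption: not in the page's requests
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_redirect(redirect_url, redirect_uri=DESKTOP_REDIRECT_URI,
                   expected_state=None):
    """Classify the URL the browser ends up on after sign-in.

    Returns a dict with kind 'code', 'token' or 'error'.  Raises ValueError
    if the target is not the registered redirect URI or the state is wrong."""
    parts = urlsplit(redirect_url)
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if base != redirect_uri:
        raise ValueError(f"unexpected redirect target: {base}")
    params = {}
    # Code flow answers in the query string; token flow and errors in the fragment.
    for raw in (parts.query, parts.fragment):
        for key, values in parse_qs(raw).items():
            params[key] = values[0]
    if expected_state is not None and params.get("state") != expected_state:
        raise ValueError("state mismatch: response is not bound to our request")
    if "error" in params:
        return {"kind": "error", "error": params["error"],
                "description": params.get("error_description", "")}
    if "code" in params:
        return {"kind": "code", "code": params["code"]}
    if "access_token" in params:
        return {"kind": "token", "access_token": params["access_token"]}
    raise ValueError("redirect carries neither code, token nor error")


def build_token_request(client_id, code, redirect_uri=DESKTOP_REDIRECT_URI):
    """The POST from the page, as a description an HTTP client can send."""
    body = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,       # must match the authorize request
        "code": code,
        "grant_type": "authorization_code",
    })
    return {"method": "POST", "url": TOKEN_URL,
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": body}


def bearer_header(access_token):
    """Header to attach to OneDrive API calls once the token has been issued."""
    return {"Authorization": "Bearer " + access_token}


# The page's failed token-flow response, verbatim.
PAGE_ERROR_REDIRECT = ("https://login.live.com/oauth20_desktop.srf?lc=1033"
                       "#error=unsupported_response_type&error_description="
                       "The+provided+value+for+the+input+parameter+'response_type'"
                       "+is+not+allowed+for+this+client.+Expected+value+is+'code'.")

if __name__ == "__main__":
    client_id = "00000000-0000-0000-0000-000000000000"   # placeholder app id
    state = new_state()
    print(build_authorize_url(client_id, ["onedrive.readonly", "wl.signin"],
                              state=state))
    print(parse_redirect(PAGE_ERROR_REDIRECT))
    # Constructed redirect of a successful code flow (sample value, not a real code).
    landed = f"{DESKTOP_REDIRECT_URI}?code=M.CONSTRUCTED-CODE&state={state}"
    result = parse_redirect(landed, expected_state=state)
    print(build_token_request(client_id, result["code"]))
```

parse_redirect checks the redirect target against the registered URI before reading any parameter, so a response that lands anywhere else is rejected rather than parsed; the state check does the same for responses that did not originate from this client's request.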
Getting started with OneDrive API
SDKs for OneDrive integration
Registering your app for OneDrive API
OneDrive authentication and sign-in
Sign-in Microsoft Account & Azure AD users in a single app
Develop with the OneDrive API
getting #error=unsupported_response_type&error_description=AADSTS70005: with token request