Web services Sharepoint Office 365 OAuth服务对list.asmx的身份验证_Web Services_Sharepoint_Oauth_Office365

Web services Sharepoint Office 365 OAuth服务对list.asmx的身份验证

web-services sharepoint oauth office365

Web services Sharepoint Office 365 OAuth服务对list.asmx的身份验证,web-services,sharepoint,oauth,office365,Web Services,Sharepoint,Oauth,Office365,我正在尝试从外部网站访问Office 365中的Sharepoint列表数据。我在Azure Active Directory中注册了我的应用程序，我已经完成了创建和信任证书以及获取访问令牌的所有过程 Add-Type -Path ".\Microsoft.IdentityModel.Clients.ActiveDirectory.dll" $authenticationContext = New-Object Microsoft.IdentityModel.Clients.ActiveDir

我正在尝试从外部网站访问Office 365中的Sharepoint列表数据。我在Azure Active Directory中注册了我的应用程序，我已经完成了创建和信任证书以及获取访问令牌的所有过程

Add-Type -Path ".\Microsoft.IdentityModel.Clients.ActiveDirectory.dll"

$authenticationContext = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext -ArgumentList "https://login.microsoftonline.com/{myTenantId}/", $false

$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cer.Import(".\WithPrivateKey.pfx", "privateKey", [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet)

$clientAssertion = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.ClientAssertionCertificate -ArgumentList "{myClientId}", $cer

$authenticationResult = $authenticationContext.AcquireToken("https://{tenantName}.sharepoint.com", $clientAssertion)

$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Authorization", "Bearer " + $authenticationResult.AccessToken)

通过在请求头中显示访问令牌，我可以成功调用Sharepoint REST Api

$response = Invoke-RestMethod -Uri https://{myTenantName}.sharepoint.com/sites/devSite/_vti_bin/ListData.svc/TestList -Method Get -Headers $headers

但是，无论何时尝试调用这些服务上的任何方法，我都无法访问asmx端点，例如Lists.asmx

$body = '<?xml version="1.0" encoding="utf-8"?>
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
  <soap12:Body>
    <GetList xmlns="http://schemas.microsoft.com/sharepoint/soap/">
      <listName>TestList</listName>
    </GetList>
  </soap12:Body>
</soap12:Envelope>'

$response = Invoke-WebRequest -Uri https://{myTenantName}.sharepoint.com/sites/site/_vti_bin/Lists.asmx -Method Post -ContentType 'application/soap+xml' -Headers $headers -Body $body

$body=
测试列表
'
$response=Invoke WebRequest-urihttps://{myTenantName}.sharepoint.com/sites/site//\u vti\u bin/Lists.asmx-Method Post-ContentType'application/soap+xml'-Headers$Headers-Body$Body

ADAL从Azure AD获取的令牌仅用于Office 365 REST API（上面的代码使用OAuth2.0，该代码为REST API获取JSON湿令牌）。此令牌不适用于SharePoint web服务

要使用SharePoint web服务，我们需要使用对SharePoint进行身份验证 SharePoint声明身份验证。有关SharePoint身份验证的更多详细信息，您可以参考以下链接：

在深入研究.net Sharepoint客户端sdk之后，我发现了SharepointOnlineCredential类是如何做到这一点的，从而允许访问Sharepoint SOAP服务

因此，正如Fei Xue所说，Azure AD令牌对于访问Sharepoint SOAP服务无效（尽管该令牌对于允许访问REST服务有效…）。要访问Sharepoint Online services，您需要通过请求用户同意或直接使用已知用户和密码来使用某种声明身份验证

由于我们无法在php应用程序中使用.net SDK，我们已经研究了SDK在直接使用用户凭据时如何创建请求以获得身份验证：

首先将身份验证凭据作为SAML WSSecurity POST请求发送到身份验证端点：对该请求的响应将设置一个cookie，我们需要捕获该cookie并在对soap服务的下一个请求中使用它：

Set-Cookie: SPOIDCRL=77u/PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz48U1A+VHJ1ZSwwaC5mfG1lbWJlcnNoaXB8MTAwMzdmZmU5NTc2YzdlZUBsaXZlLmNvbSwwIy5mfG1lbWJlcnNoaXB8Y2xvdWRAYXNlbWJsaWFkZXYub25taWNyb3NvZnQuY29tLDEzMTAxMjE4ODQ0Mzc0NDcxMjsxMzA5NTg5NTQ0NTAwMDAwMDAsRmFsc2UsUCtRcmlFSFRkRnZCNkJEREZFek1mK3RVaGlzZTZtdnl1R0N4aXpjaWpyRUdxZk1BN1RpdTJNdGN0VE42TVNjdi9Cbjd2OXRxS2VPaTBzWTdlTnRqNkFESmRubFM2S0ttVjdoeHRWNjdtY3FlQVQzYWJGeDFEVFd5dEJsOWZ3MDJkZ2JTakV3eUM3WTRIWXg0ek5UYUtvUTZacGFXR0NjZ0svZEtEbloya3ozdGFBblVPM1gvUkxBeUorYkZac2RGclBCRGF4aDNTMGpBTml2VTBzb0pJR0FFRmdsQzVaMWhxU28rekZFMU5UV01oMXphMjNPYUU0TjJUNHVjd1BlaEREKzR4Ry9yMWdXMC9zOWdTaGxTMlc1U29iVDhTY2NyYi80aG9Xb1Y2TWxva0t1bXBNOWc4cCtxb0xFL3dtaElDUm9MRGhQSXR1anhoSjlqb2lZY1RBPT0saHR0cHM6Ly9hc2VtYmxpYWRldi5zaGFyZXBvaW50LmNvbS9fdnRpX2Jpbi9pZGNybC5zdmMvPC9TUD4=; path=/; secure; HttpOnly

最后，通过将此cookie附加到Sharepoint Services的每个请求，我们可以得到经过身份验证的响应：

POSThttps://yourtenantname.sharepoint.com/_vti_bin/Lists.asmx HTTP/1.1
主持人：yourtentname.sharepoint.com
内容类型：应用程序/soap+xml；字符集=utf-8
内容长度：[计算]
曲奇：SPOIDCRL=77u/PD94BWGDMVYC2LVBJ0IMS4WIBLBMNvzgluz0IdxRmlTpz48U1A+VHJ1zSWAC5Mfg1LbwjLbwjLbWjLcNcNc8Tc2YzDdLbWjLbWjLcNc5Nc2LbWc2LbWjLc2LbWc2LbJ0IbJ0IMS4IbS4WIBLBzLbWzLbWzLbWzLbWzLbWzLbWzLbWzLbWzLbWzLbWzLc2Lc2Lc2IbWzLc2IbWzLbWzLbWzLbWzLc2IdBzLbWzLc2IbWgLc2IdBzLbWzLc2IdAffzazrnHD5RefqmKWmZrzjDaulzQe929QAK13EM5ITKg4BhveqxDkCvLlde16NSTOUA84切割机切割机切割机切割机切割机切割机切割机切割机切割机切割机切割机切割机切割机切割机切割机切割机Lzanjnazdrvazb3pt0sahr0chm6ly9hc2vtymxpywrldi5zagfyzbvaw50lmnvbs9fdnrpx2jpbi9pzgnybc5zdmmvpc9tud4=；路径=/；保护HttpOnly

我理解，但是该链接使用重定向来获得用户同意，但是我们不能让用户参与，因为这是服务器到服务器的身份验证。如果是这样，您需要使用Office 365 REST API或SharePoint REST服务，而不是SharePoint web服务。SharePoint Online client SDK允许您这样做，使用用户帐户和密码，但无需用户同意。由于这是一个php应用程序，我们不能使用sdk，但需要使用原始http，请参阅下面的答案。很好的发现。你们调查过请求用户同意的流程吗？

....
<wst:RequestedSecurityToken>
    <wsse:BinarySecurityToken Id="Compact0">t=EwA4A06hBwAUNfDkMme61kIdXqvj9tWnUbHtXWEAAREB5clgLb8J/VvxRFIKLUnd9SRyoBHmTHFk0viit2FMlGXak5NJKJhicT8MiZmgA2HoTrJM1EgXCNUpmWqrX1LQRNfs0PHEV4XncjI9lnphsSTiFSCDjmdCKtW4TmV8n18xJHvBtDUWdvCT2lBti8/gf1oiqD5lQBPtxr+d4OwNtJHADEKpC/YIoatcKqgxI480tlWOZHpEL1wifo5EDMDRRc985ObMCZ31fPdSpA7WIbDzlZYX9ou6Cq7EybrIHsAcr5cPIJ8y0FRUacma9+dMxqr/lILAIyAYz/GdTNffa2Q3zJOSWW5RcnigtCApHgf83HjW8DqC6NgTrXs6rpUDZgAACC/4JZlSLB3JCALIntkKmNtRl2JLvwUljkXrP5jg5ipK/J/fGF3oc46aP/YT3VnrrD6TCV5ZECki5ycYZ6JR5RDK6OSqI9c5FDfFS/YmSCcdcaJ1cG2Ug3Oz3w14mznYGwmvrgyGvw35aoyjnKZALw8OQ2Ddi97gbe03L4rrM7CxTGwEPgoKCK7USkwxZT+myLJASVhd29+eNsTqd7wuphhLrzbgYZ+7swlJb3oIJw/2T7YvJ4fTPByaLxGaBt7iry74aSh/RnXdH3snOQnsr63bXqqoDJGcj7A3aIpElw2LlW2/PGh84zke3corp2q/jg7PEKCnV8PYN2xiwSfqY9vNCny14xhHEPsK8FWDBOPDpgeC18qz+FpTN0rGUMXl20bxJGxGqnQ+s8k0Gu9yTxoZKWPSeVihJk6qUQo6KJb/NE/QRco94QDUjMYi+gccGN0D1ouUe+O0fb0InXeM+98qfXJLQAjoUtgS8rRJUAqFk5XVwebGbx0ICRv3Q/wiJ7T5yUryMBTtwbaGf/07QuGTv9CW2UTsV9zT1nMSRDfUpelZrgZt6huLnDRLC8yVHfXjndMwONdymxWcD9sLb8EcNmTUFHDfBrv8XFb50PNJAV4qvK8CgVmWu2C2GWXoZfYkaR6o6jpliQdT5NcNnb9wNy36OqDnIWl0ZNM1SOzVX0yQOLeaf8+1bslaafyYMAbhcAI=&amp;p=
   </wsse:BinarySecurityToken>
</wst:RequestedSecurityToken>                
...

GET https://yourtenantname/_vti_bin/idcrl.svc/ 
Host: yourtenant.sharepoint.com
Authorization: BPOSIDCRL t=EwA4A06hBwAUNfDkMme61kIdXqvj9tWnUbHtXWEAAREB5clgLb8J/VvxRFIKLUnd9SRyoBHmTHFk0viit2FMlGXak5NJKJhicT8MiZmgA2HoTrJM1EgXCNUpmWqrX1LQRNfs0PHEV4XncjI9lnphsSTiFSCDjmdCKtW4TmV8n18xJHvBtDUWdvCT2lBti8

Set-Cookie: SPOIDCRL=77u/PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz48U1A+VHJ1ZSwwaC5mfG1lbWJlcnNoaXB8MTAwMzdmZmU5NTc2YzdlZUBsaXZlLmNvbSwwIy5mfG1lbWJlcnNoaXB8Y2xvdWRAYXNlbWJsaWFkZXYub25taWNyb3NvZnQuY29tLDEzMTAxMjE4ODQ0Mzc0NDcxMjsxMzA5NTg5NTQ0NTAwMDAwMDAsRmFsc2UsUCtRcmlFSFRkRnZCNkJEREZFek1mK3RVaGlzZTZtdnl1R0N4aXpjaWpyRUdxZk1BN1RpdTJNdGN0VE42TVNjdi9Cbjd2OXRxS2VPaTBzWTdlTnRqNkFESmRubFM2S0ttVjdoeHRWNjdtY3FlQVQzYWJGeDFEVFd5dEJsOWZ3MDJkZ2JTakV3eUM3WTRIWXg0ek5UYUtvUTZacGFXR0NjZ0svZEtEbloya3ozdGFBblVPM1gvUkxBeUorYkZac2RGclBCRGF4aDNTMGpBTml2VTBzb0pJR0FFRmdsQzVaMWhxU28rekZFMU5UV01oMXphMjNPYUU0TjJUNHVjd1BlaEREKzR4Ry9yMWdXMC9zOWdTaGxTMlc1U29iVDhTY2NyYi80aG9Xb1Y2TWxva0t1bXBNOWc4cCtxb0xFL3dtaElDUm9MRGhQSXR1anhoSjlqb2lZY1RBPT0saHR0cHM6Ly9hc2VtYmxpYWRldi5zaGFyZXBvaW50LmNvbS9fdnRpX2Jpbi9pZGNybC5zdmMvPC9TUD4=; path=/; secure; HttpOnly

POST https://yourtenantname.sharepoint.com/_vti_bin/Lists.asmx HTTP/1.1
Host: yourtenantname.sharepoint.com
Content-Type: application/soap+xml; charset=utf-8
Content-Length: [calculate]
Cookie: SPOIDCRL=77u/PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz48U1A+VHJ1ZSwwaC5mfG1lbWJlcnNoaXB8MTAwMzdmZmU5NTc2YzdlZUBsaXZlLmNvbSwwIy5mfG1lbWJlcnNoaXB8Y2xvdWRAYXNlbWJsaWFkZXYub25taWNyb3NvZnQuY29tLDEzMTAxMjExNjM5MjM3NTM1ODsxMzA5NTg5NTQ0NTAwMDAwMDAsRmFsc2UsdEFEQUZZSnZiMFF6cWxFSFlKOGRPN1d1cnJ5RzJvcGxTelBueWFMUzhrNitjenBGT0JVK292M1VkSWhydGU3TXFMOHRJaFFzazRrNHd5REFqMklDUDcyMWpES3hKWmZRZjdaUlZQeisrUi92c09Qak13em5ITkg4bHVEQXdKcVlLdE16NStoaU84cUtTRzNZWEJYbWF4SDk1cDZtSDlaMVRzaFVDRXZMZ3ZIbkt6aWlPclh4UDE2RDBmZHlTRWxsU0Radmt2Tkg0UHBLT2VGbjI5S25qSk9veDVha21TZVlIbTY2ZnF5S0tpOUJmMHdjRmlyelNRZzBWZTc4NW1JZ1ZaQUY2VTArVEI0QVRvVXRVVFFqTnd4ODJEZE9jbWlqQ25NUTUzUHUrWEFIT25lenFVb1dPTXovVWk5V2VSTUMvMWZiOUpsUmZMNlZaNjNaZDRVazB3PT0saHR0cHM6Ly9hc2VtYmxpYWRldi5zaGFyZXBvaW50LmNvbS9fdnRpX2Jpbi9pZGNybC5zdmMvPC9TUD4=; path=/; secure; HttpOnly

<?xml version="1.0" encoding="utf-8"?>
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
  <soap12:Body>
    <GetListCollection xmlns="http://schemas.microsoft.com/sharepoint/soap/" />
  </soap12:Body>
                </soap12:Envelope>