我创建了 azure ad Multi-Tenancy 应用程序以允许组织和公共(public)电子邮件。 目前正在 .net 控制台应用程序上进行测试。
var tenantId = "d0748657 ........";
var clientId = "23a9c7a6 ........";
var authorityUri = $"https://login.microsoftonline.com/common";
var redirectUri = "http://localhost";
var pca = PublicClientApplicationBuilder
.Create(clientId)
.WithAuthority(new Uri(authorityUri))
.WithRedirectUri(redirectUri)
.Build();
现在说到 smtpScope,我正在使用 https://outlook.office365.com/SMTP.Send
var smtpScope = new string[] { "https://outlook.office365.com/SMTP.Send", };
var accounts = await pca.GetAccountsAsync();
AuthenticationResult result = null;
if (accounts.Any())
result = await pca.AcquireTokenSilent(smtpScope, accounts.FirstOrDefault()).ExecuteAsync();
else
{
try
{
result = await pca.AcquireTokenInteractive(smtpScope).ExecuteAsync();
}
catch (MsalException ex)
{
Console.WriteLine($"Error acquiring access token: {ex}");
}
Console.WriteLine($"Token : {result.AccessToken}");
当我使用我的组织电子邮件登录时,我收到 token 并且一切正常,但当我使用我的个人 Outlook 帐户登录时,我收到此错误
获取访问 token 时出错:MSAL.Desktop.4.56.0.0.MsalServiceException: 错误代码:invalid_scope Microsoft.Identity.Client.MsalServiceException:为输入参数“范围”提供的资源值无效
我在这里缺少什么? smtpScope 不正确吗?
最佳答案
当我在我的环境中运行您的代码时,我在个人 Outlook 帐户中也遇到了相同的错误:
var tenantId = "d0748657 ........";
var clientId = "23a9c7a6 ........";
var authorityUri = $"https://login.microsoftonline.com/common";
var redirectUri = "http://localhost";
var pca = PublicClientApplicationBuilder
.Create(clientId)
.WithAuthority(new Uri(authorityUri))
.WithRedirectUri(redirectUri)
.Build();
var smtpScope = new string[] { "https://outlook.office365.com/SMTP.Send", };
var accounts = await pca.GetAccountsAsync();
AuthenticationResult result = null;
if (accounts.Any())
result = await pca.AcquireTokenSilent(smtpScope, accounts.FirstOrDefault()).ExecuteAsync();
else
{
try
{
result = await pca.AcquireTokenInteractive(smtpScope).ExecuteAsync();
}
catch (MsalException ex)
{
Console.WriteLine($"Error acquiring access token: {ex}");
}
Console.WriteLine($"Token : {result.AccessToken}");
回应:
AFAIK,
SMTP.Send
permission is currently available only for work or school(organizational) accounts, not personal Microsoft accounts after Feb 2023 to generate OAuth2 access token.
当我使用组织帐户再次运行相同的代码时,我在响应中成功获得了 token ,如下所示:
为了确认这一点,我对 jwt.ms 中的 token 进行了解码其中 aud
和 scp
声明如下:
或者,您可以通过添加 Mail.Send
切换到 Microsoft Graph API,以从个人 Outlook 帐户发送邮件。为此,请通过替换 scope 值来修改代码:
using Microsoft.Identity.Client;
var clientId = "appId";
var authorityUri = $"https://login.microsoftonline.com/common";
var redirectUri = "http://localhost";
var pca = PublicClientApplicationBuilder
.Create(clientId)
.WithAuthority(new Uri(authorityUri))
.WithRedirectUri(redirectUri)
.Build();
var graphScopes = new string[] { "https://graph.microsoft.com/Mail.Send" };
var accounts = await pca.GetAccountsAsync();
AuthenticationResult result = null;
if (accounts.Any())
{
result = await pca.AcquireTokenSilent(graphScopes, accounts.FirstOrDefault()).ExecuteAsync();
}
else
{
try
{
result = await pca.AcquireTokenInteractive(graphScopes).ExecuteAsync();
}
catch (MsalException ex)
{
Console.WriteLine($"Error acquiring access token: {ex}");
}
Console.WriteLine($"Token : {result.AccessToken}");
}
当我通过运行上述代码使用个人 Outlook 帐户登录时,我收到如下同意提示:
接受上述同意后,我在控制台中成功获取了访问 token ,如下所示:
引用: SMTP.Send OAuth permission not working for consumer accounts - Microsoft Q&A by Akshay-MSFT
关于.net - Azure AD 异常 Microsoft.Identity.Client.MsalServiceException : The provided value for the input parameter 'scope' is not valid,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/77234044/