node.js - GET https ://graph. microsoft.com/v1.0/me 返回 401(未经授权)，前提是具有 User.Read 权限的有效访问 token

Question

我使用“simple-oauth2”生成一个访问 token ，如下所示

import { AuthorizationCode } from 'simple-oauth2';

scopes = ['offline_access', 'https://outlook.office.com/IMAP.AccessAsUser.All',
          'https://outlook.office.com/SMTP.Send','User.Read'];

async getCredentials(code: string) {
    const client = new AuthorizationCode(this.oauthConfig);

    let tokenParams = {
        code,
        redirect_uri: config.MICROSOFT_CREDENTIALS.REDIRECT_URIS[0],
        scope: this.scopes.join(' ')
    }

    return await client.getToken(tokenParams)
};

// Result from getCredentials
AccessToken {
  token: {
    token_type: 'Bearer',
    scope: 'https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send https://outlook.office.com/User.Read',
    expires_in: 3599,
    ext_expires_in: 3599,
    access_token: 'eyJ0eXAiOiJKV1QiLCJub25jZSI6I...',
    refresh_token: '0.ATUAd-LjmxfEgkWp0wIFCKwhpRA-z-...',     
    expires_at: 2020-09-25T01:13:08.970Z
  }
}

关注此guide ，然后我将 access_token 字段传递给 https://graph.microsoft.com/v1.0/me 的 GET 请求

getUserProfile(accessToken: string) {
     return axios.get("https://graph.microsoft.com/v1.0/me", {
         headers: {
            Authorization: 'Bearer ' + accessToken,
            'Content-Type': 'application/json'
        }
     })
     .then((res) => {
         return res.data;
     })
     .catch((reason) => {
         console.log("getUserProfile failed");
         console.log(reason);
     })
};

此操作失败并出现以下错误

getUserProfile failed
Error: Request failed with status code 401
    at createError (C:\Users\me\Desktop\projects\proj\node_modules\axios\lib\core\createError.js:16:15)
    at settle (C:\Users\me\Desktop\projects\proj\node_modules\axios\lib\core\settle.js:17:12)
    at IncomingMessage.handleStreamEnd (C:\Users\me\Desktop\projects\proj\node_modules\axios\lib\adapters\http.js:236:11)
    at IncomingMessage.emit (events.js:323:22)
    at IncomingMessage.EventEmitter.emit (domain.js:482:12)
    at endReadableNT (_stream_readable.js:1204:12)
    at processTicksAndRejections (internal/process/task_queues.js:84:21) {
  config: {
    url: 'https://graph.microsoft.com/v1.0/me',
    method: 'get',
    headers: {
      Accept: 'application/json, text/plain, */*',
      Authorization: 'Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6IjByZ0t3MFRLOEF...',
      'Content-Type': 'application/json',
      'User-Agent': 'axios/0.19.2'
    },
    transformRequest: [ [Function: transformRequest] ],
    transformResponse: [ [Function: transformResponse] ],
    timeout: 0,
    adapter: [Function: httpAdapter],
    xsrfCookieName: 'XSRF-TOKEN',
    xsrfHeaderName: 'X-XSRF-TOKEN',
    maxContentLength: -1,
    validateStatus: [Function: validateStatus],
    data: undefined
  },
  request: ClientRequest {
    _events: [Object: null prototype] {
      socket: [Function],
      abort: [Function],
      aborted: [Function],
      error: [Function],
      timeout: [Function],
      prefinish: [Function: requestOnPrefinish]
    },
    _eventsCount: 6,
    _maxListeners: undefined,
    outputData: [],
    outputSize: 0,
    writable: true,
    _last: true,
    chunkedEncoding: false,
    shouldKeepAlive: false,
    useChunkedEncodingByDefault: false,
    sendDate: false,
    _removedConnection: false,
    _removedContLen: false,
    _removedTE: false,
    _contentLength: 0,
    _hasBody: true,
    _trailer: '',
    finished: true,
    _headerSent: true,
    socket: TLSSocket {
      _tlsOptions: [Object],
      _secureEstablished: true,
      _securePending: false,
      _newSessionPending: false,
      _controlReleased: true,
      _SNICallback: null,
      servername: 'graph.microsoft.com',
      alpnProtocol: false,
      authorized: true,
      authorizationError: null,
      encrypted: true,
      _events: [Object: null prototype],
      _eventsCount: 9,
      connecting: false,
      _hadError: false,
      _parent: null,
      _host: 'graph.microsoft.com',
      _readableState: [ReadableState],
      readable: true,
      _maxListeners: undefined,
      _writableState: [WritableState],
      writable: false,
      allowHalfOpen: false,
      _sockname: null,
      _pendingData: null,
      _pendingEncoding: '',
      server: undefined,
      _server: null,
      ssl: [TLSWrap],
      _requestCert: true,
      _rejectUnauthorized: true,
      parser: null,
      _httpMessage: [Circular],
      [Symbol(res)]: [TLSWrap],
      [Symbol(asyncId)]: 1233,
      [Symbol(kHandle)]: [TLSWrap],
      [Symbol(lastWriteQueueSize)]: 0,
      [Symbol(timeout)]: null,
      [Symbol(kBuffer)]: null,
      [Symbol(kBufferCb)]: null,
      [Symbol(kBufferGen)]: null,
      [Symbol(kCapture)]: false,
      [Symbol(kBytesRead)]: 0,
      [Symbol(kBytesWritten)]: 0,
      [Symbol(connect-options)]: [Object]
    },
    connection: TLSSocket {
      _tlsOptions: [Object],
      _secureEstablished: true,
      _securePending: false,
      _newSessionPending: false,
      _controlReleased: true,
      _SNICallback: null,
      servername: 'graph.microsoft.com',
      alpnProtocol: false,
      authorized: true,
      authorizationError: null,
      encrypted: true,
      _events: [Object: null prototype],
      _eventsCount: 9,
      connecting: false,
      _hadError: false,
      _parent: null,
      _host: 'graph.microsoft.com',
      _readableState: [ReadableState],
      readable: true,
      _maxListeners: undefined,
      _writableState: [WritableState],
      writable: false,
      allowHalfOpen: false,
      _sockname: null,
      _pendingData: null,
      _pendingEncoding: '',
      server: undefined,
      _server: null,
      ssl: [TLSWrap],
      _requestCert: true,
      _rejectUnauthorized: true,
      parser: null,
      _httpMessage: [Circular],
      [Symbol(res)]: [TLSWrap],
      [Symbol(asyncId)]: 1233,
      [Symbol(kHandle)]: [TLSWrap],
      [Symbol(lastWriteQueueSize)]: 0,
      [Symbol(timeout)]: null,
      [Symbol(kBuffer)]: null,
      [Symbol(kBufferCb)]: null,
      [Symbol(kBufferGen)]: null,
      [Symbol(kCapture)]: false,
      [Symbol(kBytesRead)]: 0,
      [Symbol(kBytesWritten)]: 0,
      [Symbol(connect-options)]: [Object]
    },
    _header: 'GET /v1.0/me HTTP/1.1\r\n' +
      'Accept: application/json, text/plain, */*\r\n' +
      'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6IjByZ0t...\r\n' +
      'Content-Type: application/json\r\n' +
      'User-Agent: axios/0.19.2\r\n' +
      'Host: graph.microsoft.com\r\n' +
      'Connection: close\r\n' +
      '\r\n',
    _onPendingData: [Function: noopPendingOutput],
    agent: Agent {
      _events: [Object: null prototype],
      _eventsCount: 2,
      _maxListeners: undefined,
      defaultPort: 443,
      protocol: 'https:',
      options: [Object],
      requests: {},
      sockets: [Object],
      freeSockets: {},
      keepAliveMsecs: 1000,
      keepAlive: false,
      maxSockets: Infinity,
      maxFreeSockets: 256,
      maxCachedSessions: 100,
      _sessionCache: [Object],
      [Symbol(kCapture)]: false
    },
    socketPath: undefined,
    method: 'GET',
    insecureHTTPParser: undefined,
    path: '/v1.0/me',
    _ended: true,
    res: IncomingMessage {
      _readableState: [ReadableState],
      readable: false,
      _events: [Object: null prototype],
      _eventsCount: 3,
      _maxListeners: undefined,
      socket: [TLSSocket],
      connection: [TLSSocket],
      httpVersionMajor: 1,
      httpVersionMinor: 1,
      httpVersion: '1.1',
      complete: true,
      headers: [Object],
      rawHeaders: [Array],
      trailers: {},
      rawTrailers: [],
      aborted: false,
      upgrade: false,
      url: '',
      method: null,
      statusCode: 401,
      statusMessage: 'Unauthorized',
      client: [TLSSocket],
      _consuming: false,
      _dumped: false,
      req: [Circular],
      responseUrl: 'https://graph.microsoft.com/v1.0/me',
      redirects: [],
      [Symbol(kCapture)]: false
    },
    aborted: false,
    timeoutCb: null,
    upgradeOrConnect: false,
    parser: null,
    maxHeadersCount: null,
    reusedSocket: false,
    _redirectable: Writable {
      _writableState: [WritableState],
      writable: true,
      _events: [Object: null prototype],
      _eventsCount: 2,
      _maxListeners: undefined,
      _options: [Object],
      _redirectCount: 0,
      _redirects: [],
      _requestBodyLength: 0,
      _requestBodyBuffers: [],
      _onNativeResponse: [Function],
      _currentRequest: [Circular],
      _currentUrl: 'https://graph.microsoft.com/v1.0/me',
      [Symbol(kCapture)]: false
    },
    [Symbol(kCapture)]: false,
    [Symbol(kNeedDrain)]: false,
    [Symbol(corked)]: 0,
    [Symbol(kOutHeaders)]: [Object: null prototype] {
      accept: [Array],
      authorization: [Array],
      'content-type': [Array],
      'user-agent': [Array],
      host: [Array]
    }
  },
  response: {
    status: 401,
    statusText: 'Unauthorized',
    headers: {
      'cache-control': 'private',
      'content-type': 'application/json',
      'request-id': '6026815f-6c31-48c3-9b70-a6eb3cda8e44',
      'client-request-id': '6026815f-6c31-48c3-9b70-a6eb3cda8e44',
      'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"West US","Slice":"SliceC","Ring":"5","ScaleUnit":"002","RoleInstance":"AGSFE_IN_13"}}',
      'www-authenticate': 'Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000"',
      'strict-transport-security': 'max-age=31536000',
      date: 'Fri, 25 Sep 2020 00:13:11 GMT',
      connection: 'close',
      'content-length': '330'
    },
    config: {
      url: 'https://graph.microsoft.com/v1.0/me',
      method: 'get',
      headers: [Object],
      transformRequest: [Array],
      transformResponse: [Array],
      timeout: 0,
      adapter: [Function: httpAdapter],
      xsrfCookieName: 'XSRF-TOKEN',
      xsrfHeaderName: 'X-XSRF-TOKEN',
      maxContentLength: -1,
      validateStatus: [Function: validateStatus],
      data: undefined
    },
    request: ClientRequest {
      _events: [Object: null prototype],
      _eventsCount: 6,
      _maxListeners: undefined,
      outputData: [],
      outputSize: 0,
      writable: true,
      _last: true,
      chunkedEncoding: false,
      shouldKeepAlive: false,
      useChunkedEncodingByDefault: false,
      sendDate: false,
      _removedConnection: false,
      _removedContLen: false,
      _removedTE: false,
      _contentLength: 0,
      _hasBody: true,
      _trailer: '',
      finished: true,
      _headerSent: true,
      socket: [TLSSocket],
      connection: [TLSSocket],
      _header: 'GET /v1.0/me HTTP/1.1\r\n' +
        'Accept: application/json, text/plain, */*\r\n' +
        'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6IjByZ0...\r\n' +
        'Content-Type: application/json\r\n' +
        'User-Agent: axios/0.19.2\r\n' +
        'Host: graph.microsoft.com\r\n' +
        'Connection: close\r\n' +
        '\r\n',
      _onPendingData: [Function: noopPendingOutput],
      agent: [Agent],
      socketPath: undefined,
      method: 'GET',
      insecureHTTPParser: undefined,
      path: '/v1.0/me',
      _ended: true,
      res: [IncomingMessage],
      aborted: false,
      timeoutCb: null,
      upgradeOrConnect: false,
      parser: null,
      maxHeadersCount: null,
      reusedSocket: false,
      _redirectable: [Writable],
      [Symbol(kCapture)]: false,
      [Symbol(kNeedDrain)]: false,
      [Symbol(corked)]: 0,
      [Symbol(kOutHeaders)]: [Object: null prototype]
    },
    data: { error: [Object] }
  },
  isAxiosError: true,
  toJSON: [Function]

Documentation对于/me 和 guide声明我只需要 User.Read 来获取我的权限，并且我的 headers 是正确的，所以我不知道为什么会失败。我用于测试的 Microsoft 帐户是工作帐户。

我曾短暂尝试过使用 Graph SDK，但我觉得这种方法已经成功了 99%。

总体而言，我正在尝试保存用户的电子邮件地址，以便我可以使用 OAuth2 token 通过 IMAP 和 SMTP 连接到 O365。如果我将我所知道的电子邮件地址硬编码为一切正常，那么通过图表自动检索用户的电子邮件地址是我最不需要的。

Answer 1

您不应使用不属于该 API 的 token 。您正在调用 Microsoft graph api，但您正在请求 Outlook 的 token ，因此您只需将范围更改为:

scopes = ['offline_access', 'https://graph.microsoft.com/.default'];

另一种方法是保留当前范围并调用 GET https://outlook.office365.com/api/v2.0/me/ 来获取登录用户的信息。