I tried to create an application with which a user in another company/tenant could access his/her OneDrive storage, but it failed. It would be really appreciated if anyone could tell me at which step(s) I made a mistake.

(I had searched the posts and it seems the same issue has not been reported here.)

Details as below: The user ([email protected]), who is in Tenant X, wants to use the service/system (which is developed by Tenant Y) to access the files in his/her OneDrive storage.

1.) Tenant Y already has the Azure service and has subscribed to the Office 365 service (as the OneDrive API needs an SPO license).

2.) In the AAD of Tenant Y, I added the user's email ([email protected]) to the Azure Active Directory (AAD) as a guest user; the user received the notification email and accepted it.

3.) In the AAD of Tenant Y, I registered a new application, selected the "Accounts in any organizational directory" option in the "Supported account types" section, and set up the redirect URI.

4.) Added the delegated API privileges for the Graph API (such as Files.ReadWrite and Files.ReadWrite.All), and approved the newly added privilege requests.

5.) Created a new client secret for the application.

6.) With the tenant ID, client ID and client secret of the application, I could now start the OAuth2 authentication flow for the user ([email protected]), and finally I got the access token for this user.

7.) With the access token, there is no problem getting the user's profile: https://graph.microsoft.com/v1.0/me

8.) It complains with a 401 Unauthorized error for this request: https://graph.microsoft.com/v1.0/me/drive . (By the way, such a request is no problem for a user in the same Tenant Y.)

Response as follows:

HTTP/1.1 401 Unauthorized
Cache-Control: private
Content-Type: application/json
request-id: ffef8bc9-11e7-4d07-9df3-e3cee81ef7b2
client-request-id: ffef8bc9-11e7-4d07-9df3-e3cee81ef7b2
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"East Asia","Slice":"SliceC","Ring":"4","ScaleUnit":"002","RoleInstance":"AGSFE_IN_19"}}
Strict-Transport-Security: max-age=31536000
Date: Wed, 24 Jun 2020 07:13:00 GMT
Content-Length: 249
 
{
  "error": {
    "code": "accessDenied",
    "message": "There has been an error authenticating the request.",
    "innerError": {
      "date": "2020-06-24T07:13:01",
      "request-id": "ffef8bc9-11e7-4d07-9df3-e3cee81ef7b2"
    }
  }
}
Edited 07/02:

Appended the requests used to get the access token:

1.) Use this GET request to get the authorization code: https://login.microsoftonline.com/{tenant-id-of-TenantY}/oauth2/v2.0/authorize?client_id={client-id}&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%2Fpersonal%2Ftoken&response_mode=query&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2F.default&prompt=consent&state=13570

2.) [email protected] signs in and approves the auth request, and the local HTTP server gets the auth code.

3.) Send a POST request to: https://login.microsoftonline.com/{tenant-id-of-TenantY}/oauth2/v2.0/token, with the request parameters in the body, to get the access token, as in the image in the link (screenshot of the POST request).

4.) Use the resulting access token to send the target Graph API request. The result would be as in this image (result of the /me/drive API).

1 Answer

Adding [email protected] as a guest user in Tenant Y is unnecessary. Just make sure that it has an SPO license in Tenant X.

And before you call the Microsoft Graph API for the user, construct the URL for granting tenant-wide admin consent to it. See the reference here.

https://login.microsoftonline.com/{tenant-id of Tenant X}/adminconsent?client_id={client-id of the Azure AD app in Tenant Y}

Log in with an admin in Tenant X to do the admin consent for Tenant X. After that you can access the OneDrive storage of the user in Tenant X.

Please note that you should call the /authorize and /token endpoints for Tenant X.

https://login.microsoftonline.com/{tenant-id-of-TenantX}/oauth2/v2.0/authorize?client_id={client-id}&......

AND

POST https://login.microsoftonline.com/{tenant-id-of-TenantX}/oauth2/v2.0/token
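The answer's point, as an added Python example that is not part of the original post: every URL (admin consent, /authorize, /token) is built against the user's home tenant (Tenant X), while the client id comes from the app registered in Tenant Y. The tenant ids and client id are placeholders, the JWT is constructed locally for offline testing, and the `tid` check is an extra diagnostic of my own for spotting a token that was minted by the wrong tenant's endpoint.

```python
import base64
import json
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"
SCOPE = "openid offline_access https://graph.microsoft.com/.default"
# Placeholder ids (not real tenants): the user's home tenant and the app registered in Tenant Y.
TENANT_X = "tenant-x-id-placeholder"
CLIENT_ID = "client-id-placeholder"

def admin_consent_url(user_home_tenant: str, client_id: str) -> str:
    """Tenant-wide admin consent for the multi-tenant app, granted inside the user's own tenant."""
    return f"{AUTHORITY}/{user_home_tenant}/adminconsent?{urlencode({'client_id': client_id})}"

def authorize_url(user_home_tenant: str, client_id: str, redirect_uri: str, state: str) -> str:
    """Authorization-code request sent to the user's home tenant, not to the app's tenant."""
    params = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
              "response_mode": "query", "scope": SCOPE, "state": state}
    return f"{AUTHORITY}/{user_home_tenant}/oauth2/v2.0/authorize?{urlencode(params)}"

def token_request(user_home_tenant: str, client_id: str, client_secret: str,
                  code: str, redirect_uri: str) -> tuple:
    """URL and form body for redeeming the code; POST the body as application/x-www-form-urlencoded."""
    body = {"client_id": client_id, "client_secret": client_secret, "grant_type": "authorization_code",
            "code": code, "redirect_uri": redirect_uri, "scope": SCOPE}
    return f"{AUTHORITY}/{user_home_tenant}/oauth2/v2.0/token", body

def token_tenant(access_token: str) -> str:
    """Unverified read of the 'tid' claim: which tenant issued this token. Diagnostic only;
    no signature check happens here, so never base an authorization decision on it."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["tid"]

def issued_for_user_tenant(access_token: str, user_home_tenant: str) -> bool:
    """True when the token was issued by the user's own tenant. A token minted by Tenant Y's
    endpoint for a guest user is the symptom behind the 401 on /me/drive in the question."""
    return token_tenant(access_token) == user_home_tenant

def constructed_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT for offline testing of token_tenant(); not a real Microsoft token."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

if __name__ == "__main__":
    tok = constructed_jwt({"tid": "tenant-y-id-placeholder", "upn": "user@example.com"})
    print(admin_consent_url(TENANT_X, CLIENT_ID))
    print("issued by user's tenant:", issued_for_user_tenant(tok, TENANT_X))
```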