问题描述
我已经使用.NET5创建了一个WebAPI,使用Azure AD对用户进行身份验证。我正在使用Postman生成访问令牌,并且WebAPI在作为持有者传递访问令牌时起作用。
我想使用访问令牌调用Graph API来获取用户日历&;配置文件,但无法这样做。我已经关注了下面提到的几篇文章,但没有运气。
使用访问令牌调用/我图形API时出现无效的身份验证令牌错误仅使用我的组织的应用程序注册。我已将委派权限添加到Graph API。
已使用公开API创建自定义作用域,因为WebAPI引发签名无效错误。
我的WebAPI在StartUp.cs中配置服务代码:
services.AddMicrosoftIdentityWebApiAuthentication(Configuration);
我的AppSettings.json
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "<Domain",
"ClientId": "<ClientId>",
"TenantId": "<TenantId>"
},
我试着关注了几篇代表Flow的文章
https://joonasw.net/view/azure-ad-on-behalf-of-aspnet-core
Struggle with MS Graph and asp.net Core API
我迷路了,非常感谢您的帮助。
EDIT1:
我尝试实现Farid建议的解决方案。 邮递员输出返回HTML响应以登录。它是一个ASP.NET Core 5 WebAPI,因此我将ConfigureServices代码更改为以下代码:
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApi(Configuration.GetSection("AzureAd"))
.EnableTokenAcquisitionToCallDownstreamApi()
.AddMicrosoftGraph(Configuration.GetSection("DownstreamApi"))
.AddInMemoryTokenCaches();
我收到以下错误。
System.InvalidOperationException: No authenticationScheme was specified, and there was no DefaultChallengeScheme found. The default schemes can be set using either AddAuthentication(string defaultScheme) or AddAuthentication(Action<AuthenticationOptions> configureOptions).
at Microsoft.AspNetCore.Authentication.AuthenticationService.ChallengeAsync(HttpContext context, String scheme, AuthenticationProperties properties)
at Microsoft.AspNetCore.Authorization.Policy.AuthorizationMiddlewareResultHandler.HandleAsync(RequestDelegate next, HttpContext context, AuthorizationPolicy policy, PolicyAuthorizationResult authorizeResult)
at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext)
at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider)
at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
更新:
我使用以下代码解决了该错误:
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme) .AddMicrosoftIdentityWebApi(Configuration.GetSection("AzureAd"))
.EnableTokenAcquisitionToCallDownstreamApi() .AddMicrosoftGraph(Configuration.GetSection("DownstreamApi"))
.AddInMemoryTokenCaches();
我可以读取我的个人资料,但无法获取日历项目。这可能是由于管理员同意的要求。
推荐答案
根据您提供的信息,您的令牌似乎已过期,因此首先尝试重新生成令牌,此外,您已经添加了Delegated permissions
这很好,但我怀疑您在添加Graph API权限后是否添加了授予管理员同意。所以这是强制性的,请仔细检查一下。请参见下面的屏幕截图。请按照以下步骤使用Microsoft Graph API
获取令牌和用户信息
授予管理员同意:
令牌获取示例:
勾选appsettings.json
,应如下所示:
{
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "yourdemain.onmicrosoft.com",
"TenantId": "",
"ClientId": "",
"ClientSecret": "",
"ClientCertificates": [
],
"CallbackPath": "/signin-oidc"
},
"DownstreamApi": {
"BaseUrl": "https://graph.microsoft.com/v1.0",
"Scopes": "https://graph.microsoft.com/.default"
},
"Logging": {
"LogLevel": {
"Default": "Information",
"Microsoft": "Warning",
"Microsoft.Hosting.Lifetime": "Information"
}
},
"AllowedHosts": "*"
}
Startup.cs
public void ConfigureServices(IServiceCollection services)
{
string[] initialScopes = Configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(' ');
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"))
.EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
.AddMicrosoftGraph(Configuration.GetSection("DownstreamApi"))
.AddInMemoryTokenCaches();
services.AddControllersWithViews(options =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
});
services.AddRazorPages()
.AddMicrosoftIdentityUI();
}
注意:您可以忽略
startup.cs
.EnableTokenAcquisitionToCallDownstreamApi(initialScopes) .AddMicrosoftGraph(Configuration.GetSection("DownstreamApi"))
下的ConfigureServices
中的以下两项服务 因为我使用Graph API SDK
并从appsettings.json
所以在示例中,我为您的 测试用例。因此,这不是必需的,也不取决于您。
控制器操作:
public async Task<object> GetUserInfoFromGraphAPI()
{
try
{
//Initialize on behalf of user token aquisition service
var _tokenAcquisition = this.HttpContext.RequestServices.GetRequiredService<ITokenAcquisition>() as ITokenAcquisition;
//define the scope
string[] scopes = new string[] { "https://graph.microsoft.com/.default" };
//Getting token from Azure Active Directory
string accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(scopes);
//Request Grap API end point
HttpClient _client = new HttpClient();
HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, string.Format("https://graph.microsoft.com/v1.0/me"));
//Passing Token For this Request
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
HttpResponseMessage response = await _client.SendAsync(request);
//Get User into from grpah API
dynamic userInfo = JsonConvert.DeserializeObject<dynamic>(await response.Content.ReadAsStringAsync());
return userInfo;
}
catch (Exception ex)
{
throw;
}
}
输出:
注意:有关完整的解决方案,请访问GitHub Link
希望它能帮助您实现目标。
这篇关于ASP.NET Core 5 WebAPI-Azure AD-使用Azure广告访问令牌的调用图API的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持编程学习网!