Getting access to "employeeId" or "jobTitle" from AzureAd with ASP.NET Core 2.2

Question (votes: 0, answers: 1)

I am trying to extend the claims returned from AzureAd. I know there are more available, but I don't know where to start. The documentation is all over the place.

I basically have an ASP.NET Core 2.2 web application configured as follows:

            services.Configure<CookiePolicyOptions>(options =>
            {
                // This lambda determines whether user consent for non-essential cookies is needed for a given request.
                options.CheckConsentNeeded = context => true;
                options.MinimumSameSitePolicy = SameSiteMode.None;
            });

            services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
                .AddAzureAD(options => Configuration.Bind("AzureAd", options));

            services.AddMvc(options =>
            {
                var policy = new AuthorizationPolicyBuilder()
                    .RequireAuthenticatedUser()
                    .Build();
                options.Filters.Add(new AuthorizeFilter(policy));
            })
            .SetCompatibilityVersion(CompatibilityVersion.Version_2_2);

When I try to access the claims with the code below, I only get the standard claims, while AzureAd and Graph have loads more.

            var claimsIdentity = User.Identity as ClaimsIdentity;
            ClaimsDetected = claimsIdentity?.Claims.ToList();

I have tweaked the manifest file with various options, but nothing seems to have any effect. I have googled my *ss off - but all the documentation is all over the place and either inconsistent or outdated.

Does anyone have a working example or tutorial, or can anyone tell me how to enrich my claim set with the specific types I find in Graph?

Thanks

asp.net-core azure-active-directory claims-based-identity claims
1 Answer

1 vote

To get jobTitle from Azure AD into your Claims, you need to obtain an access token and fetch jobTitle through the Graph API.

Detailed steps:

  1. To obtain an access token, you need a ClientSecret from the App registrations in Azure.
  2. App registrations -> your application -> Settings -> Keys -> enter "ClientSecret" (or any string) as the key description -> choose an expiry that suits your scenario -> copy the generated ClientSecret.
  3. Startup.cs:

        // Namespaces needed for the code below (ADAL lives in the Microsoft.IdentityModel.Clients.ActiveDirectory package).
        using System;
        using System.Net.Http;
        using System.Net.Http.Headers;
        using System.Security.Claims;
        using System.Threading.Tasks;
        using Microsoft.AspNetCore.Authentication.AzureAD.UI;
        using Microsoft.AspNetCore.Authentication.OpenIdConnect;
        using Microsoft.AspNetCore.Authorization;
        using Microsoft.AspNetCore.Builder;
        using Microsoft.AspNetCore.Http;
        using Microsoft.AspNetCore.Mvc;
        using Microsoft.AspNetCore.Mvc.Authorization;
        using Microsoft.Extensions.DependencyInjection;
        using Microsoft.IdentityModel.Clients.ActiveDirectory;
        using Newtonsoft.Json.Linq;

        public void ConfigureServices(IServiceCollection services)
        {
            services.Configure<CookiePolicyOptions>(options =>
            {
                // This lambda determines whether user consent for non-essential cookies is needed for a given request.
                options.CheckConsentNeeded = context => true;
                options.MinimumSameSitePolicy = SameSiteMode.None;
            });

            services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
                .AddAzureAD(options => Configuration.Bind("AzureAd", options));

            services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
            {
                // Hybrid flow: the id_token signs the user in, the authorization code is redeemed for a Graph access token.
                options.ResponseType = "id_token code";
                // The ClientSecret generated in step 2; read it from configuration or a secret store rather than hard-coding it.
                options.ClientSecret = Configuration["AzureAd:ClientSecret"];
                options.Events = new OpenIdConnectEvents
                {
                    OnAuthorizationCodeReceived = async context =>
                    {
                        // Acquire a token for the Graph API using ADAL.
                        var authContext = new AuthenticationContext(context.Options.Authority);
                        var credential = new ClientCredential(context.Options.ClientId, context.Options.ClientSecret);
                        var authResult = await authContext.AcquireTokenByAuthorizationCodeAsync(
                            context.TokenEndpointRequest.Code,
                            new Uri(context.TokenEndpointRequest.RedirectUri, UriKind.RelativeOrAbsolute),
                            credential,
                            "https://graph.microsoft.com");

                        // Notify the OIDC middleware that we already took care of code redemption.
                        context.HandleCodeRedemption(authResult.AccessToken, context.ProtocolMessage.IdToken);

                        using (var client = new HttpClient())
                        using (var request = new HttpRequestMessage(HttpMethod.Get, "https://graph.microsoft.com/v1.0/me"))
                        {
                            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
                            HttpResponseMessage response = await client.SendAsync(request);
                            response.EnsureSuccessStatusCode();
                            var result = await response.Content.ReadAsStringAsync();

                            // Parse the /me response into a JSON object and pick the jobTitle property.
                            var user = JObject.Parse(result);
                            var jobTitle = user["jobTitle"]?.Value<string>();

                            // Add the claim only when Graph returned a value: Claim rejects a null value.
                            if (!string.IsNullOrEmpty(jobTitle) && context.Principal.Identity is ClaimsIdentity identity)
                            {
                                identity.AddClaim(new Claim("jobTitle", jobTitle));
                            }
                        }
                    },
                };
            });

            services.AddMvc(options =>
            {
                var policy = new AuthorizationPolicyBuilder()
                    .RequireAuthenticatedUser()
                    .Build();
                options.Filters.Add(new AuthorizeFilter(policy));
            })
            .SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
        }
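The following is an added example, not part of the answer above and not code from Microsoft's libraries. It factors the Graph call out of the OpenID Connect event into a helper so the JSON-to-claims mapping can be unit-tested without a tenant, requests only the properties that are needed (the `$select` query and the assumption that `employeeId` must be requested explicitly on the v1.0 `/me` resource are mine), fails loudly when Graph rejects the token instead of yielding a principal without the expected claims, and skips properties Graph returns as null rather than throwing from `Claim`'s constructor. The class and method names and the `SampleJson` value are constructed for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

// Added example (hypothetical helper, not the answer's own code): maps selected
// properties of the Graph /me response to claims on the signed-in identity.
public static class GraphClaims
{
    // Properties to copy onto the principal. employeeId is not in the default /me
    // projection, so it is requested explicitly with $select (assumption about the
    // Graph v1.0 user resource; adjust the list to what your tenant exposes).
    public static readonly string[] Properties = { "jobTitle", "employeeId" };

    // Constructed sample response: jobTitle set, employeeId not populated in the directory.
    public const string SampleJson = "{\"jobTitle\":\"Security Engineer\",\"employeeId\":null}";

    // Pure mapping step, so it can be tested offline with SampleJson.
    public static IReadOnlyList<Claim> ToClaims(string json, IEnumerable<string> properties)
    {
        var user = JObject.Parse(json);
        var claims = new List<Claim>();
        foreach (var name in properties)
        {
            var token = user[name];
            // Absent or JSON null: add no claim instead of passing a null value to Claim.
            if (token == null || token.Type == JTokenType.Null) continue;
            var value = token.Value<string>();
            if (string.IsNullOrWhiteSpace(value)) continue;
            claims.Add(new Claim(name, value));
        }
        return claims;
    }

    // Calls Graph with the bearer token obtained during code redemption and adds
    // the resulting claims to the identity. Call it from OnAuthorizationCodeReceived
    // after HandleCodeRedemption, passing authResult.AccessToken.
    public static async Task AddGraphClaimsAsync(HttpClient client, string accessToken, ClaimsIdentity identity)
    {
        var url = "https://graph.microsoft.com/v1.0/me?$select=" + string.Join(",", Properties);
        using (var request = new HttpRequestMessage(HttpMethod.Get, url))
        {
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
            using (var response = await client.SendAsync(request))
            {
                // A rejected call (expired token, User.Read not consented) must surface here,
                // otherwise the user is signed in without the claims later authorization relies on.
                if (!response.IsSuccessStatusCode)
                {
                    throw new InvalidOperationException($"Graph /me returned HTTP {(int)response.StatusCode}");
                }

                var json = await response.Content.ReadAsStringAsync();
                foreach (var claim in ToClaims(json, Properties))
                {
                    identity.AddClaim(claim);
                }
            }
        }
    }
}
```

With `SampleJson`, `ToClaims` produces only the `jobTitle` claim, because `employeeId` is JSON null and is skipped. Once the claims are on the identity they can gate access like any other claim, for example with `services.AddAuthorization(o => o.AddPolicy("HasJobTitle", p => p.RequireClaim("jobTitle")))` and `[Authorize(Policy = "HasJobTitle")]` on a controller; since the claims are added once at sign-in, a directory change is only picked up at the next sign-in, which is worth keeping in mind when an authorization decision depends on them.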