Is it secure to integrate with the SharePoint Online API from a console application hosted on an on-premises VM?

Question (votes: 0, answers: 1)

I have the following console application, which integrates with SharePoint Online. The console application is hosted on an on-premises VM and authenticates to SharePoint using a ClientId, a TenantID and a certificate, as follows:

using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using PnP.Core.Auth;
using PnP.Core.Model.SharePoint;
using PnP.Core.QueryModel;
using PnP.Core.Services;
using PnP.Core.Services.Builder.Configuration;
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

namespace ConsoleApp4
{
    internal class Program
    {
        static async Task Main(string[] args)
        {
            var tenantId = "b***c";
            var clientId = "7*****9";
            var certificatePath = @"c:\CERT\SPDashBoardIntegration.pfx";
            var certificatePassword = "***";

            // Initialize a new service collection
            var serviceCollection = new ServiceCollection();

            // Load the certificate from the .pfx file.
            // Note: the Exportable flag is not needed for signing; the private key only has to be usable by this process.
            var certificate = new X509Certificate2(certificatePath, certificatePassword, X509KeyStorageFlags.Exportable);

            // Configure logging
            serviceCollection.AddLogging(builder =>
            {
                builder.AddConsole();
            });

            // Add and configure PnP Core SDK
            serviceCollection.AddPnPCore(options =>
            {
                options.PnPContext.GraphFirst = true; // Set true if you prefer to use Graph over CSOM when possible
                // options.HttpRequests.UserAgent = "ISV|Contoso|ProductX";
                options.Sites.Add("SiteToWorkWith", new PnPCoreSiteOptions
                {
                    SiteUrl = "https://********.sharepoint.com/sites/********-******",
                    AuthenticationProvider = new X509CertificateAuthenticationProvider(clientId, tenantId, certificate)
                });
            });

            // Build the service provider
            var serviceProvider = serviceCollection.BuildServiceProvider();

            // Use the service provider to get the IPnPContextFactory instance
            var pnpContextFactory = serviceProvider.GetRequiredService<IPnPContextFactory>();

            // Now you can use the IPnPContextFactory to get a PnPContext and perform operations
            using var context = await pnpContextFactory.CreateAsync("SiteToWorkWith");

            // Assume the fields were not yet loaded, so load them together with the list
            var workOrderList = context.Web.Lists.GetByTitle("Work Orders", p => p.Title,
                p => p.Fields.QueryProperties(p => p.InternalName,
                                              p => p.FieldTypeKind,
                                              p => p.TypeAsString,
                                              p => p.Title));

            Console.WriteLine($"Loaded list '{workOrderList.Title}'");
        }
    }
}

Now my question is: is this a secure approach? I mean, when the VM sends the ClientID, client secret and certificate to SharePoint Online, is that information secure on the network? In other words, does the console application communicate with SharePoint in a secure way when it sends the credentials (ClientID, client secret and certificate)? If not, how can we make sure of this?

Thanks

asp.net-core console-application sharepoint-online office365api azure-app-registration
1 answer

0 votes

The security of the code shown can be improved by using an Azure Active Directory (AAD) managed identity for the VM instead of storing the certificate credentials directly in the code. Here is how to modify the code:

  1. Remove the certificate credentials:

Remove the lines that define tenantId, clientId, certificatePath and certificatePassword.

  2. Configure the AAD managed identity:

Enable a managed identity for the on-premises VM by following Microsoft's instructions at https://learn.microsoft.com/en-us/entra/identity/driven-identities-azure-resources/overview. Assign the required permissions (for example Sites.Manage.All) to the managed identity in the Azure AD app registration for SharePoint Online access.

  3. Update the PnP Core configuration:

Modify the serviceCollection.AddPnPCore section to use AzureADAuthenticationProvider instead of X509CertificateAuthenticationProvider.
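What the certificate flow actually sends, as an added example (not the post's code, and not PnP Core's, which performs this step internally): the private key only signs a short-lived JWT assertion, and that assertion plus the ClientId is what goes over TLS to the token endpoint, so the certificate, its password and the key never cross the network. The example also loads the certificate from the machine store rather than from a .pfx path with a hard-coded password; the thumbprint, tenant id, client id and SharePoint tenant name are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Text.Json;

static class ClientAssertionDemo
{
    static string B64Url(byte[] b) => Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Load the certificate from the machine store by thumbprint (placeholder value supplied by caller)
    // instead of a .pfx plus password in source: the private key can then stay non-exportable.
    public static X509Certificate2 LoadFromStore(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        return found.Count > 0 ? found[0] : throw new InvalidOperationException("certificate not found");
    }

    // Build the RS256-signed JWT client assertion (header.claims.signature), as MSAL does internally.
    // The private key only signs this short-lived token; the key itself never leaves the process.
    public static string BuildAssertion(X509Certificate2 cert, string tenantId, string clientId)
    {
        var header = JsonSerializer.Serialize(new { alg = "RS256", typ = "JWT", x5t = B64Url(cert.GetCertHash()) });
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        var claims = JsonSerializer.Serialize(new
        {
            aud = $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token",
            iss = clientId, sub = clientId, jti = Guid.NewGuid().ToString(), nbf = now, exp = now + 300
        });
        string input = B64Url(Encoding.UTF8.GetBytes(header)) + "." + B64Url(Encoding.UTF8.GetBytes(claims));
        using RSA rsa = cert.GetRSAPrivateKey() ?? throw new InvalidOperationException("no RSA private key");
        byte[] sig = rsa.SignData(Encoding.UTF8.GetBytes(input), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return input + "." + B64Url(sig);
    }

    // The complete body POSTed (over HTTPS only) to the token endpoint: the app id and the signed
    // assertion. No certificate, no private key and no .pfx password appear anywhere in it.
    public static Dictionary<string, string> TokenRequestBody(X509Certificate2 cert, string tenantId, string clientId, string spTenant) =>
        new()
        {
            ["client_id"] = clientId,
            ["grant_type"] = "client_credentials",
            ["scope"] = $"https://{spTenant}.sharepoint.com/.default",
            ["client_assertion_type"] = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            ["client_assertion"] = BuildAssertion(cert, tenantId, clientId),
        };
}
```

The bearer token returned by the token endpoint is what the application then presents to SharePoint Online, again over HTTPS, so the remaining risk sits on the VM itself (who can read the key or the .pfx), not on the wire.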
