我正在将“AAD 代码替换为 MSAL”
登录页面首先点击Starup.cs
这里我使用用户信息生成令牌,如果生成的令牌我检查了jwt编码器,它显示了范围。
启动.cs
var graphApiResource ="https://graph.microsoft.com/";
IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(this.Configuration["Authentication:AzureAd:ClientId"])
.WithRedirectUri(x.Properties.Items[OpenIdConnectDefaults.RedirectUriForCodePropertiesKey])
.WithClientSecret(this.Configuration["Authentication:AzureAd:ClientSecret"])
.WithAuthority(this.Configuration["Authentication:AzureAd:AADInstance"] + this.Configuration["Authentication:AzureAd:TenantId"])
.Build();
var scopes = new string[] { $"{graphApiResource}/.default" };
AuthenticationResult authenticationResult;
authenticationResult = await app.AcquireTokenByAuthorizationCode(scopes, x.ProtocolMessage.Code).ExecuteAsync();
var token = authenticationResult.AccessToken;
这工作得很好。 在这个startup.cs代码从userinfo.cs运行之后,它正在生成令牌,但由于我在生成令牌时没有传递任何用户详细信息,生成的令牌内部没有范围,无法成功使用它。
用户信息.cs
var graphApiResource ="https://graph.microsoft.com/";
IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(this.configuration["Authentication:AzureAd:ClientId"])
.WithRedirectUri($"{this.httpContextAccessor?.HttpContext.Request.Scheme}://{this.httpContextAccessor?.HttpContext.Request.Host}{this.configuration["Authentication:AzureAd:CallbackPath"]}")
.WithClientSecret(this.configuration["Authentication:AzureAd:ClientSecret"])
.WithAuthority(this.configuration["Authentication:AzureAd:AADInstance"] + this.configuration["Authentication:AzureAd:TenantId"])
.Build();
var scopes = new string[] { $"{graphApiResource}/.default" };
AuthenticationResult authenticationResult;
authenticationResult = await app.AcquireTokenForClient(scopes).ExecuteAsync();
var token = authenticationResult.AccessToken;
请注意,在使用解码令牌的
roles
声明中可见的客户端凭据流时,您需要授予Application类型的权限。
我注册了一个 Azure AD 应用程序并授予了
API permissions
的 Application 类型,如下所示:
现在,我使用客户端凭据流程和代码生成了访问令牌,如下所示:
using Microsoft.Identity.Client;
var graphApiResource = "https://graph.microsoft.com/";
IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create("appID")
.WithClientSecret("secret")
.WithAuthority("https://login.microsoftonline.com/tenantId/oauth2/v2.0/authorize")
.Build();
var scopes = new string[] { $"{graphApiResource}/.default" };
AuthenticationResult authenticationResult;
authenticationResult = await app.AcquireTokenForClient(scopes).ExecuteAsync();
var token = authenticationResult.AccessToken;
Console.WriteLine($"Access Token: {token}\n");
回复:
为了确认,我在 jwt.ms 网站中解码了此令牌,该网站具有
roles
声明和 Application 权限,如下所示:
您现在可以使用此令牌来获取该租户中任何用户的用户信息,如下所示:
static async Task GetUserDetails(string accessToken, string userId)
{
var graphApiEndpoint = $"https://graph.microsoft.com/v1.0/users/{userId}";
using (var client = new HttpClient())
{
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
var jsonResponse = await client.GetStringAsync(graphApiEndpoint);
Console.WriteLine("User Details:");
Console.WriteLine(jsonResponse);
}
}
回复:
如果您的用例是获取登录用户详细信息,则必须使用委托流(例如授权代码流、交互流等)...通过授予委托权限来生成涉及用户交互的访问令牌.