如果已经通过身份验证,则获取 Azure AD 图形令牌
Get Azure AD Graph Token if already Authenticated
我对 Azure AD Graph 和身份验证过程还很陌生。我能够使用 Azure AD Graph 客户端合并单点登录,如本例中使用 .NET MVC 应用程序所见:https://github.com/Azure-Samples/active-directory-dotnet-graphapi-web
我的困境是,即使我已经验证了我的会话,它仍然要求我再次登录以执行在下面的控制器中找到的操作:
public ActionResult Test()
{
if (Request.QueryString["reauth"] == "True")
{
//Send an OpenID Connect sign -in request to get a new set of tokens.
// If the user still has a valid session with Azure AD, they will not be prompted for their credentials.
// The OpenID Connect middleware will return to this controller after the sign-in response has been handled.
HttpContext.GetOwinContext()
.Authentication.Challenge(OpenIdConnectAuthenticationDefaults.AuthenticationType);
}
// Access the Azure Active Directory Graph Client
ActiveDirectoryClient client = AuthenticationHelper.GetActiveDirectoryClient();
// Obtain the current user's AD objectId
string userObjectID = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
// Query and obtain the current user object from the Azure AD Graph Client
User user = (User)client.Users.
Where(u => u.ObjectId
.Equals(userObjectID, StringComparison.CurrentCultureIgnoreCase)).
ExecuteSingleAsync().
Result;
// Get the employee Id from Azure AD (via a directory extension)
IReadOnlyDictionary<string, object> extendedProperty = user.GetExtendedProperties();
object extendedProp = extendedProperty["extension_ExtensionId_employeeID"];
// Hash the employee Id
var empId = PasswordHash.ArgonHashString(extendedProp.ToString(), PasswordHash.StrengthArgon.Moderate);
// Send to the view for testing only
ViewBag.EmployeeName = user.DisplayName;
ViewBag.EmployeeEmail = user.Mail;
ViewBag.EmployeeId = empId;
return View();
}
我得到的错误是:
“/”应用程序中的服务器错误
需要授权
黄框内有如下几行代码:
Line 22: if (token == null || token.IsEmpty())
Line 23: {
Line 24: throw new Exception("Authorization Required.");
Line 25: }
Line 26: return token;
由于我对身份验证部分还很陌生,因此我需要一些有关如何获取当前会话令牌的指导,以免出现此错误。
我正在使用 Azure AD Graph,因为我在 Azure 中获取了一个我无法通过 Microsoft Graph 获取的特定目录扩展(目前并基于我当前的截止日期)。
任何建议都会有所帮助。
如果token为空,用户需要重新授权。如 code sample 所示,您可以使用 try catch 语句来处理异常:
try
{
}
catch (Exception e)
{
//
// The user needs to re-authorize. Show them a message to that effect.
//
ViewBag.ErrorMessage = "AuthorizationRequired";
return View(userList);
}
向用户显示消息(例如,Index.cshtml 在用户视图文件夹中):
@if (ViewBag.ErrorMessage == "AuthorizationRequired")
{
<p>You have to sign-in to see Users. Click @Html.ActionLink("here", "Index", "Users", new { reauth = true }, null) to sign-in.</p>
}
如果您想直接发送 OpenID Connect 登录请求以获取一组新的令牌而不是向用户显示错误消息,您可以使用:
catch (Exception e)
{
....
HttpContext.GetOwinContext()
.Authentication.Challenge(new AuthenticationProperties {RedirectUri = "/"},
OpenIdConnectAuthenticationDefaults.AuthenticationType);
.....
}
如果用户与 Azure AD 的会话仍然有效,则不会提示他们 credentials.The OpenID Connect 中间件将在处理登录响应后 return 到当前控制器.
我对 Azure AD Graph 和身份验证过程还很陌生。我能够使用 Azure AD Graph 客户端合并单点登录,如本例中使用 .NET MVC 应用程序所见:https://github.com/Azure-Samples/active-directory-dotnet-graphapi-web
我的困境是,即使我已经验证了我的会话,它仍然要求我再次登录以执行在下面的控制器中找到的操作:
public ActionResult Test()
{
if (Request.QueryString["reauth"] == "True")
{
//Send an OpenID Connect sign -in request to get a new set of tokens.
// If the user still has a valid session with Azure AD, they will not be prompted for their credentials.
// The OpenID Connect middleware will return to this controller after the sign-in response has been handled.
HttpContext.GetOwinContext()
.Authentication.Challenge(OpenIdConnectAuthenticationDefaults.AuthenticationType);
}
// Access the Azure Active Directory Graph Client
ActiveDirectoryClient client = AuthenticationHelper.GetActiveDirectoryClient();
// Obtain the current user's AD objectId
string userObjectID = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
// Query and obtain the current user object from the Azure AD Graph Client
User user = (User)client.Users.
Where(u => u.ObjectId
.Equals(userObjectID, StringComparison.CurrentCultureIgnoreCase)).
ExecuteSingleAsync().
Result;
// Get the employee Id from Azure AD (via a directory extension)
IReadOnlyDictionary<string, object> extendedProperty = user.GetExtendedProperties();
object extendedProp = extendedProperty["extension_ExtensionId_employeeID"];
// Hash the employee Id
var empId = PasswordHash.ArgonHashString(extendedProp.ToString(), PasswordHash.StrengthArgon.Moderate);
// Send to the view for testing only
ViewBag.EmployeeName = user.DisplayName;
ViewBag.EmployeeEmail = user.Mail;
ViewBag.EmployeeId = empId;
return View();
}
我得到的错误是:
“/”应用程序中的服务器错误 需要授权
黄框内有如下几行代码:
Line 22: if (token == null || token.IsEmpty())
Line 23: {
Line 24: throw new Exception("Authorization Required.");
Line 25: }
Line 26: return token;
由于我对身份验证部分还很陌生,因此我需要一些有关如何获取当前会话令牌的指导,以免出现此错误。
我正在使用 Azure AD Graph,因为我在 Azure 中获取了一个我无法通过 Microsoft Graph 获取的特定目录扩展(目前并基于我当前的截止日期)。
任何建议都会有所帮助。
如果token为空,用户需要重新授权。如 code sample 所示,您可以使用 try catch 语句来处理异常:
try
{
}
catch (Exception e)
{
//
// The user needs to re-authorize. Show them a message to that effect.
//
ViewBag.ErrorMessage = "AuthorizationRequired";
return View(userList);
}
向用户显示消息(例如,Index.cshtml 在用户视图文件夹中):
@if (ViewBag.ErrorMessage == "AuthorizationRequired")
{
<p>You have to sign-in to see Users. Click @Html.ActionLink("here", "Index", "Users", new { reauth = true }, null) to sign-in.</p>
}
如果您想直接发送 OpenID Connect 登录请求以获取一组新的令牌而不是向用户显示错误消息,您可以使用:
catch (Exception e)
{
....
HttpContext.GetOwinContext()
.Authentication.Challenge(new AuthenticationProperties {RedirectUri = "/"},
OpenIdConnectAuthenticationDefaults.AuthenticationType);
.....
}
如果用户与 Azure AD 的会话仍然有效,则不会提示他们 credentials.The OpenID Connect 中间件将在处理登录响应后 return 到当前控制器.