Azure B2C 无法访问图形 api
Azure B2C cannot access graph api
我使用以下代码获得了访问令牌来获取图形客户端:
string graphResourceID = "https://graph.windows.net";
string tenantID = ConfigurationManager.AppSettings["ida:Domain"];
string aadInstance = "https://login.microsoftonline.com/" + tenantID +
"/oauth2/v2.0/token";
Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential credential = new Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential(clientId, appKey);
AuthenticationContext authenticationContext = new AuthenticationContext(aadInstance);
authenticationContext.TokenCache.Clear();
var authResult = await authenticationContext.AcquireTokenAsync(graphResourceID,clientcred);
然后尝试使用令牌通过 AD 图表获取已登录用户的信息 api:
Uri servicePointUri = new Uri(graphResourceID);
Uri serviceRoot = new Uri(servicePointUri, tenantID);
ActiveDirectoryClient activeDirectoryClient = new ActiveDirectoryClient(serviceRoot,async () => await GetTokenForApplication());
var result = await activeDirectoryClient.Users.Where(u => u.ObjectId.Equals(userObjectID)).ExecuteAsync();
IUser user = result.CurrentPage.ToList().First();
return View(user);
但是,这个returns出现如下错误:
"error": {
"code": "Authorization_IdentityNotFound",
"message": "The identity of the calling application could not be established.",
"innerError": {
"request-id": "2bdae8ff-d935-4e01-80a1-78cbc8acf4de",
"date": "2017-08-09T18:07:40"
我确保 mu B2C 应用程序具有 Windows Active Directory 的 "Read and Write Directory Data" 权限:
有人可以帮忙吗?坚持了一段时间。 TIA
编辑
我也试过使用 Microsoft.Graph 但最终得到了同样的错误。另外,对于 B2C 用户,我认为最好暂时坚持使用 Azure Ad Graph api:https://dev.office.com/blogs/microsoft-graph-or-azure-ad-graph
看来你是用Azure AD库来操作Graph的API。我建议您可以使用 Microsoft.Graph 来做到这一点。请同时使用 Microsoft Graph 设置权限。
注意:不要忘记单击[授予权限]按钮。
下面是演示代码
string graphResourceId = "https://graph.microsoft.com/";
string authority = "https://login.microsoftonline.com/{0}";
string tenantId = "tenantId";
string clientId = "client Id";
string secretKey = "secret key"
var accessToken = authContext.AcquireTokenAsync(graphResourceId, new ClientCredential(clientId,secret)).Result.AccessToken;
var graphserviceClient = new GraphServiceClient(
new DelegateAuthenticationProvider(
requestMessage =>
{
requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", accessToken);
return Task.FromResult(0);
}));
var user = graphserviceClient.Users.Request().GetAsync().Result.FirstOrDefault();
测试结果:
更新:
我还使用 Azure B2c 使用 Azure AD graph API 进行了测试,它在我这边也能正常工作。我也分配了【读写目录数据】,点击【授予权限】,没有其他权限设置。
下面是我用来测试的demo代码
string graphResourceID = "https://graph.windows.net";
string tenantID = "tenant Id";
Uri servicePointUri = new Uri(graphResourceID);
Uri serviceRoot = new Uri(servicePointUri, tenantID);
ActiveDirectoryClient activeDirectoryClient = new ActiveDirectoryClient(serviceRoot, async () => await GetAppTokenAsync());
var result = activeDirectoryClient.Users.ExecuteAsync().Result;
IUser user = result.CurrentPage.ToList().First();
private static async Task<string> GetAppTokenAsync()
{
string graphResourceID = "https://graph.windows.net";
string tenantID = "tenant id ";
//please remove v2 from the link
string aadInstance = "https://login.microsoftonline.com/" + tenantID +"/oauth2/token";
var clientId = "client Id";
var appKey = "secret key";
// Instantiate an AuthenticationContext for my directory (see authString above).
AuthenticationContext authenticationContext = new AuthenticationContext(aadInstance, false);
// Create a ClientCredential that will be used for authentication.
// This is where the Client ID and Key/Secret from the Azure Management Portal is used.
ClientCredential clientCred = new ClientCredential(clientId, appKey);
// Acquire an access token from Azure AD to access the Azure AD Graph (the resource)
// using the Client ID and Key/Secret as credentials.
AuthenticationResult authenticationResult = await authenticationContext.AcquireTokenAsync(graphResourceID, clientCred);
// Return the access token.
return authenticationResult.AccessToken;
}
测试结果:
如果它仍然不适合你。我建议您创建一个新的 Azure AD 应用程序并重试。
Packages.config:
<?xml version="1.0" encoding="utf-8"?>
<packages>
<package id="Microsoft.Azure.ActiveDirectory.GraphClient" version="2.1.1" targetFramework="net471" />
<package id="Microsoft.Data.Edm" version="5.6.4" targetFramework="net471" />
<package id="Microsoft.Data.OData" version="5.6.4" targetFramework="net471" />
<package id="Microsoft.Data.Services.Client" version="5.6.4" targetFramework="net471" />
<package id="Microsoft.IdentityModel.Clients.ActiveDirectory" version="3.19.8" targetFramework="net471" />
<package id="System.Spatial" version="5.6.4" targetFramework="net471" />
</packages>
谢谢大家,我似乎使用了用于创建 B2C 目录的原始目录的租户 ID。因此代码找不到我的应用程序。我必须使用我的 Azure B2C 目录的租户 ID/domain 名称,通过单击门户右上角的切换目录来注册 B2C 应用程序。
我使用以下代码获得了访问令牌来获取图形客户端:
string graphResourceID = "https://graph.windows.net";
string tenantID = ConfigurationManager.AppSettings["ida:Domain"];
string aadInstance = "https://login.microsoftonline.com/" + tenantID +
"/oauth2/v2.0/token";
Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential credential = new Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential(clientId, appKey);
AuthenticationContext authenticationContext = new AuthenticationContext(aadInstance);
authenticationContext.TokenCache.Clear();
var authResult = await authenticationContext.AcquireTokenAsync(graphResourceID,clientcred);
然后尝试使用令牌通过 AD 图表获取已登录用户的信息 api:
Uri servicePointUri = new Uri(graphResourceID);
Uri serviceRoot = new Uri(servicePointUri, tenantID);
ActiveDirectoryClient activeDirectoryClient = new ActiveDirectoryClient(serviceRoot,async () => await GetTokenForApplication());
var result = await activeDirectoryClient.Users.Where(u => u.ObjectId.Equals(userObjectID)).ExecuteAsync();
IUser user = result.CurrentPage.ToList().First();
return View(user);
但是,这个returns出现如下错误:
"error": {
"code": "Authorization_IdentityNotFound",
"message": "The identity of the calling application could not be established.",
"innerError": {
"request-id": "2bdae8ff-d935-4e01-80a1-78cbc8acf4de",
"date": "2017-08-09T18:07:40"
我确保 mu B2C 应用程序具有 Windows Active Directory 的 "Read and Write Directory Data" 权限:
有人可以帮忙吗?坚持了一段时间。 TIA
编辑
我也试过使用 Microsoft.Graph 但最终得到了同样的错误。另外,对于 B2C 用户,我认为最好暂时坚持使用 Azure Ad Graph api:https://dev.office.com/blogs/microsoft-graph-or-azure-ad-graph
看来你是用Azure AD库来操作Graph的API。我建议您可以使用 Microsoft.Graph 来做到这一点。请同时使用 Microsoft Graph 设置权限。
注意:不要忘记单击[授予权限]按钮。
下面是演示代码
string graphResourceId = "https://graph.microsoft.com/";
string authority = "https://login.microsoftonline.com/{0}";
string tenantId = "tenantId";
string clientId = "client Id";
string secretKey = "secret key"
var accessToken = authContext.AcquireTokenAsync(graphResourceId, new ClientCredential(clientId,secret)).Result.AccessToken;
var graphserviceClient = new GraphServiceClient(
new DelegateAuthenticationProvider(
requestMessage =>
{
requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", accessToken);
return Task.FromResult(0);
}));
var user = graphserviceClient.Users.Request().GetAsync().Result.FirstOrDefault();
测试结果:
更新:
我还使用 Azure B2c 使用 Azure AD graph API 进行了测试,它在我这边也能正常工作。我也分配了【读写目录数据】,点击【授予权限】,没有其他权限设置。
下面是我用来测试的demo代码
string graphResourceID = "https://graph.windows.net";
string tenantID = "tenant Id";
Uri servicePointUri = new Uri(graphResourceID);
Uri serviceRoot = new Uri(servicePointUri, tenantID);
ActiveDirectoryClient activeDirectoryClient = new ActiveDirectoryClient(serviceRoot, async () => await GetAppTokenAsync());
var result = activeDirectoryClient.Users.ExecuteAsync().Result;
IUser user = result.CurrentPage.ToList().First();
private static async Task<string> GetAppTokenAsync()
{
string graphResourceID = "https://graph.windows.net";
string tenantID = "tenant id ";
//please remove v2 from the link
string aadInstance = "https://login.microsoftonline.com/" + tenantID +"/oauth2/token";
var clientId = "client Id";
var appKey = "secret key";
// Instantiate an AuthenticationContext for my directory (see authString above).
AuthenticationContext authenticationContext = new AuthenticationContext(aadInstance, false);
// Create a ClientCredential that will be used for authentication.
// This is where the Client ID and Key/Secret from the Azure Management Portal is used.
ClientCredential clientCred = new ClientCredential(clientId, appKey);
// Acquire an access token from Azure AD to access the Azure AD Graph (the resource)
// using the Client ID and Key/Secret as credentials.
AuthenticationResult authenticationResult = await authenticationContext.AcquireTokenAsync(graphResourceID, clientCred);
// Return the access token.
return authenticationResult.AccessToken;
}
测试结果:
如果它仍然不适合你。我建议您创建一个新的 Azure AD 应用程序并重试。
Packages.config:
<?xml version="1.0" encoding="utf-8"?>
<packages>
<package id="Microsoft.Azure.ActiveDirectory.GraphClient" version="2.1.1" targetFramework="net471" />
<package id="Microsoft.Data.Edm" version="5.6.4" targetFramework="net471" />
<package id="Microsoft.Data.OData" version="5.6.4" targetFramework="net471" />
<package id="Microsoft.Data.Services.Client" version="5.6.4" targetFramework="net471" />
<package id="Microsoft.IdentityModel.Clients.ActiveDirectory" version="3.19.8" targetFramework="net471" />
<package id="System.Spatial" version="5.6.4" targetFramework="net471" />
</packages>
谢谢大家,我似乎使用了用于创建 B2C 目录的原始目录的租户 ID。因此代码找不到我的应用程序。我必须使用我的 Azure B2C 目录的租户 ID/domain 名称,通过单击门户右上角的切换目录来注册 B2C 应用程序。