代表用户获取 Azure AD 令牌 - NetCore2
Get Azure AD token on behalf of user - NetCore2
我正在尝试代表用户获取 Azure AD 令牌,以便我可以通过 Azure AD 应用程序访问一些资源(该应用程序连接到 SharePoint Online API)。
我的问题是代表用户获取令牌。我在我的应用程序中添加了具有权限的 Azure AD 应用程序作为 Auth 方法(使用 Visual Studio 2017 自动添加)。有没有办法使用内置身份验证代表用户获取令牌? (因为它已经重定向用户登录,如果他还没有的话)。
我已经尝试过类似的方法,但我认为此令牌是针对应用程序的,而不是代表用户的(如果我尝试访问 SharePoint,则会返回 401)。
string clientId = 'xxxxxxxx';
string clientSecret = 'xxxxxxxxx'
var credential = new ClientCredential(clientId, clientSecret);
AuthenticationResult result = await authContext.AcquireTokenAsync("https://MYSITE.onmicrosoft.com/APPID", credential);
I'm trying to get the Azure AD token on behalf of user so i can access some resources through Azure AD App ( the app connects to SharePoint Online API).
如果我们想要访问共享点,我们需要在 Azure AD 中创建一个有权访问 API 的应用程序。并且不要忘记授予权限。
The Microsoft Graph enables developers to access data from multiple Microsoft Cloud services including:
- Azure AD (for users and groups)
- Office 365
- SharePoint Online
- Exchange Online
- OneDrive for Business
- OneNote
- Planner
- Excel
- OneDrive Consumer
- Outlook.com
另一件事是资源应该是 https://graph.microsoft.com 而不是您的应用程序。
下面是演示代码
private static async Task<string> GetAppTokenAsync(string tenantId, string clientId, string username,string password)
{
var graphResource = "https://graph.microsoft.com";
string aadInstance = "https://login.microsoftonline.com/" + tenantId + "/oauth2/token";
//Instantiate an AuthenticationContext for my directory (see authString above).
AuthenticationContext authenticationContext = new AuthenticationContext(aadInstance, false);
// Create a ClientCredential that will be used for authentication.
//This is where the Client ID and Key / Secret from the Azure Management Portal is used.
UserPasswordCredential credential = new UserPasswordCredential(username, password); //username is email format
// Acquire an access token from Azure AD to access the Azure Microsoft Graph(the resource)
// using the Client ID and Key / Secret as credentials.
AuthenticationResult authenticationResult = await authenticationContext.AcquireTokenAsync(graphResource, clientId, credential);
// Return the access token.
return authenticationResult.AccessToken;
}
Is there any way to get the token on behalf of user using the built-in authentication? (since it already redirects the user to sign in if he isnt already).
是的,在用户通过身份验证后,您应该获取访问令牌以访问 SharePoint Online API/Microsoft Graph api。
您可以使用 OpenID Connect 中间件和 Active Directory 身份验证库 (ADAL.NET) 为使用 OAuth 2.0 协议的登录用户获取 JWT 不记名令牌:
// Because we signed-in already in the WebApp, the userObjectId is know
string userObjectID = (User.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier"))?.Value;
// Using ADAL.Net, get a bearer token to access the TodoListService
AuthenticationContext authContext = new AuthenticationContext(AzureAdOptions.Settings.Authority, new NaiveSessionCache(userObjectID, HttpContext.Session));
ClientCredential credential = new ClientCredential(AzureAdOptions.Settings.ClientId, AzureAdOptions.Settings.ClientSecret);
result = await authContext.AcquireTokenSilentAsync(AzureAdOptions.Settings.TodoListResourceId, credential, new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));
您可以参考代码示例:Calling a web API in an ASP.NET Core web application using Azure AD。请将资源替换为 SharePoint Online API/Microsoft Graph api 以满足您的要求。
I've tried something like this, but i assume this token is for the app, not on behalf of the user (and gives 401 if i try to access SharePoint).
是的,您的代码使用 Client credentials grant flow,它使用应用程序自己的凭据而不是模拟用户,在调用其他网络服务时进行身份验证。
我正在尝试代表用户获取 Azure AD 令牌,以便我可以通过 Azure AD 应用程序访问一些资源(该应用程序连接到 SharePoint Online API)。
我的问题是代表用户获取令牌。我在我的应用程序中添加了具有权限的 Azure AD 应用程序作为 Auth 方法(使用 Visual Studio 2017 自动添加)。有没有办法使用内置身份验证代表用户获取令牌? (因为它已经重定向用户登录,如果他还没有的话)。
我已经尝试过类似的方法,但我认为此令牌是针对应用程序的,而不是代表用户的(如果我尝试访问 SharePoint,则会返回 401)。
string clientId = 'xxxxxxxx';
string clientSecret = 'xxxxxxxxx'
var credential = new ClientCredential(clientId, clientSecret);
AuthenticationResult result = await authContext.AcquireTokenAsync("https://MYSITE.onmicrosoft.com/APPID", credential);
I'm trying to get the Azure AD token on behalf of user so i can access some resources through Azure AD App ( the app connects to SharePoint Online API).
如果我们想要访问共享点,我们需要在 Azure AD 中创建一个有权访问 API 的应用程序。并且不要忘记授予权限。
The Microsoft Graph enables developers to access data from multiple Microsoft Cloud services including:
- Azure AD (for users and groups)
- Office 365
- SharePoint Online
- Exchange Online
- OneDrive for Business
- OneNote
- Planner
- Excel
- OneDrive Consumer
- Outlook.com
另一件事是资源应该是 https://graph.microsoft.com 而不是您的应用程序。
下面是演示代码
private static async Task<string> GetAppTokenAsync(string tenantId, string clientId, string username,string password)
{
var graphResource = "https://graph.microsoft.com";
string aadInstance = "https://login.microsoftonline.com/" + tenantId + "/oauth2/token";
//Instantiate an AuthenticationContext for my directory (see authString above).
AuthenticationContext authenticationContext = new AuthenticationContext(aadInstance, false);
// Create a ClientCredential that will be used for authentication.
//This is where the Client ID and Key / Secret from the Azure Management Portal is used.
UserPasswordCredential credential = new UserPasswordCredential(username, password); //username is email format
// Acquire an access token from Azure AD to access the Azure Microsoft Graph(the resource)
// using the Client ID and Key / Secret as credentials.
AuthenticationResult authenticationResult = await authenticationContext.AcquireTokenAsync(graphResource, clientId, credential);
// Return the access token.
return authenticationResult.AccessToken;
}
Is there any way to get the token on behalf of user using the built-in authentication? (since it already redirects the user to sign in if he isnt already).
是的,在用户通过身份验证后,您应该获取访问令牌以访问 SharePoint Online API/Microsoft Graph api。
您可以使用 OpenID Connect 中间件和 Active Directory 身份验证库 (ADAL.NET) 为使用 OAuth 2.0 协议的登录用户获取 JWT 不记名令牌:
// Because we signed-in already in the WebApp, the userObjectId is know
string userObjectID = (User.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier"))?.Value;
// Using ADAL.Net, get a bearer token to access the TodoListService
AuthenticationContext authContext = new AuthenticationContext(AzureAdOptions.Settings.Authority, new NaiveSessionCache(userObjectID, HttpContext.Session));
ClientCredential credential = new ClientCredential(AzureAdOptions.Settings.ClientId, AzureAdOptions.Settings.ClientSecret);
result = await authContext.AcquireTokenSilentAsync(AzureAdOptions.Settings.TodoListResourceId, credential, new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));
您可以参考代码示例:Calling a web API in an ASP.NET Core web application using Azure AD。请将资源替换为 SharePoint Online API/Microsoft Graph api 以满足您的要求。
I've tried something like this, but i assume this token is for the app, not on behalf of the user (and gives 401 if i try to access SharePoint).
是的,您的代码使用 Client credentials grant flow,它使用应用程序自己的凭据而不是模拟用户,在调用其他网络服务时进行身份验证。