How to create an API scope using the Azure AD Graph API

I am trying to create an API scope for an Azure AD B2C application using the Azure AD Graph API. This is the operation performed with the "Expose an API" blade in the portal.

I have tried adding the scope directly to the application like this:

var current = await graphClient.Applications[appId].Request().GetAsync();
var currentList = current.Api.Oauth2PermissionScopes ?? new List<PermissionScope>();
var newScope = new PermissionScope
{
    AdminConsentDescription = scopeDescription,
    AdminConsentDisplayName = scopeDescription,
    IsEnabled = true,
    Type = "Admin",
    Value = scopeName
};
var updated = new Application {
    Api = new ApiApplication {
        Oauth2PermissionScopes = currentList.Append(newScope).ToList()
    }
};
await graphClient.Applications[appId].Request().UpdateAsync(updated);

But when I do this, I get an exception:

Microsoft.Graph.ServiceException
Code: ValueRequired
Message: Property api.oauth2PermissionScopes.id value is required but is empty or missing.

Does this mean I need to create the scope separately and then add it to the application? Looking at the Graph API documentation, it is not obvious how to do this, and I have not found any articles that discuss it.

How do I create an API scope using the Graph API?

If you want to create an API scope for an Azure AD B2C application using the Microsoft Graph API, we need to define a PermissionScope object. That object should provide an id (which is a GUID).

For example:

  1. Register an application

  2. Grant API permissions

    • Under Manage, select API permissions.
    • Under Configured permissions, select Add a permission.
    • Select the Microsoft APIs tab, then select Microsoft Graph.
    • Select Application permissions.
    • Select the Application.ReadWrite.All permission checkbox to grant it to your application.
    • Select Add permissions. As instructed, wait a few minutes before continuing to the next step.
    • Select Grant admin consent for (your tenant name).

  3. Create a client secret

  4. Code

using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.Graph.Auth;
using Microsoft.Identity.Client;

class Program
{
    static async Task Main(string[] args)
    {
        string clientId = "0159ec7d-f99f-***";
        string clientSecret = "G_fM3QKa***essTRX23t1_o";
        string tenantDomain = "{your tenant name}.onmicrosoft.com";

        // Client-credentials flow: the app authenticates as itself using the
        // Application.ReadWrite.All permission granted in step 2.
        IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithTenantId(tenantDomain)
            .WithClientSecret(clientSecret)
            .Build();

        ClientCredentialProvider authProvider = new ClientCredentialProvider(confidentialClientApplication);
        GraphServiceClient graphClient = new GraphServiceClient(authProvider);

        // Object id of the application registration to update (not its appId).
        var id = "fa89ac50-d5fd-47cb-9f3f-833f413a2ed4";
        var app = await graphClient.Applications[id].Request().GetAsync();
        var updated = new Application();

        // A scope can only be exposed once the app has an Application ID URI.
        if (app.IdentifierUris == null || !app.IdentifierUris.Any())
        {
            updated.IdentifierUris = new string[] { $"https://{tenantDomain}/{app.AppId}" };
        }

        // The PATCH replaces the whole collection, so keep the existing scopes
        // and append the new one. Api and the scope list may be null on a fresh app.
        var appscope = app.Api?.Oauth2PermissionScopes?.ToList() ?? new List<PermissionScope>();
        var newScope = new PermissionScope
        {
            Id = Guid.NewGuid(), // required: every scope needs its own GUID
            AdminConsentDescription = "Allow the application to have read-only access to all Employee data",
            AdminConsentDisplayName = "Read-only access to Employee records",
            IsEnabled = true,
            Type = "Admin",
            Value = "Employees.Read.All"
        };
        appscope.Add(newScope);
        updated.Api = new ApiApplication { Oauth2PermissionScopes = appscope };
        await graphClient.Applications[id].Request().UpdateAsync(updated);
    }
}

For details, please refer here.
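As an added example (not the answer's code and not a Graph SDK API), a client-side pre-flight check over the scope collection before it is PATCHed into api.oauth2PermissionScopes, so the missing id that produced the ValueRequired error in the question is reported locally rather than as a ServiceException; the ScopeValidator class and its set of checks are my own.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Graph;

// Hypothetical helper: validates the full scope list that will be sent in the
// PATCH. Returns a list of problems; an empty list means nothing obviously
// wrong was found. Graph replaces the whole collection, so every entry counts.
static class ScopeValidator
{
    static readonly HashSet<string> AllowedTypes = new HashSet<string> { "Admin", "User" };

    public static IList<string> Validate(IEnumerable<PermissionScope> scopes)
    {
        var problems = new List<string>();
        var seenIds = new HashSet<Guid>();
        var seenValues = new HashSet<string>(StringComparer.OrdinalIgnoreCase);

        foreach (var s in scopes)
        {
            var label = s.Value ?? "(no value)";

            // The check that would have caught the question's error: each scope
            // needs its own non-empty GUID, and two scopes must not share one.
            if (s.Id == null || s.Id == Guid.Empty)
                problems.Add($"{label}: id is required and must be a non-empty GUID");
            else if (!seenIds.Add(s.Id.Value))
                problems.Add($"{label}: duplicate id {s.Id}");

            // value is the string clients request (e.g. Employees.Read.All);
            // it must be present and unique within the application.
            if (string.IsNullOrWhiteSpace(s.Value))
                problems.Add("a scope has no value");
            else if (!seenValues.Add(s.Value))
                problems.Add($"{label}: duplicate scope value");

            // Admin means only an administrator can consent to the scope;
            // User lets individual users consent, so choose it deliberately.
            if (!AllowedTypes.Contains(s.Type ?? string.Empty))
                problems.Add($"{label}: type must be \"Admin\" or \"User\", got \"{s.Type}\"");

            // Admin-consent text is what the administrator sees when approving.
            if (s.Type == "Admin" && string.IsNullOrWhiteSpace(s.AdminConsentDisplayName))
                problems.Add($"{label}: adminConsentDisplayName is required for Admin scopes");
        }
        return problems;
    }
}
```

Call ScopeValidator.Validate(appscope) before UpdateAsync and abort if it returns anything; the same check run against the scopes read back after the update confirms the stored collection is the one you intended.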