发生一个或多个错误。 (ROPC 不支持 MSA 帐户。有关详细信息,请参阅 https://aka.ms/msal-net-ropc。)
One or more errors occurred. (ROPC does not support MSA accounts. See https://aka.ms/msal-net-ropc for details. )
我邀请了一些用户使用我的网站 API。
邀请邮件发送成功,用户显示在Azure AD的用户列表中。
当用户尝试登录我的网站 API 时,他们收到以下错误:
One or more errors occurred. (ROPC does not support MSA accounts. See
https://aka.ms/msal-net-ropc for details. )
下面的代码发送邀请
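/// <summary>
/// Sends a Microsoft Graph B2B invitation using a Graph token obtained with MSAL's
/// username/password (ROPC) flow from the credentials in <paramref name="user"/>.
/// As the error quoted on this page shows, ROPC is rejected for MSA (personal) accounts,
/// so this only succeeds for work/school accounts.
/// </summary>
/// <param name="user">Request body; only <c>UserName</c> and <c>Password</c> are read here.
/// The invited address below is still the hard-coded placeholder from the original post.</param>
/// <returns>200 with a confirmation string once Graph has accepted the invitation; 400 on any failure.</returns>
[EnableCors("CorsPolicy")]
[HttpPost, Route("invite")]
[AllowAnonymous] // NOTE(review): anonymous endpoint that receives a raw username/password and replays it to AAD — the pattern the linked ROPC doc advises against; confirm this is intended.
[ProducesResponseType(200)]
[ProducesResponseType(400)]
[Produces("application/json")]
public async Task<ActionResult> SendInvitation(UserModel user)
{
    try
    {
        string clientId = Configuration["AzureAd:ClientId"];
        string tenantID = Configuration["AzureAd:TenantId"];
        string authority = Configuration["AzureAd:Authority"];
        IPublicClientApplication app = PublicClientApplicationBuilder
            .Create(clientId)
            .WithTenantId(tenantID)
            .WithAuthority(authority)
            .Build();
        string[] scopes = { "User.Invite.All" };

        // Build the Graph client. The provider obtains a *delegated* token (the caller's own
        // username/password via ROPC — not an app-only token, despite what the original comment
        // said) and places it in the Authorization header of each Graph request.
        var graphServiceClient = new GraphServiceClient(new DelegateAuthenticationProvider(async requestMessage =>
        {
            var securePassword = new SecureString();
            foreach (char c in user.Password)
            {
                securePassword.AppendChar(c);
            }

            var authResult = await app
                .AcquireTokenByUsernamePassword(scopes, user.UserName, securePassword)
                .ExecuteAsync();
            requestMessage.Headers.Authorization =
                new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
        }));

        var invitation = new Invitation
        {
            InvitedUserEmailAddress = "user@email.com", // placeholder kept from the original; the real address should come from the request
            InviteRedirectUrl = "https://webapi.azurewebsites.net",
            SendInvitationMessage = true
        };

        // Await the Graph call. The original fired AddAsync without awaiting, so "Invitation sent."
        // was returned before the invitation existed and any MSAL/Graph failure (including the
        // ROPC/MSA error on this page) never reached the catch block.
        await graphServiceClient.Invitations
            .Request()
            .AddAsync(invitation);

        return Ok("Invitation sent.");
    }
    catch (Exception)
    {
        // Do not echo raw exception text (tenant/app ids, MSAL diagnostics) to an anonymous caller.
        // No logger is visible in this excerpt; record the exception server-side once one is wired in.
        return BadRequest("Invitation could not be sent.");
    }
}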
恐怕你的设计无法实现。
请参阅ROPC flow document中的重要提示。
无论是否邀请到 AAD 租户,MSA(个人帐户)都不能使用 ROPC。
ROPC 流仅适用于工作帐户。
在 https://aka.ms/msal-net-ropc 中也有说明。
您可以考虑使用Client credentials flow(应用程序权限)或Auth code flow(委托权限,需要交互式登录)。
在 this link 中查找相关的身份验证提供程序示例。
我邀请了一些用户使用我的网站 API。
邀请邮件发送成功,用户显示在Azure AD的用户列表中。
当用户尝试登录我的网站 API 时,他们收到以下错误:
One or more errors occurred. (ROPC does not support MSA accounts. See https://aka.ms/msal-net-ropc for details. )
下面的代码发送邀请
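/// <summary>
/// Sends a Microsoft Graph B2B invitation using a Graph token obtained with MSAL's
/// username/password (ROPC) flow from the credentials in <paramref name="user"/>.
/// As the error quoted on this page shows, ROPC is rejected for MSA (personal) accounts,
/// so this only succeeds for work/school accounts.
/// </summary>
/// <param name="user">Request body; only <c>UserName</c> and <c>Password</c> are read here.
/// The invited address below is still the hard-coded placeholder from the original post.</param>
/// <returns>200 with a confirmation string once Graph has accepted the invitation; 400 on any failure.</returns>
[EnableCors("CorsPolicy")]
[HttpPost, Route("invite")]
[AllowAnonymous] // NOTE(review): anonymous endpoint that receives a raw username/password and replays it to AAD — the pattern the linked ROPC doc advises against; confirm this is intended.
[ProducesResponseType(200)]
[ProducesResponseType(400)]
[Produces("application/json")]
public async Task<ActionResult> SendInvitation(UserModel user)
{
    try
    {
        string clientId = Configuration["AzureAd:ClientId"];
        string tenantID = Configuration["AzureAd:TenantId"];
        string authority = Configuration["AzureAd:Authority"];
        IPublicClientApplication app = PublicClientApplicationBuilder
            .Create(clientId)
            .WithTenantId(tenantID)
            .WithAuthority(authority)
            .Build();
        string[] scopes = { "User.Invite.All" };

        // Build the Graph client. The provider obtains a *delegated* token (the caller's own
        // username/password via ROPC — not an app-only token, despite what the original comment
        // said) and places it in the Authorization header of each Graph request.
        var graphServiceClient = new GraphServiceClient(new DelegateAuthenticationProvider(async requestMessage =>
        {
            var securePassword = new SecureString();
            foreach (char c in user.Password)
            {
                securePassword.AppendChar(c);
            }

            var authResult = await app
                .AcquireTokenByUsernamePassword(scopes, user.UserName, securePassword)
                .ExecuteAsync();
            requestMessage.Headers.Authorization =
                new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
        }));

        var invitation = new Invitation
        {
            InvitedUserEmailAddress = "user@email.com", // placeholder kept from the original; the real address should come from the request
            InviteRedirectUrl = "https://webapi.azurewebsites.net",
            SendInvitationMessage = true
        };

        // Await the Graph call. The original fired AddAsync without awaiting, so "Invitation sent."
        // was returned before the invitation existed and any MSAL/Graph failure (including the
        // ROPC/MSA error on this page) never reached the catch block.
        await graphServiceClient.Invitations
            .Request()
            .AddAsync(invitation);

        return Ok("Invitation sent.");
    }
    catch (Exception)
    {
        // Do not echo raw exception text (tenant/app ids, MSAL diagnostics) to an anonymous caller.
        // No logger is visible in this excerpt; record the exception server-side once one is wired in.
        return BadRequest("Invitation could not be sent.");
    }
}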
恐怕你的设计无法实现。
请参阅ROPC flow document中的重要提示。
无论是否邀请到 AAD 租户,MSA(个人帐户)都不能使用 ROPC。
ROPC 流仅适用于工作帐户。
在 https://aka.ms/msal-net-ropc 中也有说明。
您可以考虑使用Client credentials flow(应用程序权限)或Auth code flow(委托权限,需要交互式登录)。
在 this link 中查找相关的身份验证提供程序示例。