从asp.net核心身份验证Web应用程序获取Microsoft Graph的访问令牌

时间:2017-06-02 19:32:48

标签: c# azure asp.net-core .net-core microsoft-graph

我有一个应用程序可以根据Azure AD对用户进行身份验证:

Startup.cs 

using Microsoft.AspNetCore.Authentication.Cookies;

public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();

    services.AddAuthentication(
        SharedOptions => SharedOptions.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme);

    services.AddAuthorization(options =>
    {
        //Auth Policies using group claims
    });
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    //loggerFactory

    app.UseCookieAuthentication();

    app.UseOpenIdConnectAtuhentication(new OpenIdConnectOptions
    {
        ClientID = Configuration["Authentication:AzureAd:ClientId"],
        Authority = Configuration["Authentication:AzureAd:AADInstance"] + Configuration["Authentication:AzureAd:TenantId"],
        CallbackPath = Configuration["Authentication:AzureAd:CallbackPath"]
    });

    //Mvc Routing
}

AccountController.cs 

 [HttpGet]
 public IActionResult SignIn()
 {
     return Challenge(
         new AuthenticationProperties { RedirectUri = "/" }, OpenIdConnectDefaults.AuthenticationScheme);
 }

在控制器上我想要保护我然后使用[Authorize(Policy = "Whatever")]

所有这些都很有效,所以我的问题是我已经拥有的cookie包含我需要的令牌,如果是这样,我只是用User.Claims之类的东西访问它,还是需要{{1}设置.net 4.6 Here的示例中的方式。

如果是后者,我如何在不使用Owin的情况下这样做?

我应该补充一点,虽然授权工作正常,但我现在要做的事情包括列出OU中的所有用户。为此,据我所知,我必须访问Microsoft Graph。也许,我走向了完全错误的方向?

1 个答案:

答案 0 :(得分:3)

您可以使用ADAL获取访问令牌。你可以在这里找到一个非常好的示例应用程序:https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect-aspnetcore

以下是检索令牌的特别重要的部分:https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect-aspnetcore/blob/master/WebApp-WebAPI-OpenIdConnect-DotNet/Startup.cs#L100

    private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedContext context)
    {
        // Acquire a Token for the Graph API and cache it using ADAL.  In the TodoListController, we'll use the cache to acquire a token to the Todo List API
        string userObjectId = (context.Ticket.Principal.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier"))?.Value;
        ClientCredential clientCred = new ClientCredential(ClientId, ClientSecret);
        AuthenticationContext authContext = new AuthenticationContext(Authority, new NaiveSessionCache(userObjectId, context.HttpContext.Session));
        AuthenticationResult authResult = await authContext.AcquireTokenByAuthorizationCodeAsync(
            context.ProtocolMessage.Code, new Uri(context.Properties.Items[OpenIdConnectDefaults.RedirectUriForCodePropertiesKey]), clientCred, GraphResourceId);

        // Notify the OIDC middleware that we already took care of code redemption.
        context.HandleCodeRedemption();
    }

您从Azure AD获取授权代码,您需要将该代码交换为您要调用的API的访问令牌或令牌。对于Microsoft Graph,请确保将资源URI设置为https://graph.microsoft.com(示例目标是Azure AD Graph API)。

然后,您可以按照此处所示调用API:https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect-aspnetcore/blob/master/WebApp-WebAPI-OpenIdConnect-DotNet/Controllers/TodoController.cs#L31 

            string userObjectID = (User.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier"))?.Value;
            AuthenticationContext authContext = new AuthenticationContext(Startup.Authority, new NaiveSessionCache(userObjectID, HttpContext.Session));
            ClientCredential credential = new ClientCredential(Startup.ClientId, Startup.ClientSecret);
            result = await authContext.AcquireTokenSilentAsync(Startup.TodoListResourceId, credential, new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));

result包含您需要附加到HTTP请求的访问令牌。它将从会话缓存中静默检索。

我想指出,在ASP.NET Core 2.0中,整个过程要容易得多。那里的Open Id Connect身份验证处理程序实际上可以为您检索令牌。

相关问题
最新问题