Question

我已经在Angular 4中使用Azure Active Directory实现了多租户应用程序。用户登录我的应用程序后，我可以获得用户信息。但是用户照片没有从Active目录中获取，因为我已经实现了Graph API如下面的片段。

public Task<UserDto> getPhoto(TenantDto tenantDto)
    {
        var client = new HttpClient();
        client.BaseAddress = new Uri(String.Format("https://graph.windows.net/{0}/users/{1}/thumbnailPhoto?api-version=1.6", tenantDto.tenantKey, tenantDto.email));
        client.DefaultRequestHeaders.Accept.Clear();
        client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("image/jpeg"));
        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tenantDto.token);
        HttpResponseMessage response = client.GetAsync("").Result;
        if (response.IsSuccessStatusCode)
        {
            return null;
            //Status status = response.Content.ReadAsAsync<Status>().Result;
            //if (status.Code == 200)
            //    InBoundResponse = JsonConvert.DeserializeObject<InBoundCallResponse>(status.Data.ToString());
            //return InBoundResponse;
        }
        else
        {
            return null;
        }
    }

此处tenantDto.token只是登录用户＆＃34;令牌＆＃34;在调用此图谱API时，我发现401 (Unauthorized)错误。我尝试了几乎没用过。我在Active Directory APP中更改了图形API设置，如下面的附件

此外，我尝试过以下代码，它仅适用于单租户

    [Route("AdUserImage"), HttpGet]
    public async Task<HttpResponseMessage> userImage()
    {
        var authContext = new AuthenticationContext("https://login.windows.net/sampletest.onmicrosoft.com/oauth2/token");
        var credential = new ClientCredential(clientID, clientSecret);
        ActiveDirectoryClient directoryClient = new ActiveDirectoryClient(serviceRoot, async () =>
        {
            var result = await authContext.AcquireTokenAsync("https://graph.windows.net/", credential);
            return result.AccessToken;
        });

        var user = await directoryClient.Users.Where(x => x.UserPrincipalName == "balu@sampletest.onmicrosoft.com").ExecuteSingleAsync();
        DataServiceStreamResponse photo = await user.ThumbnailPhoto.DownloadAsync();
        using (MemoryStream s = new MemoryStream())
        {
            photo.Stream.CopyTo(s);
            var encodedImage = Convert.ToBase64String(s.ToArray());
        }
        //string token = await HttpAppAuthenticationAsync();
        Status status = new Status("OK");
        status = new Status("Found", null, "User exists.");

        return Request.CreateResponse(HttpStatusCode.OK, status, _jsonMediaTypeFormatter);
    }

但我需要为多租户应用实施。

任何答案都赞赏。

先谢谢........！

Answer 1

委托用户令牌：

1.通过隐含流程获取令牌：

https://login.microsoftonline.com/{tenant}/oauth2/authorize?response_type=token&client_id={clientId}&redirect_uri={redirect_uri}&resource=https%3A%2F%2Fgraph.windows.net&nonce={nonce}

2.调用Azure AD Graph

GET: https://graph.windows.net/{tenant}/me/thumbnailPhoto?api-version=1.6
Content-Type: image/jpeg

申请令牌：

1.通过客户端凭证流

获取令牌

POST:https://login.microsoftonline.com/{tenant}/oauth2/token
grant_type=client_credentials&client_id={client_id}&client_secret={client_secret}&resource=https%3A%2F%2Fgraph.windows.net

2.调用Azure AD Graph

GET:https://graph.windows.net/{tenant}/users/{upn}/thumbnailPhoto?api-version=1.6
Content-Type: image/jpeg

如果您只是获取多租户的登录用户的缩略图照片，则应首先使用Azure AD登录并获取代理用户的访问令牌，并使用该令牌调用Azure AD Graph REST。这两种令牌的区别，可以参考下面的链接：

Get access on behalf of a user

Get access without a user

在多租户应用程序中获取Active Directory用户映像中的401（未授权）错误

1 个答案: