如何从AAD获取用户个人资料照片?

时间:2017-12-16 01:44:43

标签: azure-active-directory microsoft-graph

我已成功在我的应用中使用AAD应用服务认证。我可以登录用户并检索他们的信息。但是,然后我尝试使用我在身份验证期间从AAD接收的访问令牌来访问Microsoft Graph。 (我想检索用户的个人资料图片。)但是我得到了一个"未经授权的"响应。我可以不使用此令牌访问Microsoft Graph吗?这是代码:

我使用此行从AAD获取令牌:

result = await authContext.AcquireTokenAsync(ServiceResourceId, clientId, redirectUri, new PlatformParameters(PromptBehavior.Auto, false));

然后我使用该令牌从Microsoft Graph请求访问令牌:

var newresult = await authContext.AcquireTokenAsync("https://graph.microsoft.com", clientId, redirectUri, new PlatformParameters(PromptBehavior.Auto, false)); 

然后我在MS Graph的HTTP请求的标题中使用这个新标记:

var client = new HttpClient();
string address = "https://graph.microsoft.com/v1.0/me/photo/$value";
var request = new HttpRequestMessage(HttpMethod.Get, address);
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", newresult.AccessToken);
var response = await client.SendAsync(request);

返回的响应始终是"未经授权。"有人可以帮忙吗?当我向AAD注册此应用程序时,对于必需的权限,我检查了MS Graph下的所有框,只是为了确保不是问题。

以下是我发送给图表的令牌的jwt.io翻译:

部首:

{
      "typ": "JWT",
      "nonce": "AQABAAAAAABHh4kmS_aKT5XrjzxRAtHz1qgWQ-hlrP4_1OMfut-1OUpc-N2SpNqHzq0_d3W3onK3nxMYxfa_n0k1XDwY4goAv6zvokWoPOQ14gn-CiBj8yAA",
      "alg": "RS256",
      "x5t": "x478xyOplsM1H7NXk7Sx17x1upc",
      "kid": "x478xyOplsM1H7NXk7Sx17x1upc"
    }

有效载荷:

{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/8da014d8-253b-4fbc-92ad-8aff7ec75f3e/",
  "iat": 1513560920,
  "nbf": 1513560920,
  "exp": 1513564820,
  "acr": "1",
  "aio": "Y2NgYHhv82Ru/jov7wYf48xP1f+Y7Da5KRuVfFWb/XfGlv0c8ncB",
  "altsecid": "1:live.com:000161108451EADE",
  "amr": [
    "pwd"
  ],
  "app_displayname": "MyClientApp",
  "appid": "<removed>",
  "appidacr": "0",
  "e_exp": 262800,
  "email": "jdoe@hotmail.com",
  "family_name": "Doe",
  "given_name": "John",
  "idp": "live.com",
  "ipaddr": "<removed>",
  "name": "John Doe",
  "oid": "<removed>",
  "platf": "3",
  "puid": "<removed>",
  "scp": "Bookings.Manage.All Bookings.Read.All Bookings.ReadWrite.All BookingsAppointment.ReadWrite.All Calendars.Read Calendars.Read.Shared Calendars.ReadWrite Calendars.ReadWrite.Shared Contacts.Read Contacts.Read.Shared Contacts.ReadWrite Contacts.ReadWrite.Shared Device.Command Device.Read DeviceManagementApps.Read.All DeviceManagementApps.ReadWrite.All DeviceManagementConfiguration.Read.All DeviceManagementConfiguration.ReadWrite.All DeviceManagementManagedDevices.PrivilegedOperations.All DeviceManagementManagedDevices.Read.All DeviceManagementManagedDevices.ReadWrite.All DeviceManagementRBAC.Read.All DeviceManagementRBAC.ReadWrite.All DeviceManagementServiceConfig.Read.All DeviceManagementServiceConfig.ReadWrite.All Directory.AccessAsUser.All Directory.Read.All Directory.ReadWrite.All EAS.AccessAsUser.All EduAdministration.Read EduAdministration.ReadWrite EduAssignments.Read EduAssignments.ReadBasic EduAssignments.ReadWrite EduAssignments.ReadWriteBasic EduRoster.Read EduRoster.ReadBasic EduRoster.ReadWrite email Files.Read Files.Read.All Files.Read.Selected Files.ReadWrite Files.ReadWrite.All Files.ReadWrite.AppFolder Files.ReadWrite.Selected Financials.ReadWrite.All Group.Read.All Group.ReadWrite.All IdentityProvider.Read.All IdentityProvider.ReadWrite.All IdentityRiskEvent.Read.All Mail.Read Mail.Read.Shared Mail.ReadWrite Mail.ReadWrite.Shared Mail.Send Mail.Send.Shared MailboxSettings.Read MailboxSettings.ReadWrite Member.Read.Hidden Notes.Create Notes.Read Notes.Read.All Notes.ReadWrite Notes.ReadWrite.All Notes.ReadWrite.CreatedByApp offline_access openid People.Read People.Read.All profile Reports.Read.All Sites.FullControl.All Sites.Manage.All Sites.Read.All Sites.ReadWrite.All Tasks.Read Tasks.Read.Shared Tasks.ReadWrite Tasks.ReadWrite.Shared User.Invite.All User.Read User.Read.All User.ReadBasic.All User.ReadWrite User.ReadWrite.All UserTimelineActivity.Write.CreatedByApp",
  "sub": "9pWHLV_iWYAYPyU9jjECKINww-jeBz4dTxsYwCoHCfo",
  "tid": "<removed>",
  "unique_name": "live.com#jdoe@hotmail.com",
  "uti": "s-PBOt8MPE2gB0kwjIASAA",
  "ver": "1.0",
  "wids": [
    "62e90394-69f5-4237-9190-012177145e10"
  ]
}

0 个答案:

没有答案