我已委派用户权限User.ReadBasic.All
。在documentation中,它声明了
”允许该应用代表已登录的用户读取组织中其他用户的基本配置文件属性集。这包括显示名称,名字和姓氏,电子邮件地址,打开的扩展名和照片。还允许该应用程序以读取已登录用户的完整个人资料。”
如何为所有用户提供基本个人资料?
var accessToken = authContext
.AcquireTokenAsync(graphResourceId, new ClientCredential(clientId, secret))
.Result
.AccessToken;
var graphserviceClient = new GraphServiceClient(
new DelegateAuthenticationProvider(requestMessage => {
requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", accessToken);
return Task.FromResult(0);
}));
能否请您确认我的“ Authority” URL是否正确?
string authority = "https://login.microsoftonline.com/{tenantId}/common/oauth2/v2.0/token?&response_type=code&scope=openid%20profile%20User.Read%20User.ReadWrite%20User.ReadBasic.All";
AuthenticationContext authContext = new AuthenticationContext(authority);
var accessToken = authContext
.AcquireTokenAsync(graphResourceId, new ClientCredential(clientId, secret))
.Result
.AccessToken;
答案 0 :(得分:2)
您可以使用适当的Bearer令牌访问Graph API users/<email_id>
端点(https://graph.microsoft.com/v1.0/users/<email_id_of_the_user>
),以获取其他用户的基本详细信息。
您也可以在“图形资源管理器”中尝试-https://developer.microsoft.com/en-us/graph/graph-explorer#
答案 1 :(得分:1)
在这里,您实际上是从缓存中获取令牌(使用AcquireTokenSilentAsync
),而当您使用对{{1的调用)来赎回ASP.NET生成的授权代码时,您的令牌确实已添加到缓存中}}。您可以在ADAL.NET概念性文档中找到说明:Acquiring a token by authorization code in Web Apps
请注意,要调用该图,您可能希望使用MSAL.NET。例如,请参见示例signInAndCallMicrosoftGraph的以下分支aspnetcore-webapp-openidconnect-v2。这表示为教程,首先说明了登录阶段,然后调用了API(在本例中为Microsoft Graph)
最后,您所使用的权限不是Azure AD B2C的权限(正如我在对问题的评论中提到的那样,对于Azure AD,应将其简化为AcquireTokenByAuthorizationCodeAsync
)
答案 2 :(得分:0)
无论使用User.ReadBasic.All
还是User.Read.All
都一样:`
await graphServiceClient
.Users
.Request()
.GetAsync();
两者之间的唯一区别将在结果集中。使用User.ReadBasic.All
无法访问的属性将不会在结果中返回。
答案 3 :(得分:0)
我找到了解决方案并获得了用户对我组织的基本了解。 解决方案:使用AcquireTokenSilentAsync方法获取访问令牌。 More Details
options.Scope.Add("User.ReadBasic.All");
options.ResponseType = "code id_token";
OnAuthorizationCodeReceived = async ctx =>
{
var request = ctx.HttpContext.Request;
var currentUri = UriHelper.BuildAbsolute(request.Scheme, request.Host, request.PathBase, request.Path);
var credential = new ClientCredential(ctx.Options.ClientId, ctx.Options.ClientSecret);
var distributedCache = ctx.HttpContext.RequestServices.GetRequiredService<IDistributedCache>();
string userId = ctx.Principal.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
var cache = new DistributedTokenCache(distributedCache, userId);
var authContext = new AuthenticationContext(ctx.Options.Authority, cache);
var result = await authContext.AcquireTokenByAuthorizationCodeAsync(
ctx.ProtocolMessage.Code,
new Uri(currentUri),
credential,
ctx.Options.Resource);
ctx.HandleCodeRedemption(result.AccessToken, result.IdToken);
}
services.AddDistributedMemoryCache();
private async Task<string> GetAccessTokenAsync()
{
string authority = "https://login.microsoftonline.com/{0}/common/oauth2/v2.0/token";
string tenantId = User.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
authority = String.Format(authority, tenantId);
string userId = (User.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier"))?.Value;
var cache = new DistributedTokenCache(_memoryCache, userId);
var authContext = new AuthenticationContext(authority, cache);
string graphResourceId = "https://graph.microsoft.com";
string clientId = "XXX-XXX-XXX-XXX";
string secret = "XXXX";
var credential = new ClientCredential(clientId, secret);
var result = await authContext.AcquireTokenSilentAsync(graphResourceId, credential, new UserIdentifier(userId, UserIdentifierType.UniqueId));
return result.AccessToken;
}