缺少客户端密钥或客户端证书

时间:2021-03-29 21:27:54

标签: asp.net-core azure-active-directory azure-ad-graph-api

MsalClientException:IDW10104:客户端密钥和客户端证书不能为空或空格,并且在调用 Web API 时,Web 应用程序的配置中只能包含一个。例如,在 appsettings.json 文件中。

Microsoft.Identity.Web.MicrosoftIdentityOptionsValidation.ValidateEitherClientCertificateOrClientSecret(string clientSecret, IEnumerable<CertificateDescription> cert)
Microsoft.Identity.Web.TokenAcquisition.BuildConfidentialClientApplicationAsync()
Microsoft.Identity.Web.TokenAcquisition.GetOrBuildConfidentialClientApplicationAsync()
Microsoft.Identity.Web.TokenAcquisition.AddAccountToCacheFromAuthorizationCodeAsync(AuthorizationCodeReceivedContext context, IEnumerable<string> scopes)
Microsoft.Identity.Web.MicrosoftIdentityWebAppAuthenticationBuilder+<>c__DisplayClass11_1+<<WebAppCallsWebApiImplementation>b__1>d.MoveNext()
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.RunAuthorizationCodeReceivedEventAsync(OpenIdConnectMessage authorizationResponse, ClaimsPrincipal user, AuthenticationProperties properties, JwtSecurityToken jwt)
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()

这是在通过 Azure AD 成功登录后发生的。我也传入了客户端密码(通过用户密码和 appSettings)。对于源代码参考,我使用以下示例项目:

https://github.com/damienbod/AspNetCoreUsingGraphApi

1 个答案:

答案 0 :(得分:1)

如果想在web app中调用AzureAD投射的web api,请参考以下步骤

  1. appsettings.json
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "ClientId": "[Client_id-of-web-app-eg-2ec40e65-ba09-4853-bcde-bcb60029e596]",
    "TenantId": "common"

   // To call an API
   "ClientSecret": "[Copy the client secret added to the app from the Azure portal]",

 },
 "MyApi": {
    "BaseUrl": "https://graph.microsoft.com/beta",
    "Scopes": "user.read"
    }
}
  1. startup.cs
using Microsoft.Identity.Web;

public class Startup
{
  // ...
  public void ConfigureServices(IServiceCollection services)
  {
  // ...
  services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
          .AddMicrosoftIdentityWebApp(Configuration, "AzureAd")
            .EnableTokenAcquisitionToCallDownstreamApi(new string[]{"" })
               .AddDownstreamWebApi("MyApi", Configuration.GetSection("MyApi"))
            .AddInMemoryTokenCaches();
   // ...
  }
  // ...
}
  1. 调用api
[Authorize]
public class HomeController : Controller
{
 readonly ITokenAcquisition tokenAcquisition;

 public HomeController(ITokenAcquisition tokenAcquisition)
 {
  this.tokenAcquisition = tokenAcquisition;
 }

 [AuthorizeForScopes(Scopes = new[] { "user.read" })]
public async Task<IActionResult> Profile()
{
 // Acquire the access token.
 string[] scopes = new string[]{"user.read"};
 string accessToken = await tokenAcquisition.GetAccessTokenForUserAsync(scopes);

 // Use the access token to call a protected web API.
 HttpClient client = new HttpClient();
 client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
 string json = await client.GetStringAsync(url);
}

}

有关详细信息,请参阅here

相关问题
最新问题