无法使用 ASP.NET Core Web API 的代表流调用 Graph API

问题描述 投票:0回答:1

我正在尝试在 ASP.NET Core Web API (.NET 5) 中实现代表用户。我从移动应用程序收到一个 access_token,将其发送到我的 Web API。 Web API 使用此令牌调用 Graph API 以获取用户的个人资料详细信息。

Startup.cs 文件

 services.AddAuthentication("JwtBearer")
                        .AddJwtBearer("JwtBearer", options =>
                        {
                            options.MetadataAddress = $"https://login.microsoftonline.com/{Configuration["b2bAzureAppIdentity:TenantId"]}/v2.0/.well-known/openid-configuration";
                            options.TokenValidationParameters = new TokenValidationParameters()
                            {
                                ValidIssuer = $"https://sts.windows.net/{Configuration["b2bAzureAppIdentity:TenantId"]}/",

                                // as audience, both the client id and the identifierUri are allowed (sematically equivalent)
                                ValidAudiences = new[] { Configuration["b2bAzureAppIdentity:AppIdUri"], Configuration["b2bAzureAppIdentity:ClientId"] }
                            };
                        }).AddMicrosoftIdentityWebApi(Configuration, "b2bAzureAppIdentity")
                        .EnableTokenAcquisitionToCallDownstreamApi()
                        .AddMicrosoftGraph(Configuration.GetSection("DownstreamApi"))
                        .AddInMemoryTokenCaches();

控制器.cs

 [HttpGet("GetMyDetails")]
    [AuthorizeForScopes(Scopes = new string[] { "user.read" })]
    public async Task<IActionResult> GetMyDetails()
    {
        var user = await _graphServiceClient.Me.Request().GetAsync();
        return new OkObjectResult(user.Photo);
    }

应用程序设置采用以下格式

 "b2bAzureAppIdentity": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "",
"TenantId": "",
"ClientId": "",
"ClientSecret": "",
"AppIdUri": ""},
 "DownstreamApi": {
"BaseUrl": "https://graph.microsoft.com/v1.0",
"Scopes": "user.read"},

在 Azure 中,API 权限和范围设置正确,这一点很明显,因为当我从邮递员进行调用时,我能够获取 on_behalf_of 的访问令牌,并通过调用 https:/ 使用它来获取用户的个人资料详细信息/graph.microsoft.com/v1.0/me

在控制器中的这一行

var user = await _graphServiceClient.Me.Request().GetAsync();

我收到错误:“没有帐户或登录提示传递到 AcquireTokenSilent 调用。”

我在 google 上搜索了此错误,解决方案显示用户应该同意该范围,但 Azure 门户中的管理员已经同意了。此外,这在 Postman 中起作用的事实使我们相信 APP 和 API 的配置是正确的。

enter image description here

有人遇到过类似的问题吗?

c# asp.net-core microsoft-graph-api asp.net-core-webapi azure-ad-msal
1个回答
1
投票

发生这种情况是因为收到的 access_token 没有与获取用户详细信息的请求一起发送。以下是如何实现代表提供商的示例:

// Create a client application.
IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
                .Create(clientId)
                .WithTenantId(tenantID)
                // The Authority is a required parameter when your application is configured 
                // to accept authentications only from the tenant where it is registered.
                .WithAuthority(authority)
                .WithClientSecret(clientSecret)
                .Build();
                
// Use the API reference to determine which scopes are appropriate for your API request.
// e.g. - https://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http
var scopes = new string[] { "User.Read" };
// Create an authentication provider.
ClientCredentialProvider authenticationProvider = new OnBehalfOfProvider(confidentialClientApplication, scopes);

var jsonWebToken = actionContext.Request.Headers.Authorization.Parameter;
var userAssertion = new UserAssertion(jsonWebToken);
// Configure GraphServiceClient with provider.
GraphServiceClient graphServiceClient = new GraphServiceClient(authenticationProvider);
// Make a request
var me = await graphServiceClient.Me.Request().WithUserAssertion(userAssertion).GetAsync();

在这种情况下,令牌将添加到调用 

WithUserAssertion
的请求中。

如果这有帮助,以及您还有其他问题,请告诉我。

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.