如何使用B2C当前登录的用户凭据访问Microsoft Graph API
问题描述:
我有一个Azure Active Directory B2C,其中定义了策略并在B2C刀片中注册了一个应用程序。我可以在我的.NET Web应用程序中使用OWIN管道将用户签入应用程序。但是,该用户似乎无法通过从AAD B2C发回的JWT访问Graph API。如何使用B2C当前登录的用户凭据访问Microsoft Graph API
第一个问题似乎是可用的范围。在我OWIN安装在我的应用程序Startup.Auth.cs,我有这样的代码:
private static string clientId = ConfigurationManager.AppSettings["ida:AppId"];
private static string clientSecret = ConfigurationManager.AppSettings["ida:AppSecret"];
private static string aadInstance = ConfigurationManager.AppSettings["ida:AadInstance"];
private static string tenant = ConfigurationManager.AppSettings["ida:Tenant"];
private static string redirectUri = ConfigurationManager.AppSettings["ida:RedirectUri"];
private static string graphScopes = ConfigurationManager.AppSettings["ida:GraphScopes"];
// B2C policy identifiers
public static string SignUpPolicyId = ConfigurationManager.AppSettings["ida:SignUpPolicyId"];
public static string SignInPolicyId = ConfigurationManager.AppSettings["ida:SignInPolicyId"];
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
// Configure OpenID Connect middleware for each policy
app.UseOpenIdConnectAuthentication(CreateOptionsFromPolicy(SignUpPolicyId));
//app.UseOpenIdConnectAuthentication(CreateOptionsFromPolicy(ProfilePolicyId));
app.UseOpenIdConnectAuthentication(CreateOptionsFromPolicy(SignInPolicyId));
}
在这个文件后来,我有这样的:
private OpenIdConnectAuthenticationOptions CreateOptionsFromPolicy(string policy)
{
return new OpenIdConnectAuthenticationOptions
{
// For each policy, give OWIN the policy-specific metadata address, and
// set the authentication type to the id of the policy
MetadataAddress = String.Format(aadInstance, tenant, policy),
AuthenticationType = policy,
// These are standard OpenID Connect parameters, with values pulled from web.config
ClientId = clientId,
RedirectUri = redirectUri,
PostLogoutRedirectUri = redirectUri,
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = AuthenticationFailed,
},
Scope = "openid profile offline_access",
ResponseType = "id_token",
// This piece is optional - it is used for displaying the user's name in the navigation bar.
TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name",
SaveSigninToken = true,
},
};
}
我在哪里设置的范围,我尝试使用here的范围之一以便稍后访问该图。这给了我一个无效的请求错误。
答
不幸的是,Microsoft Graph不支持由AAD B2C发布的令牌。这是我们希望随着时间的推移修复的问题。与此同时,您需要从常规AAD STS(从v1或v2端点)获取令牌。请参阅https://graph.microsoft.io/en-us/docs/authorization/auth_overview
希望这会有所帮助,