您的位置: 首页  >  技术问答  >  如何使用B2C当前登录的用户凭据访问Microsoft Graph API

如何使用B2C当前登录的用户凭据访问Microsoft Graph API

分类: 技术问答 2022-06-22 16:49:23
问题描述:

我有一个Azure Active Directory B2C,其中定义了策略并在B2C刀片中注册了一个应用程序。我可以在我的.NET Web应用程序中使用OWIN管道将用户签入应用程序。但是,该用户似乎无法通过从AAD B2C发回的JWT访问Graph API。如何使用B2C当前登录的用户凭据访问Microsoft Graph API

第一个问题似乎是可用的范围。在我OWIN安装在我的应用程序Startup.Auth.cs,我有这样的代码:

 private static string clientId = ConfigurationManager.AppSettings["ida:AppId"]; 
    private static string clientSecret = ConfigurationManager.AppSettings["ida:AppSecret"]; 
    private static string aadInstance = ConfigurationManager.AppSettings["ida:AadInstance"]; 
    private static string tenant = ConfigurationManager.AppSettings["ida:Tenant"]; 
    private static string redirectUri = ConfigurationManager.AppSettings["ida:RedirectUri"]; 
    private static string graphScopes = ConfigurationManager.AppSettings["ida:GraphScopes"]; 

    // B2C policy identifiers 
    public static string SignUpPolicyId = ConfigurationManager.AppSettings["ida:SignUpPolicyId"]; 
    public static string SignInPolicyId = ConfigurationManager.AppSettings["ida:SignInPolicyId"]; 

    public void ConfigureAuth(IAppBuilder app) 
    { 
     app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType); 

     app.UseCookieAuthentication(new CookieAuthenticationOptions()); 

     // Configure OpenID Connect middleware for each policy 
     app.UseOpenIdConnectAuthentication(CreateOptionsFromPolicy(SignUpPolicyId)); 
     //app.UseOpenIdConnectAuthentication(CreateOptionsFromPolicy(ProfilePolicyId)); 
     app.UseOpenIdConnectAuthentication(CreateOptionsFromPolicy(SignInPolicyId)); 
    }

在这个文件后来,我有这样的:

 private OpenIdConnectAuthenticationOptions CreateOptionsFromPolicy(string policy) 
    { 
     return new OpenIdConnectAuthenticationOptions 
     { 
      // For each policy, give OWIN the policy-specific metadata address, and 
      // set the authentication type to the id of the policy 
      MetadataAddress = String.Format(aadInstance, tenant, policy), 
      AuthenticationType = policy, 

      // These are standard OpenID Connect parameters, with values pulled from web.config 
      ClientId = clientId, 
      RedirectUri = redirectUri, 
      PostLogoutRedirectUri = redirectUri, 
      Notifications = new OpenIdConnectAuthenticationNotifications 
      { 
       AuthenticationFailed = AuthenticationFailed, 
      }, 
      Scope = "openid profile offline_access", 
      ResponseType = "id_token", 

      // This piece is optional - it is used for displaying the user's name in the navigation bar. 
      TokenValidationParameters = new TokenValidationParameters 
      { 
       NameClaimType = "name", 
       SaveSigninToken = true, 
      }, 
     }; 
    }

我在哪里设置的范围,我尝试使用here的范围之一以便稍后访问该图。这给了我一个无效的请求错误。

不幸的是,Microsoft Graph不支持由AAD B2C发布的令牌。这是我们希望随着时间的推移修复的问题。与此同时,您需要从常规AAD STS(从v1或v2端点)获取令牌。请参阅https://graph.microsoft.io/en-us/docs/authorization/auth_overview

希望这会有所帮助,

相关推荐