如何为中层API生成一个代价的代币
我正在尝试实现 behalf-of 流程,使用Microsoft Identity平台,我的Web应用程序可以对用户进行身份验证,然后向我的Web API提出请求,从而向Microsoft Graph API提出请求(并将结果返回到Web应用程序)。
我的问题是,我需要将代币的代价传递给我的Web API,以便将其授予Microsoft Graph,但我无法设法生成该令牌。 (目前我正在尝试使用Postman生成这个令牌。)
我希望运行的是官方文档提供的代码段在这里对于Microsoft Graph SDK(在OBO-FLOW的情况下),我需要帮助的是如何为obotoken变量生成令牌。
using Azure.Identity;
using Microsoft.Graph;
using Microsoft.Identity.Client;
var scopes = new[] { "User.Read", "Presence.Read.All" };
var tenantId = "common";
var clientId = "<id of my API as registered in Azure AD / App Registrations>";
var clientSecret = "<value from Client Secret in Registerd Application / Certificates & secrets";
var options = new TokenCredentialOptions
{
AuthorityHost = AzureAuthorityHosts.AzurePublicCloud
};
var oboToken = "< WHAT NEEDS TO BE PROVIDED BY THE WEB APP >";
var cca = ConfidentialClientApplicationBuilder
.Create(clientId)
.WithTenantId(tenantId)
.WithClientSecret(clientSecret)
.Build();
var authProvider = new DelegateAuthenticationProvider(async (request) => {
var assertion = new UserAssertion(oboToken);
var result = await cca.AcquireTokenOnBehalfOf(scopes, assertion).ExecuteAsync();
request.Headers.Authorization =
new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", result.AccessToken);
});
var graphClient = new GraphServiceClient(authProvider);
Console.WriteLine(graphClient.Me.Request().GetAsync().Result);
我已经尝试了以下操作:我在浏览器中生成了一个带有以下请求的授权代码
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=< Id of my API >
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp
&response_mode=query
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
,将以下发布请求作为<
https://login.microsoftonline.com/common/oauth2/v2.0/token?
client_id=< Id of my API >
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp
&grant_type=authorization_code
&code=< code returned by request above >
,然后使用返回的代码,在我使用响应中的返回令牌作为<响应中的返回令牌时 代码> obotoken 在代码段中,我得到了一个
msalserviceException:AADSTS50027:JWT令牌无效或畸形。
如果我还将client_secret参数中的参数包括在上面的“令牌”请求中,则我将获得响应 aadsts90023:公共客户端无法发送客户端秘密。
我如何生成一个代价的代币以运行提供的代码段?
提前致谢!
I'm trying to implement an on-behalf-of flow, with Microsoft Identity Platform where my Web app authenticates users, then makes a request to my Web API which in turn makes a request to the Microsoft Graph API (and returns the result to the Web app).
My problem is that I will need to pass on an on-behalf-of token to my Web API for it to be granted acces to Microsoft Graph, but I cannot manage to generate this token. (I'm trying to generate this token using Postman at the moment.)
What I want to be able to run is a code snippet provided by the official documentation here for the Microsoft Graph SDK (in the case of an OBO-flow), and what I need help with is how to generate the token for the oboToken variable.
using Azure.Identity;
using Microsoft.Graph;
using Microsoft.Identity.Client;
var scopes = new[] { "User.Read", "Presence.Read.All" };
var tenantId = "common";
var clientId = "<id of my API as registered in Azure AD / App Registrations>";
var clientSecret = "<value from Client Secret in Registerd Application / Certificates & secrets";
var options = new TokenCredentialOptions
{
AuthorityHost = AzureAuthorityHosts.AzurePublicCloud
};
var oboToken = "< WHAT NEEDS TO BE PROVIDED BY THE WEB APP >";
var cca = ConfidentialClientApplicationBuilder
.Create(clientId)
.WithTenantId(tenantId)
.WithClientSecret(clientSecret)
.Build();
var authProvider = new DelegateAuthenticationProvider(async (request) => {
var assertion = new UserAssertion(oboToken);
var result = await cca.AcquireTokenOnBehalfOf(scopes, assertion).ExecuteAsync();
request.Headers.Authorization =
new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", result.AccessToken);
});
var graphClient = new GraphServiceClient(authProvider);
Console.WriteLine(graphClient.Me.Request().GetAsync().Result);
I've tried the following: I generate an authorization code with the following request in my browser
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=< Id of my API >
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp
&response_mode=query
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
Then, with the returned code, make the following POST request (from Postman)
https://login.microsoftonline.com/common/oauth2/v2.0/token?
client_id=< Id of my API >
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp
&grant_type=authorization_code
&code=< code returned by request above >
When I use the returned token from the response as the value of the oboToken in the code snippet, I get a
MsalServiceException: AADSTS50027: JWT token is invalid or malformed.
If I instead also include a client_secret parameter in the POST request above for a token, I get the response AADSTS90023: Public clients can't send a client secret.
How could I generate an on-behalf-of token to be able to run the provided code snippet?
Thanks in advance!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
在我看来,您的错误是通过授权代码流获得MS Graph API令牌。
它的工作方式是:
因此,当您的Web应用程序获取访问令牌时,它应该使用API应用程序注册中定义的范围,而不是
范围= https%3A%2F%2F%2fgraph.microsoft.com%2F.def.default。如果指定MS图API范围,则获得MS Graph API的访问令牌,这意味着您正在尝试从Web应用程序调用MS Graph API,而不是API。
It seems to me that your mistake is getting an MS Graph API token with the authorization code flow.
The way it should work is:
So when your Web App gets an access token, it should use a scope defined in the API app registration instead of
scope=https%3A%2F%2Fgraph.microsoft.com%2F.default.If you specify an MS Graph API scope, you get an access token for MS Graph API, meaning you are trying to call MS Graph API from the Web App, instead of your API.