堆栈内存溢出
  简体   繁体   English

Azure AD和OAUTH资源

[英]Azure AD and OAUTH resources

 原文  2018-12-03 15:37:19       asp.net-core/ oauth-2.0/ azure-active-directory

问题描述

I am writing a web application that needs to access both PowerBI and Microsoft Graph. 我正在编写一个需要同时访问PowerBI和Microsoft Graph的Web应用程序。 I am new with OAUTH so I am not understanding how to request access to two different resources. 我是OAUTH的新手,所以我不了解如何请求访问两个不同的资源。 This is my code to access one (PowerBI) resource. 这是我访问一个(PowerBI)资源的代码。 How do I modify it to also get access to Microsoft Graph? 如何修改它以同时访问Microsoft Graph? 

class ConfigureAzureOptions : IConfigureNamedOptions<OpenIdConnectOptions>
{
    private readonly PowerBiOptions _powerBiOptions;
    private readonly IDistributedCache _distributedCache;
    private readonly AzureADOptions _azureOptions;

    public ConfigureAzureOptions(IOptions<AzureADOptions> azureOptions, IOptions<PowerBiOptions> powerBiOptions, IDistributedCache distributedCache)
    {
        _azureOptions = azureOptions.Value;
        _powerBiOptions = powerBiOptions.Value;
        _distributedCache = distributedCache;
    }

    public void Configure(string name, OpenIdConnectOptions options)
    {
        options.ClientId = _azureOptions.ClientId;
        options.Authority = _azureOptions.Instance + "/" + _azureOptions.TenantId;
        options.UseTokenLifetime = true;
        options.CallbackPath = _azureOptions.CallbackPath;
        options.RequireHttpsMetadata = false;
        options.ClientSecret = _azureOptions.ClientSecret;
        options.Resource = _powerBiOptions.Resource;
        // Without overriding the response type (which by default is id_token), the OnAuthorizationCodeReceived event is not called.
        // but instead OnTokenValidated event is called. Here we request both so that OnTokenValidated is called first which 
        // ensures that context.Principal has a non-null value when OnAuthorizeationCodeReceived is called
        options.ResponseType = "id_token code";

        options.Events.OnAuthorizationCodeReceived = OnAuthorizationCodeReceived;
        options.Events.OnAuthenticationFailed = OnAuthenticationFailed;
    }

    public void Configure(OpenIdConnectOptions options)
    {
        Configure(Options.DefaultName, options);
    }

    private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedContext context)
    {
        string userObjectId = context.Principal.FindFirst(AccessTokenProvider.Identifier)?.Value;
        var authContext = new AuthenticationContext(context.Options.Authority, new DistributedTokenCache(_distributedCache, userObjectId));
        var credential = new ClientCredential(context.Options.ClientId, context.Options.ClientSecret);

        var authResult = await authContext.AcquireTokenByAuthorizationCodeAsync(context.TokenEndpointRequest.Code,
            new Uri(context.TokenEndpointRequest.RedirectUri, UriKind.RelativeOrAbsolute), credential, context.Options.Resource);

        context.HandleCodeRedemption(authResult.AccessToken, context.ProtocolMessage.IdToken);
    }

    private Task OnAuthenticationFailed(AuthenticationFailedContext context)
    {
        context.HandleResponse();
        context.Response.Redirect("/Home/Error?message=" + context.Exception.Message);
        return Task.FromResult(0);
    }
}

1 个解决方案

解决方案1
 0 已采纳  2018-12-04 06:12:06

You doesn't need to get each access token for different resource at the first sign-in process . 您无需在首次登录过程中就获得针对不同资源的每个访问令牌。

Suppose the first time you are acquiring PowerBI's access token in OnAuthorizationCodeReceived function , in controller , of course you can directly use that access token to call PowerBI's API since token is cached . 假设您是第一次在OnAuthorizationCodeReceived函数中获取PowerBI的访问令牌,则在控制器中,由于令牌已被缓存,因此您当然可以直接使用该访问令牌来调用PowerBI的API。 Now you need to call Microsoft Graph , just try below codes : 现在您需要调用Microsoft Graph,只需尝试以下代码即可: 

string userObjectID = (User.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier"))?.Value;

// Using ADAL.Net, get a bearer token to access the TodoListService
AuthenticationContext authContext = new AuthenticationContext(AzureAdOptions.Settings.Authority, new NaiveSessionCache(userObjectID, HttpContext.Session));
ClientCredential credential = new ClientCredential(AzureAdOptions.Settings.ClientId, AzureAdOptions.Settings.ClientSecret);
result = await authContext.AcquireTokenSilentAsync("https://graph.microsoft.com", credential, new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));

Just set the resource parameter of AcquireTokenSilentAsync function ,it will use refresh token to acquire access token for new resource . 只需设置AcquireTokenSilentAsync函数的resource参数,它将使用刷新令牌来获取新资源的访问令牌。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Azure AD OAuth2 无效令牌 - Azure AD OAuth2 invalid token 使用 Azure AD 成功进行身份验证后,Azure OAuth 身份验证无法重定向 - Azure OAuth authentication failed to redirect after successful authentication with Azure AD oauth2.0 azure AD APIM 存储令牌的位置 - oauth2.0 azure AD APIM where to store the token 使用 Azure AD 和 OAuth2.0 在 Session 空闲超时上实现自动重定向 - Implement Auto Redirect on Session Idle timeout using Azure AD and OAuth2.0 Azure AD Jwt Bearer令牌 - Azure AD Jwt Bearer token 将Piranha CMS与Azure AD集成 - Integrating Piranha CMS with Azure AD Blazor 服务器和 SignalR 和 Azure AD - Blazor Server and SignalR and Azure AD Azure AD 身份验证重定向不到本地主机 - Azure AD Authentication redirect NOT to localhost 使用 Azure AD 登录并获取 UserManager - Log in with Azure AD and get a UserManager Azure AD auth 的 Cookie 未过期 - Cookie not expiring for Azure AD auth
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM