使用文件上的 cer 或 pfx 从 Microsoft Graph 端点获取身份验证令牌
[英]Getting auth token from Microsoft Graph endpoint using cer or pfx on file
问题描述
I'm trying to get an Authentication token from Graph Endpoint using a cer/pfx certificate that I have created using self signed.
我正在尝试使用我使用自签名创建的 cer/pfx 证书从 Graph Endpoint 获取身份验证令牌。 I have placed the certificate on the file system.我已将证书放在文件系统上。 Here is the code I'm using:这是我正在使用的代码:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Diagnostics;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
namespace DAL_HTTP
{
public class MSGraphAuth
{
public string _tenantId;
public string _clientId;
public string _certificateThumbprint;
public string _debugCertificatePath;
public string _debugCertificatePassword;
public MSGraphAuth()
{
string TenantName = "testtenant.onmicrosoft.com";
string TenantId = "<tenantid>";
string ClientID = "<appid>";
string AuthenticationContextURL = "https://login.microsoftonline.com/testtenant.onmicrosoft.com";
string AcquireTokenURL = "https://graph.microsoft.com";
string ClientKey = "*********";
string certificateFilePath = @"D:\folder\test.onmicrosoft.com.pfx";
string certificatePassword = "*******";
_tenantId = TenantId;
_clientId = ClientID;
_certificateThumbprint = GetCertificateThumprint(certificateFilePath, certificatePassword);
_debugCertificatePath = certificateFilePath;
_debugCertificatePassword = certificatePassword;
}
public string GetCertificateThumprint(string certificateFilePath, string certPassword)
{
X509Certificate2 cert = new X509Certificate2(certificateFilePath, certPassword);
return cert.Thumbprint;
}
public async Task<string> GetAccessTokenAsync(string url)
{
url = GetTenantUrl(url);
var authContext = new AuthenticationContext($"https://login.microsoftonline.com/{_tenantId}/oauth2/token"); // you can also use the v2.0 endpoint URL
return (await authContext.AcquireTokenAsync(url, GetCertificate(_clientId, _certificateThumbprint))).AccessToken;
}
public static string GetTenantUrl(string url)
{
const string suffix = "sharepoint.com";
var index = url.IndexOf(suffix, StringComparison.OrdinalIgnoreCase);
return index != -1 ? url.Substring(0, index + suffix.Length) : url;
}
public ClientAssertionCertificate GetCertificate(string clientId, string thumbprint)
{
var certificate = GetCertificateFromDirectory(_debugCertificatePath, _debugCertificatePassword);
return new ClientAssertionCertificate(clientId, certificate);
}
public static X509Certificate2 GetCertificateFromDirectory(string path, string password)
{
return new X509Certificate2(System.IO.Path.GetFullPath(path), password, X509KeyStorageFlags.DefaultKeySet);
}
private static X509Certificate2 GetCertificateFromStore(string thumbprint)
{
var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
var certificates = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
store.Close();
return certificates[0];
}
}
}
However, I get an error on this line:但是,我在这一行得到一个错误:
return (await authContext.AcquireTokenAsync(url, GetCertificate(_clientId, _certificateThumbprint))).AccessToken;
The error message reads:错误消息如下:
An unhandled exception of type 'Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException' occurred in mscorlib.dll
Additional information: AADSTS90002: Tenant 'token' not found.
Trace ID: c9d3eac6-77e0-4f56-8c96-ac924ff90700
Correlation ID: e90027e1-cbcb-4291-9630-984c5c23757d
Timestamp: 2020-08-14 17:11:34Z
I've been following these two articles, still I cant get it to work.:我一直在关注这两篇文章,但仍然无法正常工作。:
https://laurakokkarinen.com/authenticating-to-office-365-apis-with-a-certificate-step-by-step/comment-page-2/#comment-697 https://laurakokkarinen.com/authenticating-to-office-365-apis-with-a-certificate-step-by-step/comment-page-2/#comment-697
How to use Microsoft Graph API with Certificates (INTUNE) 如何使用带有证书的 Microsoft Graph API (INTUNE)
What am I doing wrong?我究竟做错了什么? Please help.请帮忙。
1 个解决方案
解决方案1
0 2020-08-17 07:17:24
It seems that you didn't get the token that you want, try this official sample with certificates.看来你没有得到你想要的令牌,试试这个带证书的官方样本。
It uses the client credentials flow to acquire an access token, which can be used to call the Microsoft Graph and access organizational data.它使用客户端凭据流来获取访问令牌,该令牌可用于调用 Microsoft Graph 并访问组织数据。 The sample uses both certificates and client secret, you could just use certificates.该示例同时使用证书和客户端密码,您可以只使用证书。
private static async Task RunAsync()
{
AuthenticationConfig config = AuthenticationConfig.ReadFromJsonFile("appsettings.json");
// Even if this is a console application here, a daemon application is a confidential client application
IConfidentialClientApplication app;
X509Certificate2 certificate = ReadCertificate(config.CertificateName);
app = ConfidentialClientApplicationBuilder.Create(config.ClientId)
.WithCertificate(certificate)
.WithAuthority(new Uri(config.Authority))
.Build();
// With client credentials flows the scopes is ALWAYS of the shape "resource/.default", as the
// application permissions need to be set statically (in the portal or by PowerShell), and then granted by
// a tenant administrator.
string[] scopes = new string[] { $"{config.ApiUrl}.default" };
AuthenticationResult result = null;
try
{
result = await app.AcquireTokenForClient(scopes)
.ExecuteAsync();
Console.ForegroundColor = ConsoleColor.Green;
Console.WriteLine("Token acquired");
Console.ResetColor();
}
catch (MsalServiceException ex) when (ex.Message.Contains("AADSTS70011"))
{
// Invalid scope. The scope has to be of the form "https://resourceurl/.default"
// Mitigation: change the scope to be as expected
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine("Scope provided is not supported");
Console.ResetColor();
}
if (result != null)
{
var httpClient = new HttpClient();
var apiCaller = new ProtectedApiCallHelper(httpClient);
await apiCaller.CallWebApiAndProcessResultASync($"{config.ApiUrl}v1.0/users", result.AccessToken, Display);
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.