无法登录 login.microsoftonline.com oauth 2 授权端点
[英]Unable to sign in to login.microsoftonline.com oauth 2 authorize endpoint
问题描述
I've tried different ways to connect the Microsoft sign in function which open a webpage so you can use things like sign in with MFA.
我尝试了不同的方法来连接微软登录 function 打开一个网页,这样您就可以使用诸如使用 MFA 登录之类的东西。 I manage to get this to work in Postman and now im trying it in C# particularly in .NET MVC 5.我设法让它在 Postman 中工作,现在我在 C# 中尝试它,特别是在 .NET MVC 5 中。
HomeController:家庭控制器:
public ActionResult TestAuth()
{
HttpClient client = new HttpClient();
var bodyParams = new Dictionary<string, string>();
bodyParams.Add("client_id", "{my_client_id}");
bodyParams.Add("client_secret", "{my_client_secret}");
bodyParams.Add("scope", "openid");
bodyParams.Add("redirect_uri", "https://localhost");
bodyParams.Add("grant_type", "authorization_code");
var response = client.PostAsync("https://login.microsoftonline.com/{my_tenant_id}/oauth2/v2.0/authorize", new FormUrlEncodedContent(bodyParams)).Result;
return View("TestAuth", new { response.Content.ReadAsStringAsync().Result });
}
View TestAuth.cshtml:查看 TestAuth.cshtml:
@model dynamic
@Html.Raw(Model)
If i sign in with my email on that domain, or any text at all really, i get this message.如果我在该域上使用我的 email 或任何文本登录,我会收到此消息。 I cannot see why this issue occurs it gives me zero information what to do next more than just trying until you make it basically:).我不明白为什么会出现这个问题,它给了我零信息下一步该做什么,而不仅仅是尝试直到你基本上做到:)。 I've looked at tons of different Microsoft documentations, Stack posts, forums etc but with no success.我查看了大量不同的 Microsoft 文档、Stack 帖子、论坛等,但没有成功。
The postman call example: postman 调用示例:
Is it possible I'm doing something wrong in the request in the c# code or am i missing something important like configurations in Azure AD etc?是否有可能我在 c# 代码中的请求中做错了什么,或者我错过了一些重要的东西,比如 Azure AD 等中的配置?
I'm up for anything that will work that i can sign into a Microsoft account that use MFA, then i can use their login to fetch data from Microsoft Graph based on their permissions basically.我愿意做任何可以登录到使用 MFA 的 Microsoft 帐户的工作,然后我可以使用他们的登录名根据他们的权限从 Microsoft Graph 获取数据。
PS I also can fetch data with the access token generated from postman so it's working as expected. PS 我还可以使用从 postman 生成的访问令牌获取数据,因此它可以按预期工作。 I only need to "convert the postman call to c#" to make it work esentially.我只需要“将 postman 调用转换为 c#”即可使其正常工作。 Any help is appreciated:)任何帮助表示赞赏:)
2 个解决方案
解决方案1
0 2021-03-26 16:58:23
You're trying to do an oauth2 request from the controller.您正在尝试从 controller 发出 oauth2 请求。 The request you're sending is incorrect.您发送的请求不正确。
Microsoft made a great sample on how to use the Microsoft identity platform in a dotnet application https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC Microsoft 就如何在 dotnet 应用程序https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC中使用 Microsoft 标识平台制作了一个很好的示例
In a nutshell you redirect the user to the endpoint (so not a get/post from the controller, but actually a redirect 302 response to the token url).简而言之,您将用户重定向到端点(因此不是来自 controller 的 get/post,而是对令牌 url 的重定向 302 响应)。 The user then has to login and is redirected to the webapplication.然后用户必须登录并被重定向到 web 应用程序。 Your webapplication will get an authorization code that is has to exchange for an access token by a post request.您的 Web 应用程序将获得一个授权码,该授权码必须通过发布请求交换访问令牌。
Postman does this for you, but in order to do it in dotnet core, just follow the sample. Postman 为您执行此操作,但为了在 dotnet core 中执行此操作,只需按照示例操作即可。
解决方案2
0 已采纳 2021-04-01 08:39:52
I didn't find a soultion to this specific problem what i did find was another guide which led me to this github project https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect Which had similar code in the Startup.cs file but actually had some examples like SendMail and ReadMail etc which was fetched from ms graph api.我没有找到解决这个特定问题的方法,但我确实找到了另一个指南,它让我找到了这个 github 项目https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect有类似的代码在 Startup.cs 文件中,但实际上有一些示例,例如 SendMail 和 ReadMail 等,这些示例是从 ms 图 api 中获取的。 This gave me some idea of how this project was structured compared to mine.与我的相比,这让我对这个项目的结构有了一些了解。 So one thing that was missing was this part I couldnt figure out:所以缺少的一件事是这部分我无法弄清楚:
IConfidentialClientApplication app = await MsalAppBuilder.BuildConfidentialClientApplication();
var account = await app.GetAccountAsync(ClaimsPrincipal.Current.GetAccountId());
So the Msal app builder which is a custom made thingy i needed to get the current user etc which i needed.因此,Msal 应用程序构建器是我需要的定制的东西来获取我需要的当前用户等。 This works fine and after that i can start doing requests to the graph api like adding scopes etc and make http request.这工作正常,之后我可以开始对图 api 发出请求,例如添加范围等并发出 http 请求。
Example see groups:示例见组:
[Authorize]
[HttpGet]
public async Task<ActionResult> GetGroups()
{
IConfidentialClientApplication app = await MsalAppBuilder.BuildConfidentialClientApplication();
var account = await app.GetAccountAsync(ClaimsPrincipal.Current.GetAccountId());
string[] scopes = { "GroupMember.Read.All", "Group.Read.All", "Group.ReadWrite.All", "Directory.Read.All", "Directory.AccessAsUser.All", "Directory.ReadWrite.All" };
AuthenticationResult result = null;
HttpClient client = new HttpClient();
HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, "https://graph.microsoft.com/v1.0/groups");
try
{
//Get acccess token before sending request
result = await app.AcquireTokenSilent(scopes, account).ExecuteAsync().ConfigureAwait(false);
if (result != null)
{
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
//Request to get groups
HttpResponseMessage response = await client.SendAsync(request);
if (response.IsSuccessStatusCode)
{
ViewBag.Groups= response.Content.ReadAsStringAsync().Result;
return View("MyView");
}
}
}
catch (Exception ex)
{
Response.Write($"Error occured:{System.Environment.NewLine}{ex}");
}
return View();
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.