[英]Microsoft Identity Web : Azure AD Client Credential flow with Certificate Based Authentication
I am connecting to Graph API with Microsoft Identity Web (MSAL) library.我正在使用 Microsoft Identity Web (MSAL) 库连接到 Graph API。 [https://github.com/AzureAD/microsoft-identity-web][1]
[https://github.com/AzureAD/microsoft-identity-web][1]
For this I am using client credentials flow with certificate based authentication.为此,我将客户端凭据流与基于证书的身份验证一起使用。
My configurations are below我的配置如下
Service Registration服务注册
services.AddMicrosoftIdentityWebApiAuthentication(Configuration)
.EnableTokenAcquisitionToCallDownstreamApi()
.AddMicrosoftGraph(Configuration.GetSection("DownstreamApi"))
.AddInMemoryTokenCaches();
appSettings.json appSettings.json
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "mydomain.onmicrosoft.com",
"TenantId": "xxxxxxx",
"ClientId": "yyyyyyyy",
"ClientCertificates": [
{
"SourceType": "Path",
"CertificateDiskPath": "c:\\cert\\my-cert.pfx",
"CertificatePassword": "password"
}
] }
For this I am getting the below error为此,我收到以下错误
IDW10104: Both client secret and client certificate cannot be null or whitespace, and only ONE must be included in the configuration of the web app when calling a web API.
IDW10104: Both client secret and client certificate cannot be null or whitespace, and only ONE must be included in the configuration of the web app when calling a web API. For instance, in the appsettings.json file.
例如,在 appsettings.json 文件中。
However I am able to accrue token and connect with Graph API using Microsoft.Identity.Client (Using client credentials-flow with certificate based auth)但是,我能够使用Microsoft.Identity.Client累积令牌并与 Graph API 连接(使用客户端凭据流和基于证书的身份验证)
private GraphServiceClient GetGraphServiceClient()
{
var token = GetToken();
GraphServiceClient graphServiceClient =
new GraphServiceClient(new DelegateAuthenticationProvider(async (requestMessage) =>
{
// Add the access token in the Authorization header of the API request.
requestMessage.Headers.Authorization =
new AuthenticationHeaderValue("Bearer", token);
})
);
return graphServiceClient;
}
private string GetToken()
{
var x509Certificate2 =
new X509Certificate2(System.IO.File.ReadAllBytes("MyCert.pfx"), "password");
IConfidentialClientApplication app =
Microsoft.Identity.Client.ConfidentialClientApplicationBuilder.Create("my-client-id")
.WithTenantId("my-tenent-id")
.WithCertificate(x509Certificate2)
.Build();
// With client credentials flows the scopes is ALWAYS of the shape "resource/.default", as the
// application permissions need to be set statically (in the portal or by PowerShell), and then granted by
// a tenant administrator
string[] scopes = new string[] { "https://graph.microsoft.com/.default" };
AuthenticationResult result =
app.AcquireTokenForClient(scopes)
.ExecuteAsync().Result;
return result.AccessToken;
}
Am I missing any configuration here?我在这里缺少任何配置吗?
On workaround关于解决方法
Try with the adding the certificate in the Azure App registration尝试在 Azure App 注册中添加证书
1) Go to the Azure portal . 1) Go 到Azure 门户。 In the left-hand navigation pane, select the Azure Active Directory service, and then select App registrations .
在左侧导航窗格中,select Azure Active Directory 服务,然后是 select应用程序注册。
2) In the resultant screen, select the Select the your application . 2)在结果屏幕中,select Select 您的应用程序。
3) In the Certificates & secrets tab, go to Certificates section: 3)在证书和机密选项卡中,go 到证书部分:
4) Select Upload certificate and, in select the browse button on the right to select the your existing certificate. 4) Select上传证书,在select右边的浏览按钮select你现有的证书。
5) Select Add . 5) Select添加。
For more details refer this document: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/4-WebApp-your-API/4-1-MyOrg/README-use-certificate.md有关更多详细信息,请参阅此文档: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/4-WebApp-your-API/4-1-MyOrg/README -使用证书.md
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.