Microsoft Identity Web:Azure AD 客户端凭据流与基于证书的身份验证
[英]Microsoft Identity Web : Azure AD Client Credential flow with Certificate Based Authentication
问题描述
I am connecting to Graph API with Microsoft Identity Web (MSAL) library.
我正在使用 Microsoft Identity Web (MSAL) 库连接到 Graph API。 [https://github.com/AzureAD/microsoft-identity-web][1] [https://github.com/AzureAD/microsoft-identity-web][1]
For this I am using client credentials flow with certificate based authentication.为此,我将客户端凭据流与基于证书的身份验证一起使用。
My configurations are below我的配置如下
Service Registration服务注册
services.AddMicrosoftIdentityWebApiAuthentication(Configuration)
.EnableTokenAcquisitionToCallDownstreamApi()
.AddMicrosoftGraph(Configuration.GetSection("DownstreamApi"))
.AddInMemoryTokenCaches();
appSettings.json appSettings.json
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "mydomain.onmicrosoft.com",
"TenantId": "xxxxxxx",
"ClientId": "yyyyyyyy",
"ClientCertificates": [
{
"SourceType": "Path",
"CertificateDiskPath": "c:\\cert\\my-cert.pfx",
"CertificatePassword": "password"
}
] }
For this I am getting the below error为此,我收到以下错误
IDW10104: Both client secret and client certificate cannot be null or whitespace, and only ONE must be included in the configuration of the web app when calling a web API.
However I am able to accrue token and connect with Graph API using Microsoft.Identity.Client (Using client credentials-flow with certificate based auth)但是,我能够使用Microsoft.Identity.Client累积令牌并与 Graph API 连接(使用客户端凭据流和基于证书的身份验证)
private GraphServiceClient GetGraphServiceClient()
{
var token = GetToken();
GraphServiceClient graphServiceClient =
new GraphServiceClient(new DelegateAuthenticationProvider(async (requestMessage) =>
{
// Add the access token in the Authorization header of the API request.
requestMessage.Headers.Authorization =
new AuthenticationHeaderValue("Bearer", token);
})
);
return graphServiceClient;
}
private string GetToken()
{
var x509Certificate2 =
new X509Certificate2(System.IO.File.ReadAllBytes("MyCert.pfx"), "password");
IConfidentialClientApplication app =
Microsoft.Identity.Client.ConfidentialClientApplicationBuilder.Create("my-client-id")
.WithTenantId("my-tenent-id")
.WithCertificate(x509Certificate2)
.Build();
// With client credentials flows the scopes is ALWAYS of the shape "resource/.default", as the
// application permissions need to be set statically (in the portal or by PowerShell), and then granted by
// a tenant administrator
string[] scopes = new string[] { "https://graph.microsoft.com/.default" };
AuthenticationResult result =
app.AcquireTokenForClient(scopes)
.ExecuteAsync().Result;
return result.AccessToken;
}
Am I missing any configuration here?我在这里缺少任何配置吗?
1 个解决方案
解决方案1
0 2021-12-24 10:41:48
On workaround关于解决方法
Try with the adding the certificate in the Azure App registration尝试在 Azure App 注册中添加证书
1) Go to the Azure portal . 1) Go 到Azure 门户。 In the left-hand navigation pane, select the Azure Active Directory service, and then select App registrations .在左侧导航窗格中,select Azure Active Directory 服务,然后是 select应用程序注册。
2) In the resultant screen, select the Select the your application . 2)在结果屏幕中,select Select 您的应用程序。
3) In the Certificates & secrets tab, go to Certificates section: 3)在证书和机密选项卡中,go 到证书部分:
4) Select Upload certificate and, in select the browse button on the right to select the your existing certificate. 4) Select上传证书,在select右边的浏览按钮select你现有的证书。
5) Select Add . 5) Select添加。
For more details refer this document: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/4-WebApp-your-API/4-1-MyOrg/README-use-certificate.md有关更多详细信息,请参阅此文档: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/4-WebApp-your-API/4-1-MyOrg/README -使用证书.md
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.