I am trying to access the Microsoft Graph API to obtain a user's outlook groups.
Here is the code to retrieve the access token:
public static async Task<string> GetGraphAccessTokenAsync()
{
string AzureAdGraphResourceURL = "https://graph.microsoft.com/";
string signedInUserUniqueName = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value;
var userObjectId = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
var clientCredential = new ClientCredential(SettingsHelper.ClientId, SettingsHelper.AppKey);
var userIdentifier = new UserIdentifier(userObjectId, UserIdentifierType.UniqueId);
AuthenticationContext authContext = new AuthenticationContext(
SettingsHelper.Authority, new ADALTokenCache(signedInUserUniqueName));
var result = await authContext.AcquireTokenSilentAsync(AzureAdGraphResourceURL, clientCredential, userIdentifier);
return result.AccessToken;
}
The method uses a settings helper as follows:
public class SettingsHelper
{
private static string _clientId = ConfigurationManager.AppSettings["ida:ClientID"];
private static string _appKey = ConfigurationManager.AppSettings["ida:Password"];
private static string _tenantId = ConfigurationManager.AppSettings["ida:TenantID"];
private static string _authorizationUri = "https://login.windows.net";
private static string _authority = "https://login.windows.net/{0}/";
private static string _graphResourceId = "https://graph.windows.net";
public static string ClientId
{
get
{
return _clientId;
}
}
public static string AppKey
{
get
{
return _appKey;
}
}
public static string TenantId
{
get
{
return _tenantId;
}
}
public static string AuthorizationUri
{
get
{
return _authorizationUri;
}
}
public static string Authority
{
get
{
return String.Format(_authority, _tenantId);
}
}
public static string AADGraphResourceId
{
get
{
return _graphResourceId;
}
}
}
This is the error that I get: Failed to acquire token silently. Call method AcquireToken
Exception Details:
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalSilentTokenAcquisitionException : Failed to acquire token silently. Call method AcquireToken
The error occurs specifically at this line:
var result = await authContext.AcquireTokenSilentAsync(AzureAdGraphResourceURL, clientCredential, userIdentifier);
I have checked to ensure that the UserIdentifier matches the value in the cache, but it stills seems to reject the token. Any ideas of where I might be going wrong?
Firs of all, make sure to use the Microsoft graph endpoint (actually you used the Active directory endpoint)
private static readonly string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
private static readonly string appKey = ConfigurationManager.AppSettings["ida:ClientSecret"];
private static readonly string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
private static readonly string tenantId = ConfigurationManager.AppSettings["ida:TenantId"];
private static readonly string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];
private static readonly string graphResourceId = "https://graph.microsoft.com";
private static readonly Uri graphEndpointId = new Uri("https://graph.microsoft.com/v1.0/");
Before making a Silent call, you have to make a classic call by retrieving a code. I assume you're in an MVC application. Here is my Startup.Auth.cs code :
public void ConfigureAuth(IAppBuilder app)
{
ApplicationDbContext db = new ApplicationDbContext();
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = AuthenticationHelper.ClientId,
Authority = AuthenticationHelper.AadInstance + AuthenticationHelper.TenantId,
PostLogoutRedirectUri = AuthenticationHelper.PostLogoutRedirectUri,
Notifications = new OpenIdConnectAuthenticationNotifications()
{
// If there is a code in the OpenID Connect response, redeem it for an access token and refresh token, and store those away.
AuthorizationCodeReceived =async (context) =>
{
var code = context.Code;
string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
try
{
var result = await AuthenticationHelper.GetAccessTokenByCodeAsync(signedInUserID, code);
}
catch (Exception ex)
{
Debug.WriteLine(ex.Message);
//throw;
}
}
}
});
}
Here is the code I used in my AuthenticationHelper class :
public async static Task<AuthenticationResult> GetAccessTokenByCodeAsync(string signedInUserID, string code)
{
ClientCredential credential = new ClientCredential(clientId, appKey);
AuthenticationContext authContext = new AuthenticationContext(AadInstance + TenantId, new ADALTokenCache(signedInUserID));
AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(
code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, graphResourceId);
return result;
}
and Then, each time I need to make a request to the graph, here is the code I used to get a token :
public async static Task<string> GetTokenForApplicationAsync()
{
string signedInUserID = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value;
string userObjectID = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
// get a token for the Graph without triggering any user interaction (from the cache, via multi-resource refresh token, etc)
ClientCredential clientcred = new ClientCredential(clientId, appKey);
// initialize AuthenticationContext with the token cache of the currently signed in user, as kept in the app's database
AuthenticationContext authenticationContext = new AuthenticationContext(AadInstance + TenantId, new ADALTokenCache(signedInUserID));
AuthenticationResult authenticationResult = await authenticationContext.AcquireTokenSilentAsync(GraphResourceId, clientcred, new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));
return authenticationResult.AccessToken;
}
An other thhings to notice : Make sure your tenantId is the guid of your tenant. For some reason, sometimes, if you use your tenant name, adal make a difference and could raise this kind of error.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.