
Query the AAD Graph API as a specific user

  • I have a webapi which is being called on behalf of a user by a service.
  • I have the user's Id, but not their auth token.

My objective is to check if this user belongs to a specified group.

I am trying to connect to the graph with the service account, but I'm not sure how. I've tried looking at UserPasswordCredential, but AcquireTokenAsync doesn't take that as an argument. It does take a UserAssertion, but I'm having trouble finding documentation on the proper construction of that object.

Any help would be appreciated.

If you are developing with .NET Framework, AcquireTokenAsync does provide an overload that takes a UserPasswordCredential.

Here is the code sample for your reference:

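// Second constructor argument is validateAuthority.
AuthenticationContext authenticationContext = new AuthenticationContext(UserModeConstants.AuthString, false);
string resource = "";   // resource the token is requested for
string clientId = "";   // client id of the native client application
string userName = "";
string password = "";
UserPasswordCredential userPasswordCredential = new UserPasswordCredential(userName, password);
// .Result blocks the calling thread until the token request completes.
var token = authenticationContext.AcquireTokenAsync(resource, clientId, userPasswordCredential).Result.AccessToken;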

I am using version 3.13.5.907 of Microsoft.IdentityModel.Clients.ActiveDirectory. This method only works for the native client application you register on Azure AD, since it doesn't provide the credential. If you want it to work for a web application/web API, you can make an HTTP request directly, like below:

POST: https://login.microsoftonline.com/xxxxx.onmicrosoft.com/oauth2/token

Content-Type: application/x-www-form-urlencoded
resource={resource}&client_id={clientId}&grant_type=password&username={userName}&password={password}&scope=openid&client_secret={clientSecret}
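
The HTTP request from the answer above, written out in C# as an added example (not part of the original answer) so that every form value is percent-encoded and the credentials stay out of source. The class name and the AAD_* environment variable names are hypothetical, and System.Text.Json is assumed to be available (built into .NET Core 3.0+, a NuGet package on .NET Framework).

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;

static class RopcTokenClient
{
    static readonly HttpClient Http = new HttpClient();

    // FormUrlEncodedContent percent-encodes every value, so '&', '+' or '='
    // in a password or client secret cannot corrupt or extend the body.
    public static HttpRequestMessage BuildTokenRequest(string tenant, string resource,
        string clientId, string clientSecret, string userName, string password)
    {
        var form = new Dictionary<string, string>
        {
            ["resource"] = resource,
            ["client_id"] = clientId,
            ["grant_type"] = "password",
            ["username"] = userName,
            ["password"] = password,
            ["scope"] = "openid",
            ["client_secret"] = clientSecret,
        };
        var url = $"https://login.microsoftonline.com/{Uri.EscapeDataString(tenant)}/oauth2/token";
        return new HttpRequestMessage(HttpMethod.Post, url) { Content = new FormUrlEncodedContent(form) };
    }

    // Hypothetical environment variable names; keeps credentials out of source.
    static string Env(string name) => Environment.GetEnvironmentVariable(name)
        ?? throw new InvalidOperationException(name + " is not set");

    public static async Task<string> AcquireTokenAsync(string tenant, string resource)
    {
        using (var request = BuildTokenRequest(tenant, resource, Env("AAD_CLIENT_ID"),
            Env("AAD_CLIENT_SECRET"), Env("AAD_USERNAME"), Env("AAD_PASSWORD")))
        using (var response = await Http.SendAsync(request))
        using (var json = JsonDocument.Parse(await response.Content.ReadAsStringAsync()))
        {
            if (response.IsSuccessStatusCode)
                return json.RootElement.GetProperty("access_token").GetString();
            // Report only the OAuth error code; never log the request body.
            var code = json.RootElement.TryGetProperty("error", out var e) ? e.GetString() : "unknown";
            throw new HttpRequestException("Token request failed: " + code);
        }
    }
}
```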
