[英]Getting auth token from Microsoft Graph endpoint using cer or pfx on file
我正在尝试使用我使用自签名创建的 cer/pfx 证书从 Graph Endpoint 获取身份验证令牌。 我已将证书放在文件系统上。 这是我正在使用的代码:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Diagnostics;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
namespace DAL_HTTP
{
public class MSGraphAuth
{
public string _tenantId;
public string _clientId;
public string _certificateThumbprint;
public string _debugCertificatePath;
public string _debugCertificatePassword;
public MSGraphAuth()
{
string TenantName = "testtenant.onmicrosoft.com";
string TenantId = "<tenantid>";
string ClientID = "<appid>";
string AuthenticationContextURL = "https://login.microsoftonline.com/testtenant.onmicrosoft.com";
string AcquireTokenURL = "https://graph.microsoft.com";
string ClientKey = "*********";
string certificateFilePath = @"D:\folder\test.onmicrosoft.com.pfx";
string certificatePassword = "*******";
_tenantId = TenantId;
_clientId = ClientID;
_certificateThumbprint = GetCertificateThumprint(certificateFilePath, certificatePassword);
_debugCertificatePath = certificateFilePath;
_debugCertificatePassword = certificatePassword;
}
public string GetCertificateThumprint(string certificateFilePath, string certPassword)
{
X509Certificate2 cert = new X509Certificate2(certificateFilePath, certPassword);
return cert.Thumbprint;
}
public async Task<string> GetAccessTokenAsync(string url)
{
url = GetTenantUrl(url);
var authContext = new AuthenticationContext($"https://login.microsoftonline.com/{_tenantId}/oauth2/token"); // you can also use the v2.0 endpoint URL
return (await authContext.AcquireTokenAsync(url, GetCertificate(_clientId, _certificateThumbprint))).AccessToken;
}
public static string GetTenantUrl(string url)
{
const string suffix = "sharepoint.com";
var index = url.IndexOf(suffix, StringComparison.OrdinalIgnoreCase);
return index != -1 ? url.Substring(0, index + suffix.Length) : url;
}
public ClientAssertionCertificate GetCertificate(string clientId, string thumbprint)
{
var certificate = GetCertificateFromDirectory(_debugCertificatePath, _debugCertificatePassword);
return new ClientAssertionCertificate(clientId, certificate);
}
public static X509Certificate2 GetCertificateFromDirectory(string path, string password)
{
return new X509Certificate2(System.IO.Path.GetFullPath(path), password, X509KeyStorageFlags.DefaultKeySet);
}
private static X509Certificate2 GetCertificateFromStore(string thumbprint)
{
var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
var certificates = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
store.Close();
return certificates[0];
}
}
}
但是,我在这一行得到一个错误:
return (await authContext.AcquireTokenAsync(url, GetCertificate(_clientId, _certificateThumbprint))).AccessToken;
错误消息如下:
mscorlib.dll 中发生了“Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException”类型的未处理异常
附加信息:AADSTS90002:未找到租户“令牌”。 如果租户没有活动订阅,则可能会发生这种情况。 检查以确保您拥有正确的租户 ID。 请咨询您的订阅管理员。
跟踪 ID:c9d3eac6-77e0-4f56-8c96-ac924ff90700
相关 ID:e90027e1-cbcb-4291-9630-984c5c23757d
时间戳:2020-08-14 17:11:34Z
我一直在关注这两篇文章,但仍然无法正常工作。:
如何使用带有证书的 Microsoft Graph API (INTUNE)
我究竟做错了什么? 请帮忙。
看来你没有得到你想要的令牌,试试这个带证书的官方样本。
它使用客户端凭据流来获取访问令牌,该令牌可用于调用 Microsoft Graph 并访问组织数据。 该示例同时使用证书和客户端密码,您可以只使用证书。
private static async Task RunAsync()
{
AuthenticationConfig config = AuthenticationConfig.ReadFromJsonFile("appsettings.json");
// Even if this is a console application here, a daemon application is a confidential client application
IConfidentialClientApplication app;
X509Certificate2 certificate = ReadCertificate(config.CertificateName);
app = ConfidentialClientApplicationBuilder.Create(config.ClientId)
.WithCertificate(certificate)
.WithAuthority(new Uri(config.Authority))
.Build();
// With client credentials flows the scopes is ALWAYS of the shape "resource/.default", as the
// application permissions need to be set statically (in the portal or by PowerShell), and then granted by
// a tenant administrator.
string[] scopes = new string[] { $"{config.ApiUrl}.default" };
AuthenticationResult result = null;
try
{
result = await app.AcquireTokenForClient(scopes)
.ExecuteAsync();
Console.ForegroundColor = ConsoleColor.Green;
Console.WriteLine("Token acquired");
Console.ResetColor();
}
catch (MsalServiceException ex) when (ex.Message.Contains("AADSTS70011"))
{
// Invalid scope. The scope has to be of the form "https://resourceurl/.default"
// Mitigation: change the scope to be as expected
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine("Scope provided is not supported");
Console.ResetColor();
}
if (result != null)
{
var httpClient = new HttpClient();
var apiCaller = new ProtectedApiCallHelper(httpClient);
await apiCaller.CallWebApiAndProcessResultASync($"{config.ApiUrl}v1.0/users", result.AccessToken, Display);
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.