使用文件上的 cer 或 pfx 从 Microsoft Graph 端点获取身份验证令牌

Question

我正在尝试使用我使用自签名创建的 cer/pfx 证书从 Graph Endpoint 获取身份验证令牌。 我已将证书放在文件系统上。 这是我正在使用的代码：

    using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Diagnostics;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

namespace DAL_HTTP
{
    public class MSGraphAuth
    {
        public string _tenantId;
        public string _clientId;
        public string _certificateThumbprint;
        public string _debugCertificatePath;
        public string _debugCertificatePassword;

        public MSGraphAuth()
        {
            string TenantName = "testtenant.onmicrosoft.com";
            string TenantId = "<tenantid>";
            string ClientID = "<appid>";
            string AuthenticationContextURL = "https://login.microsoftonline.com/testtenant.onmicrosoft.com";
            string AcquireTokenURL = "https://graph.microsoft.com";
            string ClientKey = "*********";
            string certificateFilePath = @"D:\folder\test.onmicrosoft.com.pfx";
            string certificatePassword = "*******";

            _tenantId = TenantId;
            _clientId = ClientID;
            _certificateThumbprint = GetCertificateThumprint(certificateFilePath, certificatePassword);
            _debugCertificatePath = certificateFilePath;
            _debugCertificatePassword = certificatePassword;

        }

        public string GetCertificateThumprint(string certificateFilePath, string certPassword)
        {
            X509Certificate2 cert = new X509Certificate2(certificateFilePath, certPassword);

            return cert.Thumbprint;
        }

        public async Task<string> GetAccessTokenAsync(string url)
        {
            url = GetTenantUrl(url);

            var authContext = new AuthenticationContext($"https://login.microsoftonline.com/{_tenantId}/oauth2/token"); // you can also use the v2.0 endpoint URL

            return (await authContext.AcquireTokenAsync(url, GetCertificate(_clientId, _certificateThumbprint))).AccessToken;
        }

        public static string GetTenantUrl(string url)
        {
            const string suffix = "sharepoint.com";
            var index = url.IndexOf(suffix, StringComparison.OrdinalIgnoreCase);
            return index != -1 ? url.Substring(0, index + suffix.Length) : url;
        }

        public ClientAssertionCertificate GetCertificate(string clientId, string thumbprint)
        {
            var certificate = GetCertificateFromDirectory(_debugCertificatePath, _debugCertificatePassword);
            return new ClientAssertionCertificate(clientId, certificate);
        }

        public static X509Certificate2 GetCertificateFromDirectory(string path, string password)
        {
            return new X509Certificate2(System.IO.Path.GetFullPath(path), password, X509KeyStorageFlags.DefaultKeySet);
        }

        private static X509Certificate2 GetCertificateFromStore(string thumbprint)
        {
            var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);

            store.Open(OpenFlags.ReadOnly);

            var certificates = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);

            store.Close();

            return certificates[0];
        }
    }
}

但是，我在这一行得到一个错误：

return (await authContext.AcquireTokenAsync(url, GetCertificate(_clientId, _certificateThumbprint))).AccessToken;

错误消息如下：

mscorlib.dll 中发生了“Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException”类型的未处理异常

附加信息：AADSTS90002：未找到租户“令牌”。 如果租户没有活动订阅，则可能会发生这种情况。 检查以确保您拥有正确的租户 ID。 请咨询您的订阅管理员。

跟踪 ID：c9d3eac6-77e0-4f56-8c96-ac924ff90700

相关 ID：e90027e1-cbcb-4291-9630-984c5c23757d

时间戳：2020-08-14 17:11:34Z

我一直在关注这两篇文章，但仍然无法正常工作。：

https://laurakokkarinen.com/authenticating-to-office-365-apis-with-a-certificate-step-by-step/comment-page-2/#comment-697

如何使用带有证书的 Microsoft Graph API (INTUNE)

我究竟做错了什么？ 请帮忙。

Answer 1

看来你没有得到你想要的令牌，试试这个带证书的官方样本。

它使用客户端凭据流来获取访问令牌，该令牌可用于调用 Microsoft Graph 并访问组织数据。 该示例同时使用证书和客户端密码，您可以只使用证书。

private static async Task RunAsync()
    {
        AuthenticationConfig config = AuthenticationConfig.ReadFromJsonFile("appsettings.json");

        // Even if this is a console application here, a daemon application is a confidential client application
        IConfidentialClientApplication app;

        X509Certificate2 certificate = ReadCertificate(config.CertificateName);
        app = ConfidentialClientApplicationBuilder.Create(config.ClientId)
             .WithCertificate(certificate)
             .WithAuthority(new Uri(config.Authority))
             .Build();
        

        // With client credentials flows the scopes is ALWAYS of the shape "resource/.default", as the 
        // application permissions need to be set statically (in the portal or by PowerShell), and then granted by
        // a tenant administrator. 
        string[] scopes = new string[] { $"{config.ApiUrl}.default" }; 
        
        AuthenticationResult result = null;
        try
        {
            result = await app.AcquireTokenForClient(scopes)
                .ExecuteAsync();
            Console.ForegroundColor = ConsoleColor.Green;
            Console.WriteLine("Token acquired");
            Console.ResetColor();
        }
        catch (MsalServiceException ex) when (ex.Message.Contains("AADSTS70011"))
        {
            // Invalid scope. The scope has to be of the form "https://resourceurl/.default"
            // Mitigation: change the scope to be as expected
            Console.ForegroundColor = ConsoleColor.Red;
            Console.WriteLine("Scope provided is not supported");
            Console.ResetColor();
        }

        if (result != null)
        {
            var httpClient = new HttpClient();
            var apiCaller = new ProtectedApiCallHelper(httpClient);
            await apiCaller.CallWebApiAndProcessResultASync($"{config.ApiUrl}v1.0/users", result.AccessToken, Display);
        }
    }