[英]Azure API - AUTHENTICATING APIS WITH A CLIENT CERTIFICATE + OAUTH 2.0
我已經通過使用客戶端密碼創建令牌實現了 OAuth 2.0 Azure API 身份驗證。 我正在嘗試使用客戶端證書而不是客戶端密碼來創建 OAuth 2.0 令牌。 您能否指導我如何使用客戶端證書獲取令牌? 請提供 C# 實現所需的代碼。
試試看這里。 它展示了如何通過 HTTP 請求獲取帶有證書的訪問令牌。
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_id=<client-id>
&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
&client_assertion=<An assertion (a JSON web token) that you need to create and sign with the certificate you registered as credentials for your application. >
&grant_type=client_credentials
C#:
1. 使用 Azure.Identity
// Authenticate a service principal with a certificate
using Azure.Identity;
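// Azure.Identity names this type ClientCertificateCredential; "CertificateCredential"
// does not resolve. tenantId / clientId must be defined by the caller.
// If the .pfx is password-protected use the (path, password) constructor overload,
// and keep the file out of the deployed/committed application tree.
var certificate = new X509Certificate2("./app/certs/certificate.pfx");
var credential = new ClientCertificateCredential(tenantId, clientId, certificate);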
2. 在 MSAL.NET 中使用 WithCertificate
博客: https://cmatskas.com/create-a-net-core-deamon-app-that-calls-msgraph-with-a-certificate/
using Microsoft.Graph;
using Microsoft.Identity.Client;
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
namespace DaemonConsole
{
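public class ClientCredentialsAuthProvider : IAuthenticationProvider
{
    private readonly IConfidentialClientApplication msalClient;
    private readonly string[] scopes;

    /// <summary>
    /// Builds a confidential client that authenticates with the locally installed certificate
    /// whose subject distinguished name matches <c>config.CertificateName</c>.
    /// </summary>
    /// <param name="config">Client id, tenant, scope and certificate subject name.</param>
    /// <exception cref="InvalidOperationException">No matching, time-valid certificate is installed.</exception>
    public ClientCredentialsAuthProvider(AuthenticationConfig config)
    {
        scopes = new string[] { config.Scopes };
        msalClient = ConfidentialClientApplicationBuilder
            .Create(config.ClientId)
            .WithCertificate(ReadCertificateLocal(config.CertificateName))
            .WithAuthority(AadAuthorityAudience.AzureAdMyOrg, true)
            .WithTenantId(config.Tenant)
            .Build();
    }

    /// <summary>
    /// Acquires an app-only access token for the configured scopes.
    /// </summary>
    /// <returns>
    /// The access token, or <c>null</c> if acquisition failed (the error message is written
    /// to the console).
    /// </returns>
    public async Task<string> GetAccessTokenAsync()
    {
        try
        {
            var result = await msalClient.AcquireTokenForClient(scopes)
                .ExecuteAsync();
            return result.AccessToken;
        }
        catch (Exception exception)
        {
            Console.WriteLine($"Error getting access token: {exception.Message}");
            return null;
        }
    }

    // This is the required function to implement IAuthenticationProvider
    // The Graph SDK will call this function each time it makes a Graph call.
    /// <summary>Attaches a bearer token to the outgoing Graph request.</summary>
    /// <param name="requestMessage">The request the Graph SDK is about to send.</param>
    /// <exception cref="InvalidOperationException">No access token could be acquired.</exception>
    public async Task AuthenticateRequestAsync(HttpRequestMessage requestMessage)
    {
        var token = await GetAccessTokenAsync();
        // GetAccessTokenAsync returns null on failure; sending the request with an empty
        // bearer header would only surface later as an opaque 401, so fail here instead.
        if (string.IsNullOrEmpty(token))
        {
            throw new InvalidOperationException("Could not acquire an access token; see console output for the underlying error.");
        }
        requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", token);
    }

    /// <summary>
    /// Finds the newest certificate in the current user's personal store whose subject
    /// distinguished name matches <paramref name="certificateName"/> and that is valid now.
    /// </summary>
    /// <param name="certificateName">Subject distinguished name of the application certificate.</param>
    /// <returns>The matching certificate with the latest NotBefore.</returns>
    /// <exception cref="InvalidOperationException">No matching, time-valid certificate is installed.</exception>
    private X509Certificate2 ReadCertificateLocal(string certificateName)
    {
        using (X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly: false — no chain validation is performed, so self-signed app
            // certificates are returned; the result is still narrowed to the current time.
            X509Certificate2Collection currentCerts = store.Certificates.Find(X509FindType.FindByTimeValid, DateTime.Now, false);
            X509Certificate2Collection signingCert = currentCerts.Find(X509FindType.FindBySubjectDistinguishedName, certificateName, false);
            // Several certs may share a subject (e.g. after rotation); prefer the most recently issued.
            X509Certificate2 cert = signingCert.OfType<X509Certificate2>().OrderByDescending(c => c.NotBefore).FirstOrDefault();
            if (cert == null)
            {
                // Presumably MSAL would reject a null certificate anyway; failing here names the subject that was looked for.
                throw new InvalidOperationException($"No time-valid certificate with subject '{certificateName}' found in CurrentUser\\My.");
            }
            return cert;
        }
    }
}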
}