microsoft authentication graph helpers
1.0.0
如下:https://github.com/azuread/microsoft-indistity-web,以基于MSAL的更好和支持的方法。
该库的目的是简化与Microsoft身份验证库的互动,并调用第一方和其他API。
请记住,这仍在进行中,并且现在缺少诸如缓存中的数据保护之类的东西。
// This library depends on MemoryCache / DistributedMemorycache for storing Tokens from the TokenCache
services . AddMemoryCache ( ) ;
services . AddSingleton ( new ClientCredential ( _config [ "AzureAd:ClientId" ] , _config [ "AzureAd:ClientSecret" ] ) ) ;
services . AddScoped < TokenCacheFactory > ( ) ;
services . AddScoped < AdalFactory > ( ) ;
services . AddScoped < MicrosoftGraphFactory > ( ) ;
services . AddScoped < AzureAdGraphFactory > ( ) ; services . Configure < OpenIdConnectOptions > ( AzureADDefaults . OpenIdScheme , options =>
{
options . ResponseType = OpenIdConnectResponseType . CodeIdToken ;
options . Events = new OpenIdConnectEvents ( )
{
OnAuthorizationCodeReceived = async context =>
{
var authContext = context . HttpContext . RequestServices . GetRequiredService < AdalFactory > ( ) . GetAuthenticationContextForUser ( context . Principal ) ;
var clientCred = context . HttpContext . RequestServices . GetRequiredService < Microsoft . IdentityModel . Clients . ActiveDirectory . ClientCredential > ( ) ;
var authResult = await authContext . AcquireTokenByAuthorizationCodeAsync ( context . ProtocolMessage . Code , new Uri ( context . Properties . Items [ OpenIdConnectDefaults . RedirectUriForCodePropertiesKey ] ) , clientCred , "https://graph.microsoft.com" ) ;
context . HandleCodeRedemption ( authResult . AccessToken , authResult . IdToken ) ;
} ,
} ;
} ) ; public class HomeController : Controller
{
private readonly MicrosoftGraphFactory _graphFactory ;
public HomeController ( MicrosoftGraphFactory graphFactory )
{
_graphFactory = graphFactory ;
}
[ Authorize ]
public async Task < IActionResult > Index ( )
{
var graphClient = _graphFactory . GetClientForUser ( HttpContext . User ) ;
var users = await graphClient . Users . Request ( ) . GetAsync ( ) ;
return Json ( users ) ;
}
public async Task < IActionResult > IndexAsApp ( )
{
var tenantId = "" ;
var graphClient = _graphFactory . GetClientForApplication ( tenantId ) ;
var users = await graphClient . Users . Request ( ) . GetAsync ( ) ;
return Json ( users ) ;
}
} 设置上述内容后,您还可以使用AzureAdAuthorizationAttribute 。这样做的目的是使Azure AD角色和团体更简单地授权。
借助此扩展名,您可以利用实时组和基于角色的授权。目前,设置是必须满足任何一个要求。如果您想要多个,例如小组成员资格和角色,只需将其彼此堆叠。
为此,您还需要将IHttpContextAccessor添加到您的服务中。
public void ConfigureServices ( IServiceCollection services )
{
.. .
services . AddHttpContextAccessor ( ) ;
.. .
} public class HomeController : Controller
{
[ AzureAdAuthorization ( roles : new string [ ] { AzureAdRoles . CompanyAdministrator } , groups : new string [ ] { ApplicationGroupIds . AppAdministrators } ) ]
public async Task < IActionResult > Index ( )
{
var graphClient = _graphFactory . GetClientForUser ( HttpContext . User ) ;
var users = await graphClient . Users . Request ( ) . GetAsync ( ) ;
return Json ( users ) ;
}
} 为了使此工作起作用,您需要在项目中正确设置JWTBearerMiddleware(使用SaveTokens = true )的JWTBearerMiddleware。此方法简化了在利用令牌缓存和所有内容时的流动令牌兑换。
public class HomeController : Controller
{
private readonly MicrosoftGraphFactory _graphFactory ;
public HomeController ( MicrosoftGraphFactory graphFactory )
{
_graphFactory = graphFactory ;
}
[ Authorize ( JwtBearerDefaults . AuthenticationScheme ) ]
public async Task < IActionResult > Index ( )
{
var graphClient = _graphFactory . GetClientForApiUser ( HttpContext . GetTokenAsync ( "access_token" ) , HttpContext . User ) ;
var users = await graphClient . Users . Request ( ) . GetAsync ( ) ;
return Json ( users ) ;
}
}
