microsoft authentication graph helpers
1.0.0
如下:https://github.com/azuread/microsoft-indistity-web,以基於MSAL的更好和支持的方法。
該庫的目的是簡化與Microsoft身份驗證庫的互動,並調用第一方和其他API。
請記住,這仍在進行中,並且現在缺少諸如緩存中的數據保護之類的東西。
// This library depends on MemoryCache / DistributedMemorycache for storing Tokens from the TokenCache
services . AddMemoryCache ( ) ;
services . AddSingleton ( new ClientCredential ( _config [ "AzureAd:ClientId" ] , _config [ "AzureAd:ClientSecret" ] ) ) ;
services . AddScoped < TokenCacheFactory > ( ) ;
services . AddScoped < AdalFactory > ( ) ;
services . AddScoped < MicrosoftGraphFactory > ( ) ;
services . AddScoped < AzureAdGraphFactory > ( ) ; services . Configure < OpenIdConnectOptions > ( AzureADDefaults . OpenIdScheme , options =>
{
options . ResponseType = OpenIdConnectResponseType . CodeIdToken ;
options . Events = new OpenIdConnectEvents ( )
{
OnAuthorizationCodeReceived = async context =>
{
var authContext = context . HttpContext . RequestServices . GetRequiredService < AdalFactory > ( ) . GetAuthenticationContextForUser ( context . Principal ) ;
var clientCred = context . HttpContext . RequestServices . GetRequiredService < Microsoft . IdentityModel . Clients . ActiveDirectory . ClientCredential > ( ) ;
var authResult = await authContext . AcquireTokenByAuthorizationCodeAsync ( context . ProtocolMessage . Code , new Uri ( context . Properties . Items [ OpenIdConnectDefaults . RedirectUriForCodePropertiesKey ] ) , clientCred , "https://graph.microsoft.com" ) ;
context . HandleCodeRedemption ( authResult . AccessToken , authResult . IdToken ) ;
} ,
} ;
} ) ; public class HomeController : Controller
{
private readonly MicrosoftGraphFactory _graphFactory ;
public HomeController ( MicrosoftGraphFactory graphFactory )
{
_graphFactory = graphFactory ;
}
[ Authorize ]
public async Task < IActionResult > Index ( )
{
var graphClient = _graphFactory . GetClientForUser ( HttpContext . User ) ;
var users = await graphClient . Users . Request ( ) . GetAsync ( ) ;
return Json ( users ) ;
}
public async Task < IActionResult > IndexAsApp ( )
{
var tenantId = "" ;
var graphClient = _graphFactory . GetClientForApplication ( tenantId ) ;
var users = await graphClient . Users . Request ( ) . GetAsync ( ) ;
return Json ( users ) ;
}
} 設置上述內容後,您還可以使用AzureAdAuthorizationAttribute 。這樣做的目的是使Azure AD角色和團體更簡單地授權。
借助此擴展名,您可以利用實時組和基於角色的授權。目前,設置是必須滿足任何一個要求。如果您想要多個,例如小組成員資格和角色,只需將其彼此堆疊。
為此,您還需要將IHttpContextAccessor添加到您的服務中。
public void ConfigureServices ( IServiceCollection services )
{
.. .
services . AddHttpContextAccessor ( ) ;
.. .
} public class HomeController : Controller
{
[ AzureAdAuthorization ( roles : new string [ ] { AzureAdRoles . CompanyAdministrator } , groups : new string [ ] { ApplicationGroupIds . AppAdministrators } ) ]
public async Task < IActionResult > Index ( )
{
var graphClient = _graphFactory . GetClientForUser ( HttpContext . User ) ;
var users = await graphClient . Users . Request ( ) . GetAsync ( ) ;
return Json ( users ) ;
}
} 為了使此工作起作用,您需要在項目中正確設置JWTBearerMiddleware(使用SaveTokens = true )的JWTBearerMiddleware。此方法簡化了在利用令牌緩存和所有內容時的流動令牌兌換。
public class HomeController : Controller
{
private readonly MicrosoftGraphFactory _graphFactory ;
public HomeController ( MicrosoftGraphFactory graphFactory )
{
_graphFactory = graphFactory ;
}
[ Authorize ( JwtBearerDefaults . AuthenticationScheme ) ]
public async Task < IActionResult > Index ( )
{
var graphClient = _graphFactory . GetClientForApiUser ( HttpContext . GetTokenAsync ( "access_token" ) , HttpContext . User ) ;
var users = await graphClient . Users . Request ( ) . GetAsync ( ) ;
return Json ( users ) ;
}
}
