我们正在尝试使用 Microsoft Graph 客户端创建具有“ActivityFeed.Read”权限的 Azure AD 应用程序。下面的示例成功创建了应用程序,但从该应用程序生成的令牌不包含角色“ActivityFeed.Read”。如果我们去 azure 门户并对新创建的应用程序进行任何简单的更改并手动保存并等待一分钟,那么生成的令牌具有所需的角色。
public static void AddApplication()
{
ActiveDirectoryClient activeDirectoryClient = AuthenticationHelper.GetActiveDirectoryClientAsUser();
Application appObject = new Application { DisplayName = "MyNewTest" };
appObject.IdentifierUris.Add("https://localhost/MyNewTest/" + Guid.NewGuid());
appObject.ReplyUrls.Add("https://localhost/MyNewTest");
appObject.Homepage = "https://localhost/MyNewTest/home";
// Add Office 365 Management APIs
RequiredResourceAccess app1 = new RequiredResourceAccess();
app1.ResourceAppId = "c5393580-f805-4401-95e8-94b7a6ef2fc2";
//ActivityFeed.Read Role
app1.ResourceAccess.Add(new ResourceAccess() { Id = Guid.Parse("594c1fb6-4f81-4475-ae41-0c394909246c"), Type = "Role" });
appObject.RequiredResourceAccess.Add(app1);
PasswordCredential passWordCredential = new PasswordCredential
{
StartDate = DateTime.UtcNow,
EndDate = DateTime.UtcNow.AddYears(1),
Value = "xxxxxxxxxx"
};
appObject.PasswordCredentials.Add(passWordCredential);
activeDirectoryClient.Applications.AddApplicationAsync(appObject).Wait();
ServicePrincipal newServicePrincpal = new ServicePrincipal();
if (appObject != null)
{
newServicePrincpal.DisplayName = appObject.DisplayName;
newServicePrincpal.AccountEnabled = true;
newServicePrincpal.AppId = appObject.AppId;
activeDirectoryClient.ServicePrincipals.AddServicePrincipalAsync(newServicePrincpal).Wait();
}
}
以下是创建新应用程序后立即用于 oauth2 身份验证的解码 jwt 令牌数据。
{
"aud": "https://manage.office.com",
"iss": "https://sts.windows.net/de473ccc-dbc5-4625-8006-11e0e3ea8b7d/",
"iat": 1455531167,
"nbf": 1455531167,
"exp": 1455535067,
"appid": "71da9ffb-b583-43c4-bb7a-9c6e1fe30624",
"appidacr": "1",
"idp": "https://sts.windows.net/de473ccc-dbc5-4625-8006-11e0e3ea8b7d/",
"oid": "36a47844-98e8-44d5-b69e-cf114772d1d3",
"sub": "36a47844-98e8-44d5-b69e-cf114772d1d3",
"tid": "de473ccc-dbc5-4625-8006-11e0e3ea8b7d",
"ver": "1.0"
}
下面是解码后的用于 oauth2 身份验证的 jwt 令牌数据,我们进行了一些手动更改并保存后。
{
"aud": "https://manage.office.com",
"iss": "https://sts.windows.net/de473ccc-dbc5-4625-8006-11e0e3ea8b7d/",
"iat": 1455531317,
"nbf": 1455531317,
"exp": 1455535217,
"appid": "71da9ffb-b583-43c4-bb7a-9c6e1fe30624",
"appidacr": "1",
"idp": "https://sts.windows.net/de473ccc-dbc5-4625-8006-11e0e3ea8b7d/",
"oid": "36a47844-98e8-44d5-b69e-cf114772d1d3",
"roles": [
"ActivityFeed.Read"
],
"sub": "36a47844-98e8-44d5-b69e-cf114772d1d3",
"tid": "de473ccc-dbc5-4625-8006-11e0e3ea8b7d",
"ver": "1.0"
}
请让我们知道如何以编程方式创建具有所需角色的应用程序。