我正在使用 Microsoft Identity Web (MSAL) 库连接到 Graph API。[https://github.com/AzureAD/microsoft-identity-web][1]
为此,我将客户端凭据流与基于证书的身份验证一起使用。
我的配置如下
服务注册
services.AddMicrosoftIdentityWebApiAuthentication(Configuration)
.EnableTokenAcquisitionToCallDownstreamApi()
.AddMicrosoftGraph(Configuration.GetSection("DownstreamApi"))
.AddInMemoryTokenCaches();
appSettings.json
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "mydomain.onmicrosoft.com",
"TenantId": "xxxxxxx",
"ClientId": "yyyyyyyy",
"ClientCertificates": [
{
"SourceType": "Path",
"CertificateDiskPath": "c:\\cert\\my-cert.pfx",
"CertificatePassword": "password"
}
] }
为此,我收到以下错误
IDW10104:客户端密钥和客户端证书都不能为空或空格,并且在调用 Web API 时,Web 应用程序的配置中只能包含 ONE。例如,在 appsettings.json 文件中。
但是,我能够使用Microsoft.Identity.Client累积令牌并与 Graph API 连接(使用客户端凭据流和基于证书的身份验证)
private GraphServiceClient GetGraphServiceClient()
{
var token = GetToken();
GraphServiceClient graphServiceClient =
new GraphServiceClient(new DelegateAuthenticationProvider(async (requestMessage) =>
{
// Add the access token in the Authorization header of the API request.
requestMessage.Headers.Authorization =
new AuthenticationHeaderValue("Bearer", token);
})
);
return graphServiceClient;
}
private string GetToken()
{
var x509Certificate2 =
new X509Certificate2(System.IO.File.ReadAllBytes("MyCert.pfx"), "password");
IConfidentialClientApplication app =
Microsoft.Identity.Client.ConfidentialClientApplicationBuilder.Create("my-client-id")
.WithTenantId("my-tenent-id")
.WithCertificate(x509Certificate2)
.Build();
// With client credentials flows the scopes is ALWAYS of the shape "resource/.default", as the
// application permissions need to be set statically (in the portal or by PowerShell), and then granted by
// a tenant administrator
string[] scopes = new string[] { "https://graph.microsoft.com/.default" };
AuthenticationResult result =
app.AcquireTokenForClient(scopes)
.ExecuteAsync().Result;
return result.AccessToken;
}
我在这里缺少任何配置吗?
