How to access Graph API from a Web API with ADAL JS issued implicit grant token
I have a Web API built in Java that returns database information to a SPA. Before passing the response along, I need to check the user's group information using the AAD Graph API. Right now the Web API accepts the request and reads the user's token (eyJ...).

What are the next steps to get the application ready to send requests to the Graph API on behalf of the user?

I tried sending a request with the user's token in an Authorization: Bearer ey... header but received an Authentication_MissingOrMalformed error. I have also tried various edits to the application manifest and delegated permissions, without success.
The access token your API receives is meant only for your API. You need to obtain a new access token for the Azure AD Graph API on behalf of the current user.

Fortunately, that is exactly what the on-behalf-of flow is for. From Authentication Scenarios for Azure AD:
Delegated User Identity with OAuth 2.0 On-Behalf-Of Draft Specification
The flow discussed below assumes that a user has been authenticated on another application (such as a native application), and their user identity has been used to acquire an access token to the first-tier web API.
- The native application sends the access token to the first-tier web API.
- The first-tier web API sends a request to Azure AD’s token endpoint, providing its client ID and credentials, as well as the user’s access token. In addition, the request is sent with an on_behalf_of parameter that indicates the web API is requesting new tokens to call a downstream web API on behalf of the original user.
- Azure AD verifies that the first-tier web API has permissions to access the second-tier web API and validates the request, returning a JWT access token and a JWT refresh token to the first-tier web API.
- Over HTTPS, the first-tier web API then calls the second-tier web API by appending the token string in the Authorization header in the request. The first-tier web API can continue to call the second-tier web API as long as the access token and refresh tokens are valid.
Be sure to configure your API to request the correct set of permissions for the Azure AD Graph API.

Edit: If you are building the token request yourself, the request your API makes to Azure AD to obtain a new token for the Graph API on behalf of the current user would be a POST against:
https://login.microsoftonline.com/{tenant-id}/oauth2/token
with the following parameters in the body (shown unencoded for readability; in practice they are of course application/x-www-form-urlencoded):
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&
requested_token_use=on_behalf_of&
assertion={access-token}&
client_id={api-client-id}&
client_secret={api-client-secret}&
resource=https://graph.windows.net&
scope=openid
where {tenant-id} is the directory identifier (domain name or GUID value), {access-token} is the access token your SPA presented to your API (the one you are exchanging for an access token for the Graph API), {api-client-id} is your API's client ID, and {api-client-secret} is the API's secret password credential.

(Note that for simplicity this example uses a password credential (client_secret) to authenticate the API, though it could just as well use an assertion signed by a client certificate.)