在 MVC 应用程序中获取访问令牌
Get access token in MVC application
我正在尝试检索访问令牌以便我可以存储它,并稍后将它传递给 ExchangeService。
Startup.Auth 看起来像这样:
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = authority,
UseTokenLifetime = false,
/*
* Skipping the Home Realm Discovery Page in Azure AD
* http://www.cloudidentity.com/blog/2014/11/17/skipping-the-home-realm-discovery-page-in-azure-ad/
*/
Notifications = new OpenIdConnectAuthenticationNotifications
{
RedirectToIdentityProvider = OpenIdConnectNotification.RedirectToIdentityProvider,
MessageReceived = OpenIdConnectNotification.MessageReceived,
SecurityTokenReceived = OpenIdConnectNotification.SecurityTokenReceived,
SecurityTokenValidated = OpenIdConnectNotification.SecurityTokenValidated,
AuthorizationCodeReceived = OpenIdConnectNotification.AuthorizationCodeReceived,
AuthenticationFailed = OpenIdConnectNotification.AuthenticationFailed
},
});
然后在 SecurityTokenValidated 中我这样做了:
public static async Task<Task> SecurityTokenValidated(SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
{
string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
var authContext = new AuthenticationContext(aadInstance + "/oauth2/token", false);
var authResult =await authContext.AcquireTokenByAuthorizationCodeAsync(context.ProtocolMessage.Code,
new Uri(aadInstance), new ClientAssertion(clientId, "5a95f1c6be7bf3c61f6392ec84ddd044acef61d9"));
var accessToken = authResult.Result.AccessToken;
context.AuthenticationTicket.Identity.AddClaim(new Claim("access_token", accessToken));
return Task.FromResult(0);
}
我没有收到任何错误,但应用程序在这一行挂起:
var accessToken = authResult.Result.AccessToken;
ClientAssertion 是使用我在 IIS 中安装的 SSL 证书的指纹构建的,不确定证书的类型是否错误...
更新:
我更新了 SecurityTokenValidated 以反映 Saca 的评论,但我以这种方式收到 "AADSTS50027: Invalid JWT token. Token format not valid" 错误。
我也试过这段代码:
string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
var authContext = new AuthenticationContext(aadInstance, false);
var cert = new X509Certificate2("...", "...");
var cacert = new ClientAssertionCertificate(clientId, cert);
var authResult = await authContext.AcquireTokenByAuthorizationCodeAsync(context.ProtocolMessage.Code, new Uri(aadInstance), cacert);
var accessToken = authResult.AccessToken;
context.AuthenticationTicket.Identity.AddClaim(new Claim("access_token", accessToken));
return Task.FromResult(0);
但是这样我得到 "AADSTS70002: Error validating credentials. AADSTS50012: Client assertion contains an invalid signature."
应用程序挂起,因为您通过访问 authResult 的 .Result 阻止了异步任务的结果。
您应该将其更改为:
public static async Task SecurityTokenValidated(SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
{
string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
var authContext = new AuthenticationContext(aadInstance + "/oauth2/token", false);
var authResult = await authContext.AcquireTokenByAuthorizationCodeAsync(context.ProtocolMessage.Code,
new Uri(aadInstance), new ClientAssertion(clientId, "5a95f1c6be7bf3c61f6392ec84ddd044acef61d9"));
var accessToken = authResult.AccessToken;
context.AuthenticationTicket.Identity.AddClaim(new Claim("access_token", accessToken));
}
我设法像这样获得了访问令牌:
public static async Task<Task> SecurityTokenValidated(SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
{
string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
string clientSecret = ConfigurationManager.AppSettings["ida:ClientSecret"];
string source = ConfigurationManager.AppSettings["ExchangeOnlineId"];
var authContext = new AuthenticationContext(aadInstance, false);
var credentials = new ClientCredential(clientId, clientSecret);
var appRedirectUrl = context.Request.Scheme + "://" + context.Request.Host + context.Request.PathBase + "/";
var authResult = await authContext.AcquireTokenByAuthorizationCodeAsync(context.ProtocolMessage.Code, new Uri(appRedirectUrl), credentials, source);
var accessToken = authResult.AccessToken;
var applicationUserIdentity = new ClaimsIdentity(context.OwinContext.Authentication.User.Identity);
applicationUserIdentity.AddClaim(new Claim("AccessToken", accessToken));
context.OwinContext.Authentication.User.AddIdentity(applicationUserIdentity);
return Task.FromResult(0);
}
最初我想使用 ClientAssertion,这样我就不必公开客户端 Secret,但是管理证书的工作量太大了...
我正在尝试检索访问令牌以便我可以存储它,并稍后将它传递给 ExchangeService。 Startup.Auth 看起来像这样:
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = authority,
UseTokenLifetime = false,
/*
* Skipping the Home Realm Discovery Page in Azure AD
* http://www.cloudidentity.com/blog/2014/11/17/skipping-the-home-realm-discovery-page-in-azure-ad/
*/
Notifications = new OpenIdConnectAuthenticationNotifications
{
RedirectToIdentityProvider = OpenIdConnectNotification.RedirectToIdentityProvider,
MessageReceived = OpenIdConnectNotification.MessageReceived,
SecurityTokenReceived = OpenIdConnectNotification.SecurityTokenReceived,
SecurityTokenValidated = OpenIdConnectNotification.SecurityTokenValidated,
AuthorizationCodeReceived = OpenIdConnectNotification.AuthorizationCodeReceived,
AuthenticationFailed = OpenIdConnectNotification.AuthenticationFailed
},
});
然后在 SecurityTokenValidated 中我这样做了:
public static async Task<Task> SecurityTokenValidated(SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
{
string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
var authContext = new AuthenticationContext(aadInstance + "/oauth2/token", false);
var authResult =await authContext.AcquireTokenByAuthorizationCodeAsync(context.ProtocolMessage.Code,
new Uri(aadInstance), new ClientAssertion(clientId, "5a95f1c6be7bf3c61f6392ec84ddd044acef61d9"));
var accessToken = authResult.Result.AccessToken;
context.AuthenticationTicket.Identity.AddClaim(new Claim("access_token", accessToken));
return Task.FromResult(0);
}
我没有收到任何错误,但应用程序在这一行挂起:
var accessToken = authResult.Result.AccessToken;
ClientAssertion 是使用我在 IIS 中安装的 SSL 证书的指纹构建的,不确定证书的类型是否错误...
更新: 我更新了 SecurityTokenValidated 以反映 Saca 的评论,但我以这种方式收到 "AADSTS50027: Invalid JWT token. Token format not valid" 错误。 我也试过这段代码:
string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
var authContext = new AuthenticationContext(aadInstance, false);
var cert = new X509Certificate2("...", "...");
var cacert = new ClientAssertionCertificate(clientId, cert);
var authResult = await authContext.AcquireTokenByAuthorizationCodeAsync(context.ProtocolMessage.Code, new Uri(aadInstance), cacert);
var accessToken = authResult.AccessToken;
context.AuthenticationTicket.Identity.AddClaim(new Claim("access_token", accessToken));
return Task.FromResult(0);
但是这样我得到 "AADSTS70002: Error validating credentials. AADSTS50012: Client assertion contains an invalid signature."
应用程序挂起,因为您通过访问 authResult 的 .Result 阻止了异步任务的结果。
您应该将其更改为:
public static async Task SecurityTokenValidated(SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
{
string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
var authContext = new AuthenticationContext(aadInstance + "/oauth2/token", false);
var authResult = await authContext.AcquireTokenByAuthorizationCodeAsync(context.ProtocolMessage.Code,
new Uri(aadInstance), new ClientAssertion(clientId, "5a95f1c6be7bf3c61f6392ec84ddd044acef61d9"));
var accessToken = authResult.AccessToken;
context.AuthenticationTicket.Identity.AddClaim(new Claim("access_token", accessToken));
}
我设法像这样获得了访问令牌:
public static async Task<Task> SecurityTokenValidated(SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
{
string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
string clientSecret = ConfigurationManager.AppSettings["ida:ClientSecret"];
string source = ConfigurationManager.AppSettings["ExchangeOnlineId"];
var authContext = new AuthenticationContext(aadInstance, false);
var credentials = new ClientCredential(clientId, clientSecret);
var appRedirectUrl = context.Request.Scheme + "://" + context.Request.Host + context.Request.PathBase + "/";
var authResult = await authContext.AcquireTokenByAuthorizationCodeAsync(context.ProtocolMessage.Code, new Uri(appRedirectUrl), credentials, source);
var accessToken = authResult.AccessToken;
var applicationUserIdentity = new ClaimsIdentity(context.OwinContext.Authentication.User.Identity);
applicationUserIdentity.AddClaim(new Claim("AccessToken", accessToken));
context.OwinContext.Authentication.User.AddIdentity(applicationUserIdentity);
return Task.FromResult(0);
}
最初我想使用 ClientAssertion,这样我就不必公开客户端 Secret,但是管理证书的工作量太大了...