How can I silently get an access token to retrieve information about currently logged in user from the windows graph API?


Question


I'm trying to write a desktop application that, on start-up, retrieves information about the currently logged-in user from the Graph API and customises some settings based on those results. I don't want the user to have to type in their login details twice every time they log in, so I would like to be able to do this silently. My application has been given admin permissions in Azure AD.

I've tried a few different methods. The first is using client credentials as described here https://learn.microsoft.com/en-us/graph/auth-v2-service?tabs=http this gives me a token but I can't use the token on the /me endpoint as it isn't linked to a particular user. If there was a way I could retrieve the ID of the currently logged in user then this would be fine as I could look them up; but I can't find a way to do this.

The other approach is the delegated flow. However, this seems to always require user interaction that I can't find a way to override, even as an admin.

I have also tried the Web Account Manager https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-desktop-acquire-token-wam but this won't work without UI on some of my test accounts (but does seem to on others?).

Answer 1

Score: 1


The approach that is now working for me is the Web Account Manager.

https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-desktop-acquire-token-wam

The reason it wasn't working before is that the test accounts didn't have Windows Hello set up, which meant they violated the organisation's security policy. The token generated with the method at the link allows querying the Graph /me endpoint as needed.
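The silent-first, prompt-on-demand pattern the answer relies on, written out as an added example (not the answerer's code or the linked Microsoft sample): MSAL.NET with the Windows broker (WAM) tries the signed-in Windows account silently, and only falls back to an interactive request when the broker reports that the tenant's policy (for instance the Windows Hello requirement mentioned above) or the account state requires a prompt. The client ID, the `organizations` authority and the parent window handle are assumptions; the NuGet packages Microsoft.Identity.Client and Microsoft.Identity.Client.Broker are required.

```csharp
// Added example: silent WAM token acquisition with interactive fallback, then Graph /me.
// ClientId is a placeholder; parentWindowHandle is the caller's top-level window (assumption).
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Broker;

public static class GraphMe
{
    // Placeholder: replace with the application (client) ID of your app registration.
    private const string ClientId = "00000000-0000-0000-0000-000000000000";
    // Least privilege: /me only needs the delegated User.Read permission.
    private static readonly string[] Scopes = { "User.Read" };

    public static async Task<string> GetMeJsonAsync(IntPtr parentWindowHandle)
    {
        IPublicClientApplication app = PublicClientApplicationBuilder
            .Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, "organizations")
            // Broker redirect URI; must also be registered on the app in Azure AD.
            .WithRedirectUri($"ms-appx-web://microsoft.aad.brokerplugin/{ClientId}")
            .WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows))
            .Build();

        AuthenticationResult result;
        try
        {
            // Silent path: the broker uses the Windows session account without a prompt
            // when the account state and the tenant's policy allow it.
            result = await app.AcquireTokenSilent(Scopes, PublicClientApplication.OperatingSystemAccount)
                              .ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            // Policy (e.g. Conditional Access requiring Windows Hello / MFA) or a missing
            // account means a prompt is mandatory; show it rather than trying to bypass it.
            result = await app.AcquireTokenInteractive(Scopes)
                              .WithParentActivityOrWindow(parentWindowHandle)
                              .ExecuteAsync();
        }

        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", result.AccessToken);
        using var response = await http.GetAsync("https://graph.microsoft.com/v1.0/me");
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }
}
```

Because the token is delegated to the signed-in user, /me resolves correctly, which the client-credentials token from the question could not do.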

huangapple
  • This post was published on 24 July 2023 at 16:36:44
  • Please keep this link when reposting: https://go.coder-hub.com/76752717.html