如何使用证书与Graph API获取用户所属的群组

huangapple go评论113阅读模式
英文:

How to use certificate with Graph API to get Groups user belongs to

问题

有人可以向我展示如何在ASP.NET Core 7中获取当前登录用户所属的组名吗?

请注意,我正在使用证书而不是客户端秘密来访问Azure AD。我找到的大多数示例都使用客户端秘密,但没有一个示范如何使用证书来实现这一点。

英文:

Can someone show me how to get group names that currently signed in user belong to in ASP.NET Core 7 ?

Note that I'm using a certificate and not client secret to access Azure AD. Most of the examples I've come across are using client secret but none show how to do this using a certificate.

答案1

得分: 1

我使用 PowerShell 创建了一个自签名证书:

$certname = "testruk"
$cert = New-SelfSignedCertificate -Subject "CN=$certname" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256
Export-Certificate -Cert $cert -FilePath "C:/test/$certname.cer"

如何使用证书与Graph API获取用户所属的群组

现在,将上面的证书导出为 .pfx 格式:

$mypwd = ConvertTo-SecureString -String "password" -Force -AsPlainText 
Export-PfxCertificate -Cert $cert -FilePath "C:/test/$certname.pfx" -Password $mypwd 

如何使用证书与Graph API获取用户所属的群组

我创建了一个Azure AD应用程序并上传了**.cer**证书:

如何使用证书与Graph API获取用户所属的群组

并授予了API权限:

如何使用证书与Graph API获取用户所属的群组

为了使用证书对 Azure AD 应用程序进行身份验证,我使用了以下代码:

using Microsoft.Identity.Client;
using System.Security.Cryptography.X509Certificates;

X509Certificate2 certificate = new X509Certificate2("C:\\Users\\**\\Desktop\\testruk.pfx", "password");

string authority = "https://login.microsoftonline.com/TenantID";
string clientId = "ClientID";
string[] scopes = new string[] { "https://graph.microsoft.com/.default" };

IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
    .Create(clientId)
    .WithAuthority(authority)
    .WithCertificate(certificate)
    .Build();

var authRequestUrl = confidentialClientApplication.GetAuthorizationRequestUrl(scopes);
string authorizationCode = "AuthorizationCodeFromRedirect";
AuthenticationResult authResult = await confidentialClientApplication.AcquireTokenByAuthorizationCode(scopes, authorizationCode).ExecuteAsync();

Console.WriteLine("Access token: {0}", authResult.AccessToken);

成功生成访问令牌:

如何使用证书与Graph API获取用户所属的群组

当我解码访问令牌时,显示了范围(scopes)

如何使用证书与Graph API获取用户所属的群组

通过使用上面生成的访问令牌,您可以调用 Microsoft Graph API。

作为示例,我使用 Postman 列出了使用上面生成的访问令牌的登录用户的详细信息:

https://graph.microsoft.com/v1.0/me/memberOf

如何使用证书与Graph API获取用户所属的群组

参考链接:

List a user's direct memberships - Microsoft Graph v1.0

英文:

I created an Self-Signed certificate using PowerShell:

$certname = "testruk"    
$cert = New-SelfSignedCertificate -Subject "CN=$certname" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256
Export-Certificate -Cert $cert -FilePath "C:/test/$certname.cer"

如何使用证书与Graph API获取用户所属的群组

Now, export the above certificate to .pfx:

$mypwd = ConvertTo-SecureString -String "password" -Force -AsPlainText 
Export-PfxCertificate -Cert $cert -FilePath "C:/test/$certname.pfx" -Password $mypwd 

如何使用证书与Graph API获取用户所属的群组

I created an Azure AD Application and uploaded the .cer certificate:

如何使用证书与Graph API获取用户所属的群组

And granted API permissions:

如何使用证书与Graph API获取用户所属的群组

To authenticate to the Azure AD Application using certificate, I used the below code:

using Microsoft.Identity.Client;  
using System.Security.Cryptography.X509Certificates;

X509Certificate2 certificate = new X509Certificate2("C:\\Users\\**\\Desktop\\testruk.pfx", "password");

string authority = "https://login.microsoftonline.com/TenantID";
string clientId = "ClientID"; /
string[] scopes = new string[] { "https://graph.microsoft.com/.default"};


IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder  
.Create(clientId)  
.WithAuthority(authority)  
.WithCertificate(certificate)  
.Build();

var authRequestUrl = confidentialClientApplication.GetAuthorizationRequestUrl(scopes);
string authorizationCode = "AuthorizationCodeFromRedirect";
AuthenticationResult authResult = await confidentialClientApplication.AcquireTokenByAuthorizationCode(scopes, authorizationCode).ExecuteAsync();
  
Console.WriteLine("Access token: {0}", authResult.AccessToken);

The Access token generated successfully:

如何使用证书与Graph API获取用户所属的群组

When I decoded the access token, the scopes are displayed:

如何使用证书与Graph API获取用户所属的群组

By using the above access token, you can call the Microsoft Graph API.

For sample, I used Postman to list the details of signed-in user using the above generated access token:

https://graph.microsoft.com/v1.0/me/memberOf

如何使用证书与Graph API获取用户所属的群组

Reference:

List a user's direct memberships - Microsoft Graph v1.0

huangapple
  • 本文由 发表于 2023年7月28日 00:21:18
  • 转载请务必保留本文链接:https://go.coder-hub.com/76781696.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定