如何使用证书与Graph API获取用户所属的群组

huangapple
go评论159阅读模式
英文:

How to use certificate with Graph API to get Groups user belongs to

问题

有人可以向我展示如何在ASP.NET Core 7中获取当前登录用户所属的组名吗?

请注意,我正在使用证书而不是客户端秘密来访问Azure AD。我找到的大多数示例都使用客户端秘密,但没有一个示范如何使用证书来实现这一点。

英文:

Can someone show me how to get group names that currently signed in user belong to in ASP.NET Core 7 ?

Note that I'm using a certificate and not client secret to access Azure AD. Most of the examples I've come across are using client secret but none show how to do this using a certificate.

答案1

得分: 1

我使用 PowerShell 创建了一个自签名证书:

  1. $certname = "testruk"
  2. $cert = New-SelfSignedCertificate -Subject "CN=$certname" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256
  3. Export-Certificate -Cert $cert -FilePath "C:/test/$certname.cer"

如何使用证书与Graph API获取用户所属的群组

现在,将上面的证书导出为 .pfx 格式:

  1. $mypwd = ConvertTo-SecureString -String "password" -Force -AsPlainText 
  2. Export-PfxCertificate -Cert $cert -FilePath "C:/test/$certname.pfx" -Password $mypwd

如何使用证书与Graph API获取用户所属的群组

我创建了一个Azure AD应用程序并上传了**.cer**证书:

如何使用证书与Graph API获取用户所属的群组

并授予了API权限:

如何使用证书与Graph API获取用户所属的群组

为了使用证书对 Azure AD 应用程序进行身份验证,我使用了以下代码:

  1. using Microsoft.Identity.Client;
  2. using System.Security.Cryptography.X509Certificates;
  4. X509Certificate2 certificate = new X509Certificate2("C:\\Users\\**\\Desktop\\testruk.pfx", "password");
  6. string authority = "https://login.microsoftonline.com/TenantID";
  7. string clientId = "ClientID";
  8. string[] scopes = new string[] { "https://graph.microsoft.com/.default" };
  10. IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
  11.     .Create(clientId)
  12.     .WithAuthority(authority)
  13.     .WithCertificate(certificate)
  14.     .Build();
  16. var authRequestUrl = confidentialClientApplication.GetAuthorizationRequestUrl(scopes);
  17. string authorizationCode = "AuthorizationCodeFromRedirect";
  18. AuthenticationResult authResult = await confidentialClientApplication.AcquireTokenByAuthorizationCode(scopes, authorizationCode).ExecuteAsync();
  20. Console.WriteLine("Access token: {0}", authResult.AccessToken);

成功生成访问令牌:

如何使用证书与Graph API获取用户所属的群组

当我解码访问令牌时,显示了范围(scopes)

如何使用证书与Graph API获取用户所属的群组

通过使用上面生成的访问令牌,您可以调用 Microsoft Graph API。

作为示例,我使用 Postman 列出了使用上面生成的访问令牌的登录用户的详细信息:

  1. https://graph.microsoft.com/v1.0/me/memberOf

如何使用证书与Graph API获取用户所属的群组

参考链接:

List a user's direct memberships - Microsoft Graph v1.0

英文:

I created an Self-Signed certificate using PowerShell:

  1. $certname = "testruk"    
  2. $cert = New-SelfSignedCertificate -Subject "CN=$certname" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256
  3. Export-Certificate -Cert $cert -FilePath "C:/test/$certname.cer"

如何使用证书与Graph API获取用户所属的群组

Now, export the above certificate to .pfx:

  1. $mypwd = ConvertTo-SecureString -String "password" -Force -AsPlainText 
  2. Export-PfxCertificate -Cert $cert -FilePath "C:/test/$certname.pfx" -Password $mypwd

如何使用证书与Graph API获取用户所属的群组

I created an Azure AD Application and uploaded the .cer certificate:

如何使用证书与Graph API获取用户所属的群组

And granted API permissions:

如何使用证书与Graph API获取用户所属的群组

To authenticate to the Azure AD Application using certificate, I used the below code:

  1. using Microsoft.Identity.Client;  
  2. using System.Security.Cryptography.X509Certificates;
  4. X509Certificate2 certificate = new X509Certificate2("C:\\Users\\**\\Desktop\\testruk.pfx", "password");
  6. string authority = "https://login.microsoftonline.com/TenantID";
  7. string clientId = "ClientID"; /
  8. string[] scopes = new string[] { "https://graph.microsoft.com/.default"};
  11. IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder  
  12. .Create(clientId)  
  13. .WithAuthority(authority)  
  14. .WithCertificate(certificate)  
  15. .Build();
  17. var authRequestUrl = confidentialClientApplication.GetAuthorizationRequestUrl(scopes);
  18. string authorizationCode = "AuthorizationCodeFromRedirect";
  19. AuthenticationResult authResult = await confidentialClientApplication.AcquireTokenByAuthorizationCode(scopes, authorizationCode).ExecuteAsync();
  20.   
  21. Console.WriteLine("Access token: {0}", authResult.AccessToken);

The Access token generated successfully:

如何使用证书与Graph API获取用户所属的群组

When I decoded the access token, the scopes are displayed:

如何使用证书与Graph API获取用户所属的群组

By using the above access token, you can call the Microsoft Graph API.

For sample, I used Postman to list the details of signed-in user using the above generated access token:

  1. https://graph.microsoft.com/v1.0/me/memberOf

如何使用证书与Graph API获取用户所属的群组

Reference:

List a user's direct memberships - Microsoft Graph v1.0

huangapple
  • 本文由 发表于 2023年7月28日 00:21:18
  • 转载请务必保留本文链接:https://go.coder-hub.com/76781696.html
  • asp.net-core
  • azure-active-directory
  • c#
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定