如果已通过身份验证，则获取Azure AD Graph令牌_Azure_Authentication_Authorization_Azure Active Directory_Azure Ad Graph Api

如果已通过身份验证，则获取Azure AD Graph令牌

azure authentication azure-active-directory

如果已通过身份验证，则获取Azure AD Graph令牌,azure,authentication,authorization,azure-active-directory,azure-ad-graph-api,Azure,Authentication,Authorization,Azure Active Directory,Azure Ad Graph Api,我对Azure AD Graph和身份验证过程非常陌生。我能够使用Azure AD Graph客户端进行单一登录，如本例中使用.NET MVC应用程序所示：我的困境是，即使我已经验证了我的会话，它仍然要求我再次登录以执行以下控制器中的操作： public ActionResult Test() { if (Request.QueryString["reauth"] == "True") { //Send an OpenID Connect sign -in r

我对Azure AD Graph和身份验证过程非常陌生。我能够使用Azure AD Graph客户端进行单一登录，如本例中使用.NET MVC应用程序所示：

我的困境是，即使我已经验证了我的会话，它仍然要求我再次登录以执行以下控制器中的操作：

public ActionResult Test()
{
    if (Request.QueryString["reauth"] == "True")
    {

        //Send an OpenID Connect sign -in request to get a new set of tokens.
        // If the user still has a valid session with Azure AD, they will not be prompted for their credentials.
        // The OpenID Connect middleware will return to this controller after the sign-in response has been handled.


        HttpContext.GetOwinContext()
            .Authentication.Challenge(OpenIdConnectAuthenticationDefaults.AuthenticationType);
}

// Access the Azure Active Directory Graph Client
ActiveDirectoryClient client = AuthenticationHelper.GetActiveDirectoryClient();

    // Obtain the current user's AD objectId
    string userObjectID = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;

    // Query and obtain the current user object from the Azure AD Graph Client
    User user = (User)client.Users.
        Where(u => u.ObjectId
        .Equals(userObjectID, StringComparison.CurrentCultureIgnoreCase)).
        ExecuteSingleAsync().
        Result;

    // Get the employee Id from Azure AD (via a directory extension)
    IReadOnlyDictionary<string, object> extendedProperty = user.GetExtendedProperties();
    object extendedProp = extendedProperty["extension_ExtensionId_employeeID"];


    // Hash the employee Id
    var empId = PasswordHash.ArgonHashString(extendedProp.ToString(), PasswordHash.StrengthArgon.Moderate);
    // Send to the view for testing only
    ViewBag.EmployeeName = user.DisplayName;
    ViewBag.EmployeeEmail = user.Mail;
    ViewBag.EmployeeId = empId;

    return View();
}

由于我对身份验证部分还比较陌生，所以我需要一些关于如何获取当前会话令牌的指导，以避免出现此错误

我之所以使用Azure AD Graph，是因为我在Azure中获得了一个特定的目录扩展名，而我无法通过Microsoft Graph获得该扩展名（目前基于我当前的截止日期）

任何建议都会有帮助。

如果令牌为空，用户需要重新授权。如中所示，您可以使用try-catch语句来处理异常：

            try
            {

            }
            catch (Exception e)
            {                        
                //
                // The user needs to re-authorize.  Show them a message to that effect.
                //
                ViewBag.ErrorMessage = "AuthorizationRequired";
                return View(userList);
            }

向用户显示消息（例如，在用户视图文件夹中）：

如果用户仍然拥有与Azure AD的有效会话，则不会提示他们输入凭据。处理登录响应后，OpenID Connect中间件将返回到当前控制器。

谢谢您的建议！我在工作日结束时就这样做了，并让用户重新定向以重新授权应用程序。我意识到有两件事正在进行——单点登录是对用户进行身份验证，而LINQ查询是对Azure AD graph API请求特定授权。我的解释是，身份验证提供了对应用程序的访问，而授权部分为特定资源提供了特定的委托权限。

            try
            {

            }
            catch (Exception e)
            {                        
                //
                // The user needs to re-authorize.  Show them a message to that effect.
                //
                ViewBag.ErrorMessage = "AuthorizationRequired";
                return View(userList);
            }

@if (ViewBag.ErrorMessage == "AuthorizationRequired")
{
    <p>You have to sign-in to see Users. Click @Html.ActionLink("here", "Index", "Users", new { reauth = true }, null) to sign-in.</p>
}

           catch (Exception e)
            {
              ....

             HttpContext.GetOwinContext()
                .Authentication.Challenge(new AuthenticationProperties {RedirectUri = "/"},
                    OpenIdConnectAuthenticationDefaults.AuthenticationType);
               .....
            }