Fatal编程技术网
  • openid/
  • Openid 如何使用B2C当前登录的用户&x27;访问Microsoft Graph API;国书

Openid 如何使用B2C当前登录的用户&x27;访问Microsoft Graph API;国书

openid microsoft-graph-api azure-ad-b2c

Openid 如何使用B2C当前登录的用户&x27;访问Microsoft Graph API;国书,openid,microsoft-graph-api,azure-ad-b2c,Openid,Microsoft Graph Api,Azure Ad B2c,我有一个定义了策略的Azure Active Directory B2C,并在B2C刀片服务器中注册了一个应用程序。我可以在.NET web应用程序中使用OWIN管道将用户签名到应用程序中。但是,该用户似乎无法使用AAD B2C返回的JWT访问Graph API 第一个问题似乎是可用的作用域。在我的应用程序的Startup.Auth.cs中的OWIN设置中,我有以下代码: private static string clientId = ConfigurationManager.

我有一个定义了策略的Azure Active Directory B2C,并在B2C刀片服务器中注册了一个应用程序。我可以在.NET web应用程序中使用OWIN管道将用户签名到应用程序中。但是,该用户似乎无法使用AAD B2C返回的JWT访问Graph API

第一个问题似乎是可用的作用域。在我的应用程序的Startup.Auth.cs中的OWIN设置中,我有以下代码:

        private static string clientId = ConfigurationManager.AppSettings["ida:AppId"];
    private static string clientSecret = ConfigurationManager.AppSettings["ida:AppSecret"];
    private static string aadInstance = ConfigurationManager.AppSettings["ida:AadInstance"];
    private static string tenant = ConfigurationManager.AppSettings["ida:Tenant"];
    private static string redirectUri = ConfigurationManager.AppSettings["ida:RedirectUri"];
    private static string graphScopes = ConfigurationManager.AppSettings["ida:GraphScopes"];

    // B2C policy identifiers
    public static string SignUpPolicyId = ConfigurationManager.AppSettings["ida:SignUpPolicyId"];
    public static string SignInPolicyId = ConfigurationManager.AppSettings["ida:SignInPolicyId"];

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        // Configure OpenID Connect middleware for each policy
        app.UseOpenIdConnectAuthentication(CreateOptionsFromPolicy(SignUpPolicyId));
        //app.UseOpenIdConnectAuthentication(CreateOptionsFromPolicy(ProfilePolicyId));
        app.UseOpenIdConnectAuthentication(CreateOptionsFromPolicy(SignInPolicyId));
    }
在本文件后面,我有以下内容:

        private OpenIdConnectAuthenticationOptions CreateOptionsFromPolicy(string policy)
    {
        return new OpenIdConnectAuthenticationOptions
        {
            // For each policy, give OWIN the policy-specific metadata address, and
            // set the authentication type to the id of the policy
            MetadataAddress = String.Format(aadInstance, tenant, policy),
            AuthenticationType = policy,

            // These are standard OpenID Connect parameters, with values pulled from web.config
            ClientId = clientId,
            RedirectUri = redirectUri,
            PostLogoutRedirectUri = redirectUri,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = AuthenticationFailed,
            },
            Scope = "openid profile offline_access",
            ResponseType = "id_token",

            // This piece is optional - it is used for displaying the user's name in the navigation bar.
            TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "name",
                SaveSigninToken = true,
            },
        };
    }
在设置范围的地方,我尝试使用中的一个范围,以便以后访问该图。这给了我一个无效的请求错误。

不幸的是,Microsoft Graph不支持AAD B2C发行的令牌。随着时间的推移,这是我们需要解决的问题。同时,您需要从常规AAD STS(从v1或v2端点)获取令牌。请看

希望这能有所帮助,

您能否澄清Microsoft公共文档中明确指出B2C代币不能与Microsoft Graph一起使用的内容?