asp.net-core - 缺少客户端密码或客户端证书

Question

MsalClientException:IDW10104:客户端密码和客户端证书都不能为 null 或空格，调用 Web API 时，Web 应用程序的配置中只能包含一个。例如，在 appsettings.json 文件中。

Microsoft.Identity.Web.MicrosoftIdentityOptionsValidation.ValidateEitherClientCertificateOrClientSecret(string clientSecret, IEnumerable<CertificateDescription> cert)
Microsoft.Identity.Web.TokenAcquisition.BuildConfidentialClientApplicationAsync()
Microsoft.Identity.Web.TokenAcquisition.GetOrBuildConfidentialClientApplicationAsync()
Microsoft.Identity.Web.TokenAcquisition.AddAccountToCacheFromAuthorizationCodeAsync(AuthorizationCodeReceivedContext context, IEnumerable<string> scopes)
Microsoft.Identity.Web.MicrosoftIdentityWebAppAuthenticationBuilder+<>c__DisplayClass11_1+<<WebAppCallsWebApiImplementation>b__1>d.MoveNext()
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.RunAuthorizationCodeReceivedEventAsync(OpenIdConnectMessage authorizationResponse, ClaimsPrincipal user, AuthenticationProperties properties, JwtSecurityToken jwt)
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()

这发生在通过 Azure AD 成功登录后。我也传递了客户端 secret (通过用户 secret 和 appSettings)。对于源代码引用，我使用以下示例项目:

https://github.com/damienbod/AspNetCoreUsingGraphApi

Answer 1

如果想在web app中调用AzureAD转换的web api，请引用以下步骤

1. appsettings.json

{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "ClientId": "[Client_id-of-web-app-eg-2ec40e65-ba09-4853-bcde-bcb60029e596]",
    "TenantId": "common"

   // To call an API
   "ClientSecret": "[Copy the client secret added to the app from the Azure portal]",

 },
 "MyApi": {
    "BaseUrl": "https://graph.microsoft.com/beta",
    "Scopes": "user.read"
    }
}

1. startup.cs

using Microsoft.Identity.Web;

public class Startup
{
  // ...
  public void ConfigureServices(IServiceCollection services)
  {
  // ...
  services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
          .AddMicrosoftIdentityWebApp(Configuration, "AzureAd")
            .EnableTokenAcquisitionToCallDownstreamApi(new string[]{"" })
               .AddDownstreamWebApi("MyApi", Configuration.GetSection("MyApi"))
            .AddInMemoryTokenCaches();
   // ...
  }
  // ...
}

1. 调用接口(interface)

[Authorize]
public class HomeController : Controller
{
 readonly ITokenAcquisition tokenAcquisition;

 public HomeController(ITokenAcquisition tokenAcquisition)
 {
  this.tokenAcquisition = tokenAcquisition;
 }

 [AuthorizeForScopes(Scopes = new[] { "user.read" })]
public async Task<IActionResult> Profile()
{
 // Acquire the access token.
 string[] scopes = new string[]{"user.read"};
 string accessToken = await tokenAcquisition.GetAccessTokenForUserAsync(scopes);

 // Use the access token to call a protected web API.
 HttpClient client = new HttpClient();
 client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
 string json = await client.GetStringAsync(url);
}

}

更多详情请引用here .