我正在尝试将 Microsoft Graph 设置配置为从用户配置文件中读取,但没有取得太大成功。我正在使用 Blazor Server .NET 7 应用程序。
我在 Azure 门户中注册了一个应用程序。
在我的应用程序设置中,我有:
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "mydomain",
"TenantId": "mytenantId",
"ClientId": "myClientId",
"CallbackPath": "/signin-oidc",
"ClientSecret": "mySecret"
},
"DownstreamApi": {
"BaseUrl": "https://graph.microsoft.com/beta",
"Scopes": "user.read"
},
在 Program.CS 中,我有以下内容:
string[] initialScopes = builder.Configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(' ');
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
.EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
.AddMicrosoftGraph(builder.Configuration.GetSection("DownstreamApi"))
.AddInMemoryTokenCaches();
//builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
// .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));
builder.Services.AddControllersWithViews(options =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
});
builder.Services.AddAuthorization(options =>
{
options.FallbackPolicy = options.DefaultPolicy;
});
// Add services to the container.
builder.Services.AddRazorPages().AddMicrosoftIdentityUI();
builder.Services.AddServerSideBlazor().AddMicrosoftIdentityConsentHandler();
当我在本地运行应用程序并尝试登录时,出现错误:
MsalServiceException: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS700025: Client is public so neither 'client_assertion' nor 'client_secret' should be presented.
我有点困惑,因为根据 Microsoft 的文档,我需要客户端 key 才能使用 GraphApi。
此外,如果我删除:
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
.EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
.AddMicrosoftGraph(builder.Configuration.GetSection("DownstreamApi"))
.AddInMemoryTokenCaches();
来自 Program.cs 并只需使用:
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));
登录/退出工作正常。
对于我的代码或 Azure 门户中缺少的内容有什么帮助吗?
最佳答案
如果您使用公共(public)客户端应用程序并传递 client_secret 来生成访问 token ,通常会出现错误“AADSTS700025:客户端是公共(public)的,因此不应显示 'client_assertion' 和 'client_secret'”。
InvalidClientPublicClientWithCredential - 客户端是公开的,因此不应显示“client_assertion”和“client_secret”。( https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-error-codes )
删除 TokenAcquisition 代码后,代码会正常工作
请参阅下面的类似问题。
关于c# - Microsoft Graph API 和 Azure AD SSO 的问题,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/76886078/