在文件上使用cer或pfx从Microsoft Graph端点获取身份验证令牌

编程问答 2023-06-14

问题描述

我正在尝试使用我使用自签名创建的cer / pfx证书从Graph Endpoint获取身份验证令牌。我已将证书放置在文件系统上。这是我正在使用的代码

    using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Diagnostics;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

namespace DAL_HTTP
{
    public class MSGraphAuth
    {
        public string _tenantId;
        public string _clientId;
        public string _certificateThumbprint;
        public string _debugCertificatePath;
        public string _debugCertificatePassword;

        public MSGraphAuth()
        {
            string TenantName = "testtenant.onmicrosoft.com";
            string TenantId = "<tenantid>";
            string ClientID = "<appid>";
            string AuthenticationContextURL = "https://login.microsoftonline.com/testtenant.onmicrosoft.com";
            string AcquiretokenURL = "https://graph.microsoft.com";
            string ClientKey = "*********";
            string certificateFilePath = @"D:\folder\test.onmicrosoft.com.pfx";
            string certificatePassword = "*******";

            _tenantId = TenantId;
            _clientId = ClientID;
            _certificateThumbprint = GetCertificateThumprint(certificateFilePath,certificatePassword);
            _debugCertificatePath = certificateFilePath;
            _debugCertificatePassword = certificatePassword;

        }

        public string GetCertificateThumprint(string certificateFilePath,string certPassword)
        {
            X509Certificate2 cert = new X509Certificate2(certificateFilePath,certPassword);

            return cert.Thumbprint;
        }

        public async Task<string> GetAccesstokenAsync(string url)
        {
            url = GetTenantUrl(url);

            var authContext = new AuthenticationContext($"https://login.microsoftonline.com/{_tenantId}/oauth2/token"); // you can also use the v2.0 endpoint URL

            return (await authContext.AcquiretokenAsync(url,GetCertificate(_clientId,_certificateThumbprint))).Accesstoken;
        }

        public static string GetTenantUrl(string url)
        {
            const string suffix = "sharepoint.com";
            var index = url.IndexOf(suffix,StringComparison.OrdinalIgnoreCase);
            return index != -1 ? url.Substring(0,index + suffix.Length) : url;
        }

        public ClientAssertionCertificate GetCertificate(string clientId,string thumbprint)
        {
            var certificate = GetCertificateFromDirectory(_debugCertificatePath,_debugCertificatePassword);
            return new ClientAssertionCertificate(clientId,certificate);
        }

        public static X509Certificate2 GetCertificateFromDirectory(string path,string password)
        {
            return new X509Certificate2(System.IO.Path.GetFullPath(path),password,X509KeyStorageFlags.DefaultKeySet);
        }

        private static X509Certificate2 GetCertificateFromStore(string thumbprint)
        {
            var store = new X509Store(StoreName.My,StoreLocation.CurrentUser);

            store.Open(OpenFlags.ReadOnly);

            var certificates = store.Certificates.Find(X509FindType.FindByThumbprint,thumbprint,false);

            store.Close();

            return certificates[0];
        }
    }
}

但是,我在此行出现错误

return (await authContext.AcquiretokenAsync(url,_certificateThumbprint))).Accesstoken;

错误消息显示为:

类型的未处理异常 'Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException' 发生在mscorlib.dll

其他信息:AADSTS90002:找不到租户“令牌”。这个 如果租户没有活动订阅,则可能会发生。检查一下 确保您具有正确的租户ID。检查你的 订阅管理员

跟踪ID:c9d3eac6-77e0-4f56-8c96-ac924ff90700

相关ID:e90027e1-cbcb-4291-9630-984c5c23757d

时间戳:2020-08-14 17:11:34Z

我一直在关注这两篇文章,但仍然无法正常工作。

https://laurakokkarinen.com/authenticating-to-office-365-apis-with-a-certificate-step-by-step/comment-page-2/#comment-697

How to use Microsoft Graph API with Certificates (INTUNE)

我在做什么错?请帮忙。

解决方法

您似乎没有获得想要的令牌,请尝试将此官方sample与证书一起使用。

它使用客户端凭据流来获取访问令牌,该访问令牌可用于调用Microsoft Graph和访问组织数据。该示例同时使用证书和客户端机密,您可以只使用证书。

private static async Task RunAsync()
    {
        AuthenticationConfig config = AuthenticationConfig.ReadFromJsonFile("appsettings.json");

        // Even if this is a console application here,a daemon application is a confidential client application
        IConfidentialClientApplication app;

        X509Certificate2 certificate = ReadCertificate(config.CertificateName);
        app = ConfidentialClientApplicationBuilder.Create(config.ClientId)
             .WithCertificate(certificate)
             .WithAuthority(new Uri(config.Authority))
             .Build();
        

        // With client credentials flows the scopes is ALWAYS of the shape "resource/.default",as the 
        // application permissions need to be set statically (in the portal or by PowerShell),and then granted by
        // a tenant administrator. 
        string[] scopes = new string[] { $"{config.ApiUrl}.default" }; 
        
        AuthenticationResult result = null;
        try
        {
            result = await app.AcquireTokenForClient(scopes)
                .ExecuteAsync();
            Console.ForegroundColor = ConsoleColor.Green;
            Console.WriteLine("Token acquired");
            Console.ResetColor();
        }
        catch (MsalServiceException ex) when (ex.Message.Contains("AADSTS70011"))
        {
            // Invalid scope. The scope has to be of the form "https://resourceurl/.default"
            // Mitigation: change the scope to be as expected
            Console.ForegroundColor = ConsoleColor.Red;
            Console.WriteLine("Scope provided is not supported");
            Console.ResetColor();
        }

        if (result != null)
        {
            var httpClient = new HttpClient();
            var apiCaller = new ProtectedApiCallHelper(httpClient);
            await apiCaller.CallWebApiAndProcessResultASync($"{config.ApiUrl}v1.0/users",result.AccessToken,Display);
        }
    }
azureazurec#c#microsoft-graph-apimicrosoft-graph-sdksx509certificate2