问题描述
我有一个与WebAPI通讯的Angular应用程序,并且用户已针对Azure Active Directory进行了身份验证
I have an Angular application that talks to the WebAPI and the users are authenticated against Azure Active Directory
我在这里遵循了示例 https://github.com/Azure-Samples/active-directory-angularjs-singlepageapp-dotnet-webapi 并能够根据AD对用户进行身份验证并将其传递到Web API.
I followed the sample here https://github.com/Azure-Samples/active-directory-angularjs-singlepageapp-dotnet-webapi and was able to authenticate user against AD and pass that along to the Web API.
但是,我想访问Web API中的Graph API并获取当前的用户配置文件信息.我该如何设置?
However I want to access the Graph API in the Web API and get the current user profile information. How can I set it up?
已更新以提供有关设置的更多上下文:
我有一个网站(site.domain1.com),该网站托管构成SPA应用程序的html和javascript文件.我在api.domain2.com上托管了Web API.使用带有ADAL.js和angular-adal的OAuth隐式流针对Azure AD进行身份验证.我想在SPA中进行身份验证以获得API的accessToken.我想在API中查询Graph API,以获取有关当前登录用户的更多信息.
I have a web site (site.domain1.com) that hosts html and javascript files which makes a SPA application. I have Web API hosted on api.domain2.com. The authentication is against Azure AD using OAuth implicit flow with ADAL.js and angular-adal. I want to authenticate in SPA to get the accessToken for the API. And I want in the API as the part of the request to query Graph API to get more information about current user logged in.
我能够获取API的accessToken,并且它当前会生成Claims Principal.问题是使用Web API中的当前身份查询Graph API.
I'm able to get the accessToken for the API and it produces the Claims Principal currently. The problem is to query the Graph API with the current identity I have in the Web API.
更新:
我不想将管理权限授予Web API,而是希望将用户对读取用户个人资料"的同意从浏览器转发到网站和Web api.
I don't want to give Admin Privileges to the Web API but I rather want to forward the user consent for just the 'Read user profile" from browser to the web site and to the web api.
我使用了与代表样本"类似的方法,位于此处 https://github.com/Azure-Samples/active-directory-dotnet-webapi-onbehalfof
I used similar approach to On Behalf Of sample located here https://github.com/Azure-Samples/active-directory-dotnet-webapi-onbehalfof
该问题适用于我的测试广告,不适用于生产广告.说用户需要在使用Graph Api之前对App进行集中操作.(对于AD产品,我只有用户可以添加用户权限,但不能添加应用程序权限.我的猜测是该方案有效,我需要首先对AD进行全局管理).最终,我最终将用于Web站点和Web API的Azure AD应用程序合并在一起,并且它与具有Bootstrap令牌的相同代表方法一起使用.但是我想知道如何使其在2个应用程序中正常工作.
The problem that it worked for my test AD and didn't work for production AD. Saying that user needs to concent the App before using the Graph Api.(For prodution AD I only had user could add user privileges but not the application privileges. My guess is for that scheme to work I needed Global Admin of the AD to concent first). Eventually I ended up merging Azure AD applications for Web Site and Web API together and it worked with the same On Behalf Of approach with Bootstrap Tokens. But I want to know how to make it work properly with 2 Applications.
推荐答案
所以我知道这是一个旧的,但是我遇到了同样的问题/设置,所以我碰到了它.进行了一些挖掘,但我认为此链接可能会帮助那些遇到相同问题的人.
So I know this is an old one, but I just ran across it because I have the same issue / setup. It took some digging but I think this link might help any of those out there with the same issue.
https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapi-onbehalfof/
这同时使用WPF客户端和具有单独API的SPA,并从Web API(而不是spa或客户端)调用Graph API.
This uses both a WPF client and a SPA with a separate API and calls to the Graph API from the web API not the spa or client.
祝你好运.
这篇关于如何从SPA应用程序中的Web API访问Graph API的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!