How to get the JWT (using OpenIdConnect) from HttpContext, and pass to Azure AD Graph API
Background
We developed an application in 2016 that authenticated using WS-Federation, to grab claims from the on-premises AD. The direction of the
-
Okay it took me a few days to work out (and some pointers from Juunas), but this is definitely doable with some slight modifications to the code here. The aforementioned being the OpenId guide from Microsoft.
I would definitely recommend reading up on your specific authentication scenario, and having a look at the relevant samples.
The above will get you in the door, but to get a JWT from the Graph API, (not to be confused with Microsoft Graph), you need to get an authentication code when you authenticate, and store it in a token cache.
You can get a usable token cache out of this sample from Microsoft (MIT License). Now, personally, I find those samples to be overly obfuscated with complicated use-cases, when really they should be outlining the basics, but that's just me. Nevertheless, these are enough to get you close.
Now for some code. Allow me to draw your attention to the 'ResponseType= CodeIdToken'.
public void ConfigureAuth(IAppBuilder app) { //Azure AD Configuration app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType); app.UseCookieAuthentication(new CookieAuthenticationOptions()); app.UseOpenIdConnectAuthentication( new OpenIdConnectAuthenticationOptions { //sets client ID, authority, and RedirectUri as obtained from web config ClientId = clientId, ClientSecret = appKey, Authority = authority, RedirectUri = redirectUrl, //page that users are redirected to on logout PostLogoutRedirectUri = redirectUrl, //scope - the claims that the app will make Scope = OpenIdConnectScope.OpenIdProfile, ResponseType = OpenIdConnectResponseType.CodeIdToken, //setup multi-tennant support here, or set ValidateIssuer = true to config for single tennancy TokenValidationParameters = new TokenValidationParameters() { ValidateIssuer = true, //SaveSigninToken = true }, Notifications = new OpenIdConnectAuthenticationNotifications { AuthenticationFailed = OnAuthenticationFailed, AuthorizationCodeReceived = OnAuthorizationCodeReceived, } } ); }When the above parameter is supplied, the following code will run when you authenticate:
private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification context) { var code = context.Code; ClientCredential cred = new ClientCredential(clientId, appKey); string userObjectId = context.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value; AuthenticationContext authContext = new AuthenticationContext(authority, new NaiveSessionCache(userObjectId)); // If you create the redirectUri this way, it will contain a trailing slash. // Make sure you've registered the same exact Uri in the Azure Portal (including the slash). Uri uri = new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)); AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(code, uri, cred, "https://graph.windows.net"); }This will supply your token cache with a code that you can pass to the Graph API. From here, we can attempt to authenticate with the Graph API.
string path = "https://graph.windows.net/me?api-version=1.6"; string tenant = System.Configuration.ConfigurationManager.AppSettings["Tenant"]; string userObjectId = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value; string resource = "https://graph.windows.net"; AuthenticationResult result = null; string authority = String.Format(System.Globalization.CultureInfo.InvariantCulture, System.Configuration.ConfigurationManager.AppSettings["Authority"], tenant); ClientCredential cc = new ClientCredential(ConfigurationManager.AppSettings["ClientId"], ConfigurationManager.AppSettings["ClientSecret"]); AuthenticationContext auth = new AuthenticationContext(authority, new NaiveSessionCache(userObjectId)); try { result = await auth.AcquireTokenSilentAsync(resource, ConfigurationManager.AppSettings["ClientId"], new UserIdentifier(userObjectId, UserIdentifierType.UniqueId)).ConfigureAwait(false); } catch (AdalSilentTokenAcquisitionException e) { result = await auth.AcquireTokenAsync(resource, cc, new UserAssertion(userObjectId)); }Once you have the authentication token, you can pass it to the Graph API via Http Request (this is the easy part).
HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(path); request.Method = "GET"; request.Headers.Set(HttpRequestHeader.Authorization, "Bearer " + result.AccessToken); WebResponse response = request.GetResponse(); System.IO.Stream dataStream = response.GetResponseStream();From here, you have a datastream that you can pass into a stream reader, get the JSON out of, and do whatever you want with. In my case, I'm simply looking for user data that's in the directory, but is not contained in the default claims that come out of Azure AD Authentication. So in my case, the URL I'm calling is
"https://graph.windows.net/me?api-version=1.6"If you need to do a deeper dive on your directory, I'd recommend playing with the Graph Explorer. That will help you structure your API calls. Now again, I find the Microsoft documentation a little obtuse (go look at the Twilio API if you want to see something slick). But it's actually not that bad once you figure it out.
讨论(0)
加载中...
- 热议问题