如何在受 WAAD 保护的 web api 2 中获取电子邮件 [英] How to fetch email in web api 2 which is secured by WAAD

问题描述

我正在使用由UseOpenIdConnectAuthentication"保护的 MVC 5 客户端并在 Claims 对象中获取所有用户详细信息，该客户端通过Bearer"身份验证令牌调用 WAAD 安全 Web Api.

I am using MVC 5 client which is secured by "UseOpenIdConnectAuthentication" and getting all user details in Claims object, this client is calling WAAD secured Web Api by "Bearer" authentication token.

我需要在 web api 中获取用户名或电子邮件.我尝试了不同的选择，但没有任何效果.

I need to fetch username or email in the web api. I tried different options but nothing worked.

我在 Identity.Name 中得到 null，我得到的其他属性如 nameidentifier、objectidentifier、tenanted 等

I am getting null in Identity.Name, other properties I am getting like nameidentifier, objectidentifier, tenanted etc.

请指教.

谢谢

下面是我在 Web 客户端中用于访问令牌的代码.

Below code I am using for access token in Web Client.

string signedInUserID = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value;
            string tenantID = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
            ClientCredential clientcred = new ClientCredential(Startup.clientId, Startup.appKey);
            AuthenticationContext authenticationContext = new AuthenticationContext(Startup.aadInstance + Startup.tenantId, new ADALTokenCache(signedInUserID));
            AuthenticationResult authenticationResult = authenticationContext.AcquireToken(apiResourceId, clientcred);

            return authenticationResult.AccessToken;

启动代码

app.UseOpenIdConnectAuthentication(
                new OpenIdConnectAuthenticationOptions
                {
                    ClientId = clientId,
                    Authority = Authority,
                    PostLogoutRedirectUri = postLogoutRedirectUri,
                    UseTokenLifetime = false,
                    Notifications = new OpenIdConnectAuthenticationNotifications()
                    {
                        // If there is a code in the OpenID Connect response, redeem it for an access token and refresh token, and store those away.
                        AuthorizationCodeReceived = (context) =>
                        {
                            var code = context.Code;
                            ClientCredential credential = new ClientCredential(clientId, appKey);
                            string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
                            AuthenticationContext authContext = new AuthenticationContext(Authority, new ADALTokenCache(signedInUserID));
                            AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(
                            code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, graphResourceId);
                            return Task.FromResult(0);

                        }

以下是代币详情:

推荐答案

您可以通过以下方式获取当前用户的upn:

You can get the upn of current user by :

var upn = ClaimsPrincipal.Current.FindFirst("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn").Value;

其他方式是使用 Microsoft Graph api 获取用户的基本信息，请参考 代表场景.OAuth 2.0 代表流程服务于以下用例:应用程序调用服务/网络 API，后者又需要调用另一个服务/网络 API.请参考 协议说明和代码示例.

Other way is getting user's basic information using Microsoft Graph api , please refer to On-Behalf-Of scenario .The OAuth 2.0 On-Behalf-Of flow serves the use case where an application invokes a service/web API, which in turn needs to call another service/web API. Please refer to protocol explanation and code sample .

更新:

查看您的代码，您正在使用 客户端凭据流 为您的 web api 获取令牌:

Looking into your codes , you are using client credential flow to acquire token for your web api :

AuthenticationResult authenticationResult = authenticationContext.AcquireToken(apiResourceId, clientcred);

OAuth 2.0 客户端凭据授予流程允许 Web 服务(机密客户端)在调用另一个 Web 服务时使用其自己的凭据而不是模拟用户进行身份验证.这就是为什么您无法获取与用户关联的 upn 信息的原因.

The OAuth 2.0 Client Credentials Grant Flow permits a web service (confidential client) to use its own credentials instead of impersonating a user, to authenticate when calling another web service. That's why you can't get upn information which associated with a user .

您可以使用 带有用户身份的授权码流程，请参考代码示例 :

You can use authorization code flow with user's identity , Please refer to code sample :

string userObjectID = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
AuthenticationContext authContext = new AuthenticationContext(Startup.Authority, new NaiveSessionCache(userObjectID));
ClientCredential credential = new ClientCredential(clientId, appKey);
result = await authContext.AcquireTokenSilentAsync(todoListResourceId, credential, new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));

这篇关于如何在受 WAAD 保护的 web api 2 中获取电子邮件的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！