如何在 SPA 应用程序中从 Web API 访问 Graph API [英] How to access Graph API from Web API in SPA application

问题描述

我有一个与 WebAPI 对话的 Angular 应用程序，并且用户通过 Azure Active Directory 进行身份验证

I have an Angular application that talks to the WebAPI and the users are authenticated against Azure Active Directory

我按照这里的示例 https://github.com/Azure-Samples/active-directory-angularjs-singlepageapp-dotnet-webapi 并且能够针对 AD 对用户进行身份验证并将其传递给 Web API.

I followed the sample here https://github.com/Azure-Samples/active-directory-angularjs-singlepageapp-dotnet-webapi and was able to authenticate user against AD and pass that along to the Web API.

但是我想在 Web API 中访问 Graph API 并获取当前用户配置文件信息.如何设置?

However I want to access the Graph API in the Web API and get the current user profile information. How can I set it up?

已更新以提供有关设置的更多背景信息:

我有一个托管 html 和 javascript 文件的网站 (site.domain1.com)，它制作了一个 SPA 应用程序.我在 api.domain2.com 上托管了 Web API.身份验证针对 Azure AD，使用带有 ADAL.js 和 angular-adal 的 OAuth 隐式流.我想在 SPA 中进行身份验证以获取 API 的 accessToken.我希望在 API 中作为查询 Graph API 的请求的一部分，以获取有关当前用户登录的更多信息.

I have a web site (site.domain1.com) that hosts html and javascript files which makes a SPA application. I have Web API hosted on api.domain2.com. The authentication is against Azure AD using OAuth implicit flow with ADAL.js and angular-adal. I want to authenticate in SPA to get the accessToken for the API. And I want in the API as the part of the request to query Graph API to get more information about current user logged in.

我能够获取 API 的 accessToken 并且它目前会生成 Claims Principal.问题是用我在 Web API 中的当前身份查询 Graph API.

I'm able to get the accessToken for the API and it produces the Claims Principal currently. The problem is to query the Graph API with the current identity I have in the Web API.

更新:

我不想将管理员权限授予 Web API，但我想将用户同意仅转发给浏览器的读取用户配置文件"到网站和 Web API.

I don't want to give Admin Privileges to the Web API but I rather want to forward the user consent for just the 'Read user profile" from browser to the web site and to the web api.

我对位于此处的示例使用了类似的方法 https://github.com/Azure-Samples/active-directory-dotnet-webapi-onbehalfof

I used similar approach to On Behalf Of sample located here https://github.com/Azure-Samples/active-directory-dotnet-webapi-onbehalfof

它适用于我的测试 AD 并且不适用于生产 AD 的问题.说用户需要在使用 Graph Api 之前集中应用程序.(对于生产 AD，我只有用户可以添加用户权限，但不能添加应用程序权限.我的猜测是该方案工作我需要 AD 的全局管理员首先集中).最终，我最终将用于网站和 Web API 的 Azure AD 应用程序合并在一起，并且它使用了与 Bootstrap Tokens 相同的 On Behalf Of 方法.但我想知道如何让它与 2 个应用程序一起正常工作.

The problem that it worked for my test AD and didn't work for production AD. Saying that user needs to concent the App before using the Graph Api.(For prodution AD I only had user could add user privileges but not the application privileges. My guess is for that scheme to work I needed Global Admin of the AD to concent first). Eventually I ended up merging Azure AD applications for Web Site and Web API together and it worked with the same On Behalf Of approach with Bootstrap Tokens. But I want to know how to make it work properly with 2 Applications.

推荐答案

请看样例:https://github.com/Azure-Samples/active-directory-dotnet-graphapi-web.示例中有一些访问 Graph API 和获取用户配置文件的代码:

Please see the sample: https://github.com/Azure-Samples/active-directory-dotnet-graphapi-web. There are some code to access Graph API and get user profile in the sample:

ClientCredential credential = new ClientCredential(clientId, appKey);
AuthenticationResult result = authContext.AcquireTokenSilent(graphResourceId, credential, new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));

// Call the Graph API manually and retrieve the user's profile.
string requestUrl = String.Format(CultureInfo.InvariantCulture, graphUserUrl, HttpUtility.UrlEncode(tenantId));
HttpClient client = new HttpClient();
HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, requestUrl);
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
HttpResponseMessage response = await client.SendAsync(request);

// Return the user's profile in the view.
if (response.IsSuccessStatusCode) {
    string responseString = await response.Content.ReadAsStringAsync();
    profile = JsonConvert.DeserializeObject<UserProfile>(responseString);
}

您可以从此处查看更多信息:https://azure.microsoft.com/en-us/documentation/articles/active-directory-code-samples/#calling-azure-ad-graph-api

You could see more information from here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-code-samples/#calling-azure-ad-graph-api

这篇关于如何在 SPA 应用程序中从 Web API 访问 Graph API的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！