使用REST API的Dynamics CRM和Azure的AD 401-未经授权认证 [英] 401- Unauthorized authentication using REST API Dynamics CRM with Azure AD
问题描述
我试图访问与Azure的AD OAuth的认证2一Dynamics CRM Online中REST API。为了做到这一点我遵循下列步骤操作:
- 我已经登记在Azure中
Web应用程序和/或Web API
- 配置权限,以动态CRM具有委托权限访问CRM在线为组织用户
- 而且创造了1年期满密钥,并保持生成的客户端ID。
在Azure上进行配置的Web应用程序后,我已经创建了一个使用ADAL做一个简单的要求,在这种情况下获取帐户列表.NET / C#控制台应用程序:
I'm trying to access a Dynamics CRM Online REST API with Azure AD oAuth 2 Authentication. In order to do so I followed these steps:
- I've registered a web application and/or web api in Azure
- Configured the permissions to Dynamics CRM to have Delegated permissions "Access CRM Online as organization user"
- And created a Key with a 1 year expiration and kept the Client ID generated.
After the web app was configured on Azure I have created a Console application in .NET/C# that uses ADAL to make a simple request, in this case to retrieve a list of accounts:
class Program
{
private static string ApiBaseUrl = "https://xxxxx.api.crm4.dynamics.com/";
private static string ApiUrl = "https://xxxxx.api.crm4.dynamics.com/api/data/v8.1/";
private static string ClientId = "2a5dcdaf-2036-4391-a3e5-9d0852ffe3f2";
private static string AppKey = "symCaAYpYqhiMK2Gh+E1LUlfxbMy5X1sJ0/ugzM+ur0=";
static void Main(string[] args)
{
AuthenticationParameters ap = AuthenticationParameters.CreateFromResourceUrlAsync(new Uri(ApiUrl)).Result;
var clientCredential = new ClientCredential(ClientId, AppKey);
var authenticationContext = new AuthenticationContext(ap.Authority);
var authenticationResult = authenticationContext.AcquireToken(ApiBaseUrl, clientCredential);
var httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", authenticationResult.AccessToken);
var result = httpClient.GetAsync(Path.Combine(ApiUrl, "accounts")).Result;
}
}
我检索一个访问令牌成功,但是当我尝试做一个HTT prequest到CRM我总是得到的 401 - Unauthorized状态code 。我缺少什么?
推荐答案
我不认为你就可以得到解决提供用户凭据至少有某种集成账户中。你能避免一个更传统的弹出/重定向具有以下OAUTH流量:
I don't think you'll be able to get around providing user credentials to at least some kind of "integration account". You can avoid a more traditional popup/redirect OAUTH flow with the following:
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using System;
using System.IO;
using System.Net;
namespace ConsoleApplication2
{
class Program
{
private static string API_BASE_URL = "https://<CRM DOMAIN>/";
private static string API_URL = "https://<CRM DOMAIN>/api/data/v8.1/";
private static string CLIENT_ID = "<CLIENT ID>";
static void Main(string[] args)
{
var userCredential = new UserCredential("<USERNAME>", "<PASSWORD>");
var authContext = new AuthenticationContext("https://login.windows.net/common", false);
var result = authContext.AcquireToken(API_BASE_URL, CLIENT_ID, userCredential);
var httpClient = HttpWebRequest.CreateHttp(Path.Combine(API_URL, "accounts"));
httpClient.Headers.Add(HttpRequestHeader.Authorization, "Bearer:" + result.AccessToken);
using (var sr = new StreamReader(httpClient.GetResponse().GetResponseStream()))
{
Console.WriteLine(sr.ReadToEnd());
}
Console.ReadLine();
}
}
}
请注意:我使用ADAL的旧版本( 2.19.208020213 ),因为它出现在密码
参数已被取出 UserCredential
构造。
Note: I'm using an older version of ADAL (2.19.208020213) as it appears the password
parameter has been taken out of the UserCredential
constructor.
这篇关于使用REST API的Dynamics CRM和Azure的AD 401-未经授权认证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!