使用REST API的Dynamics CRM和Azure的AD 401-未经授权认证 [英] 401- Unauthorized authentication using REST API Dynamics CRM with Azure AD

问题描述

我试图访​​问与Azure的AD OAuth的认证2一Dynamics CRM Online中REST API。为了做到这一点我遵循下列步骤操作：


- 我已经登记在Azure中
Web应用程序和/或Web API
- 配置权限，以动态CRM具有委托权限访问CRM在线为组织用户

- 而且创造了1年期满密钥，并保持生成的客户端ID。



在Azure上进行配置的Web应用程序后，我已经创建了一个使用ADAL做一个简单的要求，在这种情况下获取帐户列表.NET / C＃控制台应用程序：

I'm trying to access a Dynamics CRM Online REST API with Azure AD oAuth 2 Authentication. In order to do so I followed these steps:

- I've registered a web application and/or web api in Azure
- Configured the permissions to Dynamics CRM to have Delegated permissions "Access CRM Online as organization user"
- And created a Key with a 1 year expiration and kept the Client ID generated.

After the web app was configured on Azure I have created a Console application in .NET/C# that uses ADAL to make a simple request, in this case to retrieve a list of accounts:

    class Program
{
    private static string ApiBaseUrl = "https://xxxxx.api.crm4.dynamics.com/";
    private static string ApiUrl = "https://xxxxx.api.crm4.dynamics.com/api/data/v8.1/";
    private static string ClientId = "2a5dcdaf-2036-4391-a3e5-9d0852ffe3f2";
    private static string AppKey = "symCaAYpYqhiMK2Gh+E1LUlfxbMy5X1sJ0/ugzM+ur0=";

    static void Main(string[] args)
    {
        AuthenticationParameters ap = AuthenticationParameters.CreateFromResourceUrlAsync(new Uri(ApiUrl)).Result;

        var clientCredential = new ClientCredential(ClientId, AppKey);

        var authenticationContext = new AuthenticationContext(ap.Authority);
        var authenticationResult = authenticationContext.AcquireToken(ApiBaseUrl, clientCredential);

        var httpClient = new HttpClient();
        httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", authenticationResult.AccessToken);

        var result = httpClient.GetAsync(Path.Combine(ApiUrl, "accounts")).Result;         
    }
}

我检索一个访问令牌成功，但是当我尝试做一个HTT prequest到CRM我总是得到的 401 - Unauthorized状态code 。我缺少什么？

推荐答案

我不认为你就可以得到解决提供用户凭据至少有某种集成账户中。你能避免一个更传统的弹出/重定向具有以下OAUTH流量：

I don't think you'll be able to get around providing user credentials to at least some kind of "integration account". You can avoid a more traditional popup/redirect OAUTH flow with the following:

using Microsoft.IdentityModel.Clients.ActiveDirectory;
using System;
using System.IO;
using System.Net;

namespace ConsoleApplication2
{
    class Program
    {
        private static string API_BASE_URL = "https://<CRM DOMAIN>/";
        private static string API_URL = "https://<CRM DOMAIN>/api/data/v8.1/";
        private static string CLIENT_ID = "<CLIENT ID>";

        static void Main(string[] args)
        {
            var userCredential = new UserCredential("<USERNAME>", "<PASSWORD>");
            var authContext = new AuthenticationContext("https://login.windows.net/common", false);
            var result = authContext.AcquireToken(API_BASE_URL, CLIENT_ID, userCredential);

            var httpClient = HttpWebRequest.CreateHttp(Path.Combine(API_URL, "accounts"));
            httpClient.Headers.Add(HttpRequestHeader.Authorization, "Bearer:" + result.AccessToken);
            using (var sr = new StreamReader(httpClient.GetResponse().GetResponseStream()))
            {
                Console.WriteLine(sr.ReadToEnd());
            }

            Console.ReadLine();
        }
    }
}

请注意：我使用ADAL的旧版本（ 2.19.208020213 ），因为它出现在密码参数已被取出 UserCredential 构造。

Note: I'm using an older version of ADAL (2.19.208020213) as it appears the password parameter has been taken out of the UserCredential constructor.

这篇关于使用REST API的Dynamics CRM和Azure的AD 401-未经授权认证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！