
c# - Microsoft Graph API tests - getting access on behalf of a user

Reposted. Author: 行者123. Updated: 2023-12-05 05:06:45

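I have code that uses the Graph API (.NET Core 3.1) to create an extension for users. I have a test project for this code. But I need to authenticate as a user in order to create and use the GraphServiceClient (this user has the Global Administrator role).

The goal is to have working code that creates a schemaExtension for User.

Now, to create the extension, the client must have the delegated permission Directory.AccessAsUser.All granted to the registered application in the portal. But since this is a delegated permission, I need to authenticate as a user (in the test code). So my options for the authentication provider are:

  • Authorization Code Provider
  • On-Behalf-Of Provider
  • Interactive Provider

For the Authorization Code Provider: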

    List<string> scopes = new List<string> { "Directory.AccessAsUser.All" };

    IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
        .Create(_appClientId.ToString())
        .WithRedirectUri(_redirectUri)
        .WithClientSecret(_appSecret) // or .WithCertificate(certificate)
        .Build();

    AuthorizationCodeProvider authProvider = new AuthorizationCodeProvider(confidentialClientApplication, scopes);
    _graphServiceClient = new GraphServiceClient(authProvider);

I get an exception:

Microsoft.Graph.Auth.AuthenticationException : Code: authenticationChallengeRequired

For the On-Behalf-Of Provider:

    IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
        .Create(_appClientId.ToString())
        .WithRedirectUri(_redirectUri)
        .WithClientSecret(_appSecret)
        .Build();

    OnBehalfOfProvider authProvider = new OnBehalfOfProvider(confidentialClientApplication, scopes);

    _graphServiceClient = new GraphServiceClient(authProvider);

I get a

NullReferenceException

on this line, when I try to actually create the schema:

    SchemaExtension extension = await _graphServiceClient.SchemaExtensions.Request().AddAsync(schemaExtension);

For the Interactive Provider:

    IPublicClientApplication publicClientApplication = PublicClientApplicationBuilder
        .Create(clientId)
        .Build();

    InteractiveAuthenticationProvider authProvider = new InteractiveAuthenticationProvider(publicClientApplication, scopes);

I get:

Microsoft.Identity.Client.MsalClientException : Only loopback redirect uri is supported, but urn:ietf:wg:oauth:2.0:oob was found. Configure http://localhost or http://localhost:port both during app registration and when you create the PublicClientApplication object.

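I don't understand the last one at all. So how can I get this delegated authentication to work?

Addition

Here is the code that creates the extension, but it does not depend on the authorization: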

    SchemaExtension schemaExtension = new SchemaExtension
    {
        Id = schemaName.Trim(),
        // Owner = _appClientId.ToString(),
        Description = string.IsNullOrWhiteSpace(schemaDesc) ? string.Empty : schemaDesc.Trim(),
        TargetTypes = new List<string>
        {
            "User"
        },
        Properties = new List<ExtensionSchemaProperty>
        {
            new ExtensionSchemaProperty
            {
                Name = "isGlobalAdmin",
                Type = "Boolean"
            },
            new ExtensionSchemaProperty
            {
                Name = "isOrganizationAdmin",
                Type = "Boolean"
            }
        }
    };

    SchemaExtension extension = await GraphClient.SchemaExtensions.Request().AddAsync(schemaExtension); // GraphClient here === _graphServiceClient in the code above

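Best answer

According to my research, the different providers for Microsoft Graph use different protocols and are suited to different environments. For more details, please refer to the document

For the Authorization Code Provider:

It uses the OAuth 2.0 authorization code flow. Generally, we use it for the case of a web app accessing a web API. For more details, please refer to the document

For the Interactive Provider

It uses the OAuth 2.0 authorization code flow. Usually, we use it for desktop applications (such as WPF). Also, please note that when we use the provider with MSAL.NET, we must register "http://localhost" as a Public client (mobile & desktop) redirect URI for your AD application. For more details, please refer to the document

Update

If we want to use the Interactive Provider to call Microsoft Graph, please refer to the following steps

  1. Register the Azure AD application
  2. Configure permissions
  3. Code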

    using System;
    using System.Collections.Generic;
    using System.Threading.Tasks;
    using Microsoft.Graph;
    using Microsoft.Graph.Auth;
    using Microsoft.Identity.Client;

    class Program
    {
        static async Task Main(string[] args)
        {
            var clientId = "476944ed-e57c-4b2c-b18d-93b5dd5f1bca";
            string[] scopes = { "Directory.AccessAsUser.All" };

            // please provide the redirect url http://localhost when you create the client
            IPublicClientApplication publicClientApplication = PublicClientApplicationBuilder
                .Create(clientId)
                .WithRedirectUri("http://localhost")
                .Build();

            // Opens the system browser so the user can sign in and consent to the delegated scope
            InteractiveAuthenticationProvider authProvider = new InteractiveAuthenticationProvider(publicClientApplication, scopes);

            var graphClient = new GraphServiceClient(authProvider);
            var schemaExtension = new SchemaExtension
            {
                Id = "courses",
                Description = "Graph Learn training courses extensions",
                TargetTypes = new List<string>()
                {
                    "Group"
                },
                Properties = new List<ExtensionSchemaProperty>()
                {
                    new ExtensionSchemaProperty
                    {
                        Name = "courseId",
                        Type = "Integer"
                    },
                    new ExtensionSchemaProperty
                    {
                        Name = "courseName",
                        Type = "String"
                    },
                    new ExtensionSchemaProperty
                    {
                        Name = "courseType",
                        Type = "String"
                    }
                }
            };

            // Create the schema extension and print the target types returned by Graph
            var result = await graphClient.SchemaExtensions.Request().AddAsync(schemaExtension);
            foreach (var type in result.TargetTypes)
            {
                Console.WriteLine(type);
            }
        }
    }


Regarding c# - Microsoft Graph API tests - getting access on behalf of a user, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/59635587/
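
A diagnostic check a test project can run on an access token before calling Graph, added here as an example and not code from the original question or answer: it tells a delegated (user) token, which carries its scopes in the `scp` claim, from an app-only token, which carries `roles` instead. The class and method names and the sample tokens are constructed for illustration, and the signature is not validated.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

static class DelegatedTokenCheck
{
    // Decode the payload (second segment) of a compact JWT without validating the signature.
    // Diagnostic use only: this inspects claims, it does not authenticate the token.
    static JsonElement DecodePayload(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Not a compact JWT");
        // base64url -> base64, then restore the stripped padding
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        string json = Encoding.UTF8.GetString(Convert.FromBase64String(b64));
        using JsonDocument doc = JsonDocument.Parse(json);
        return doc.RootElement.Clone();
    }

    // True only for a delegated token whose space-separated scp claim contains the scope.
    public static bool HasDelegatedScope(string jwt, string scope)
    {
        JsonElement claims = DecodePayload(jwt);
        if (!claims.TryGetProperty("scp", out JsonElement scp) || scp.ValueKind != JsonValueKind.String)
            return false; // app-only tokens have "roles" and no "scp"
        return scp.GetString().Split(' ').Contains(scope, StringComparer.Ordinal);
    }

    static string B64Url(string s) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(s)).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static void Main()
    {
        // Constructed sample tokens (fake header, payload and signature), not real Azure AD output.
        string header = B64Url("{\"alg\":\"none\"}");
        string user = header + "." + B64Url("{\"scp\":\"Directory.AccessAsUser.All User.Read\"}") + ".sig";
        string app = header + "." + B64Url("{\"roles\":[\"Directory.ReadWrite.All\"]}") + ".sig";

        Console.WriteLine(HasDelegatedScope(user, "Directory.AccessAsUser.All")); // delegated token
        Console.WriteLine(HasDelegatedScope(app, "Directory.AccessAsUser.All"));  // app-only token
    }
}
```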
