I am trying to use Microsoft Entra ID for authentication and the Microsoft Graph API to access pages, using the Authorization Code Flow with PKCE for the app registration, and to lock certain pages to specific security groups in Entra ID. I created a Blazor project with Visual Studio and used "Connected Services" to add Microsoft Identity Platform, which created the app registration in my tenant. That worked fine, and I was able to access my pages by authenticating with my Entra ID account. However, I added a few extra lines to Program.cs so that I could add authorization and check users' group membership using Microsoft Graph, and that is when everything went wrong. I can authenticate with Entra ID and view my pages normally until I add these 3 lines after `.AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))`; then it gives me that error.
This does not work:
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
    .EnableTokenAcquisitionToCallDownstreamApi(new string[] { "User.Read.All", "Group.Read.All" }) /*new string[] { "User.Read.All", "Group.Read.All" }*/
    .AddMicrosoftGraph(builder.Configuration.GetSection("MicrosoftGraph"))
    .AddInMemoryTokenCaches();
This works:
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
I also have a Secrets.json connected service, which only has the following JSON content:
"AzureAD:ClientSecret": "xxx-My Secret-xxx" //Not my actual secret, obviously
And this is my global "appsettings.json":
There is also another "appsettings.json" under "wwwroot" like this:
However, the content of the "appsettings.json" under "wwwroot" is like this:
Again, when I do not include the 3 lines after
.AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
it works fine. I can sign in with my Entra ID account and then use the pages. However, with those three lines added as shown above, it no longer works. I need to be able to do this so that certain pages in the web app can only be accessed by members of specific security groups in Entra ID.
Here is how the app registration is set up:
How can I fix this? I tried setting the ClientSecret value in Secrets.json to an empty string, but then it complains that I need to provide a secret. When I don't do that, it complains that I should.
Extra: It says: 0 web, 6 spa, 0 public
Very confused. Help?
Program.cs:
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;
// The using for the project's own Components namespace (where App lives) is project-specific and omitted here.

var builder = WebApplication.CreateBuilder(args);

// Sign-in with Entra ID via OpenID Connect, then acquire a Graph token for the signed-in user.
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
    .EnableTokenAcquisitionToCallDownstreamApi(new string[] { "User.Read.All", "Group.Read.All" }) /*new string[] { "User.Read.All", "Group.Read.All" }*/
    .AddMicrosoftGraph(builder.Configuration.GetSection("MicrosoftGraph"))
    .AddInMemoryTokenCaches();

// Provides the MicrosoftIdentity account controller (sign-in / sign-out endpoints).
builder.Services.AddControllersWithViews()
    .AddMicrosoftIdentityUI();

builder.Services.AddAuthorization(options =>
{
    // By default, all incoming requests will be authorized according to the default policy
    options.FallbackPolicy = options.DefaultPolicy;
});

builder.Services.AddRazorComponents()
    .AddInteractiveServerComponents();

var app = builder.Build();

// Configure the HTTP request pipeline.
if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error", createScopeForErrors: true);
    app.UseHsts();
}

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseAntiforgery();

app.MapRazorComponents<App>()
    .AddInteractiveServerRenderMode();

app.Run();
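For reference, the following is an added example of the setup the question is aiming at (a Blazor Web App that signs users in with Entra ID, acquires a Graph token for the signed-in user, and restricts pages to members of one security group); it is not the poster's code, and it rests on assumptions the post does not state: the app registration is configured to emit the "groups" claim for security groups (Token configuration > Add groups claim), the allowed group's object id is stored in configuration under a hypothetical "AzureAd:AllowedGroupId" key, and "MembersOnly" is a made-up policy name.

```csharp
// Added example, not the original poster's code. Assumptions (not in the post):
//  - the app registration emits the "groups" claim for security groups, so each
//    group's object id arrives in the ID token;
//  - the allowed group's object id is stored as "AzureAd:AllowedGroupId" (hypothetical key);
//  - "MembersOnly" is a hypothetical policy name chosen for this example.
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

// The client secret is read from user secrets at development time and must never live in
// appsettings.json. The section name must match the configuration files ("AzureAd").
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
    // Delegated Graph scopes requested on behalf of the signed-in user; both need admin consent.
    .EnableTokenAcquisitionToCallDownstreamApi(new[] { "User.Read.All", "Group.Read.All" })
    .AddMicrosoftGraph(builder.Configuration.GetSection("MicrosoftGraph"))
    .AddInMemoryTokenCaches();

// Fail at startup rather than on the first request if the group id is not configured.
string allowedGroupId = builder.Configuration["AzureAd:AllowedGroupId"]
    ?? throw new InvalidOperationException("AzureAd:AllowedGroupId is not configured.");

builder.Services.AddAuthorization(options =>
{
    // Deny by default: every endpoint requires an authenticated user unless it opts out
    // with [AllowAnonymous]. This is what the Connected Services template already sets.
    options.FallbackPolicy = options.DefaultPolicy;

    // Group-restricted pages: the group's object id must appear in the "groups" claim.
    // Compare on the object id, never on the display name, which can change or be duplicated.
    options.AddPolicy("MembersOnly", policy =>
        policy.RequireAuthenticatedUser()
              .RequireClaim("groups", allowedGroupId));
});

builder.Services.AddControllersWithViews()
    .AddMicrosoftIdentityUI();   // /MicrosoftIdentity/Account/SignIn and SignOut

builder.Services.AddRazorComponents()
    .AddInteractiveServerComponents();

var app = builder.Build();

if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error", createScopeForErrors: true);
    app.UseHsts();
}

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseAuthentication();   // must precede UseAuthorization and UseAntiforgery
app.UseAuthorization();
app.UseAntiforgery();

app.MapControllers();      // routes the MicrosoftIdentity account controller
app.MapRazorComponents<App>()
    .AddInteractiveServerRenderMode();

app.Run();
```

A page is then restricted by putting `@attribute [Authorize(Policy = "MembersOnly")]` at the top of its .razor file; users outside the group are authenticated but get the access-denied page. One caveat a claim-based check carries: when a user belongs to more groups than a token can carry, Entra ID omits the "groups" claim and emits an overage indicator (`_claim_names` / `_claim_sources`) instead, so such users are denied by this policy even when they are members. That overage case is the reason to fall back to a Graph membership check (which is what the `EnableTokenAcquisitionToCallDownstreamApi` / `AddMicrosoftGraph` lines make possible), or to use app roles assigned to the group instead of raw group ids.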