Dante R.

Reputation: 932

Get Azure AD token on behalf of user - NetCore2

I'm trying to get the Azure AD token on behalf of user so I can access some resources through an Azure AD App (the app connects to the SharePoint Online API).

My problem is getting the token on behalf of the user. I added an Azure AD app with permissions as the Auth method in my app (auto-added using Visual Studio 2017). Is there any way to get the token on behalf of the user using the built-in authentication? (since it already redirects the user to sign in if he isn't already).

I've tried something like this, but I assume this token is for the app, not on behalf of the user (and gives 401 if I try to access SharePoint).

using Microsoft.IdentityModel.Clients.ActiveDirectory;

string clientId = "xxxxxxxx";        // C# string literals use double quotes
string clientSecret = "xxxxxxxxx";
var credential = new ClientCredential(clientId, clientSecret);
// ADAL AuthenticationContext for the tenant authority
var authContext = new AuthenticationContext("https://login.microsoftonline.com/MYSITE.onmicrosoft.com");

// Client credentials grant: the token represents the app itself, not the signed-in user
AuthenticationResult result = await authContext.AcquireTokenAsync("https://MYSITE.onmicrosoft.com/APPID", credential);

Upvotes: 1

Views: 3024

Answers (2)

Nan Yu

Reputation: 27588

Is there any way to get the token on behalf of the user using the built-in authentication? (since it already redirects the user to sign in if he isn't already).

Yes, after the user is authenticated, you should acquire an access token for accessing the SharePoint Online API / Microsoft Graph API.

You can use the OpenID Connect middleware and the Active Directory Authentication Library (ADAL.NET) to obtain a JWT bearer token for the signed-in user using the OAuth 2.0 protocol:

// Because we signed in already in the WebApp, the userObjectId is known
string userObjectID = (User.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier"))?.Value;

// Using ADAL.NET, get a bearer token to access the TodoListService (the token cache is per user)
AuthenticationContext authContext = new AuthenticationContext(AzureAdOptions.Settings.Authority, new NaiveSessionCache(userObjectID, HttpContext.Session));
ClientCredential credential = new ClientCredential(AzureAdOptions.Settings.ClientId, AzureAdOptions.Settings.ClientSecret);
AuthenticationResult result = await authContext.AcquireTokenSilentAsync(AzureAdOptions.Settings.TodoListResourceId, credential, new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));

You can refer to the code sample: Calling a web API in an ASP.NET Core web application using Azure AD. Please replace the resource with the SharePoint Online API / Microsoft Graph API to meet your requirement.

I've tried something like this, but I assume this token is for the app, not on behalf of the user (and gives 401 if I try to access SharePoint).

Yes, your code is using the client credentials grant flow, which uses the app's own credentials instead of impersonating a user to authenticate when calling another web service.

Upvotes: 2
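The pattern the answer describes, written out end to end as an added example (this is not code from the question, the answers, or the linked Microsoft sample): the OpenID Connect middleware hands the authorization code to ADAL.NET, which redeems it for a delegated token and stores it in a per-user session cache; a controller later fetches it silently; a small diagnostic tells a delegated token (has an "scp" claim) from an app-only client-credentials token (has "roles" instead), which is the difference behind the 401 in the question. The SharePoint resource URL, the class names SessionTokenCache and DelegatedTokens, and the method names are assumptions for this example.

```csharp
// Added example: delegated (on-behalf-of-user) token acquisition in ASP.NET Core 2 with ADAL.NET v3.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Http;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public static class DelegatedTokens
{
    const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";

    // Assumption: the SharePoint Online REST resource identifier is the tenant's root site URL.
    public const string SharePointResource = "https://<tenant>.sharepoint.com";

    // 1. Startup: hook as options.Events.OnAuthorizationCodeReceived in AddOpenIdConnect(...).
    //    Redeems the code for a token that represents the signed-in user and caches it per user.
    public static async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedContext ctx)
    {
        string userObjectId = ctx.Principal.FindFirst(ObjectIdClaim)?.Value;
        var authContext = new AuthenticationContext(ctx.Options.Authority,
            new SessionTokenCache(userObjectId, ctx.HttpContext.Session));
        var credential = new ClientCredential(ctx.Options.ClientId, ctx.Options.ClientSecret);
        var redirectUri = new Uri(ctx.Properties.Items[OpenIdConnectDefaults.RedirectUriForCodePropertiesKey]);

        AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(
            ctx.ProtocolMessage.Code, redirectUri, credential, SharePointResource);

        // Tell the middleware the code is already redeemed so it is not redeemed a second time.
        ctx.HandleCodeRedemption(result.AccessToken, ctx.ProtocolMessage.IdToken);
    }

    // 2. Controller: fetch the cached user token silently (ADAL refreshes it if needed).
    //    Returns null when no token for this user can be obtained; the caller should
    //    challenge the user again rather than fall back to an app-only token.
    public static async Task<string> GetSharePointTokenAsync(ClaimsPrincipal user, ISession session,
        string authority, string clientId, string clientSecret)
    {
        string userObjectId = user.FindFirst(ObjectIdClaim)?.Value;
        var authContext = new AuthenticationContext(authority, new SessionTokenCache(userObjectId, session));
        var credential = new ClientCredential(clientId, clientSecret);
        try
        {
            AuthenticationResult result = await authContext.AcquireTokenSilentAsync(
                SharePointResource, credential, new UserIdentifier(userObjectId, UserIdentifierType.UniqueId));
            return result.AccessToken;
        }
        catch (AdalSilentTokenAcquisitionException)
        {
            return null; // cache empty or refresh token expired: sign the user in again
        }
    }

    // 3. Diagnostic: a delegated token carries "scp" (delegated permissions granted to the user);
    //    an app-only client-credentials token carries "roles" and no "scp".
    public static bool IsDelegatedToken(string accessToken)
    {
        JwtSecurityToken jwt = new JwtSecurityTokenHandler().ReadJwtToken(accessToken);
        return jwt.Claims.Any(c => c.Type == "scp");
    }
}

// Per-user token cache backed by the ASP.NET Core session, keyed on the user's object id,
// so one user's cached tokens are never handed to another user (same idea as NaiveSessionCache).
public class SessionTokenCache : TokenCache
{
    private readonly string _cacheKey;
    private readonly ISession _session;

    public SessionTokenCache(string userObjectId, ISession session)
    {
        _cacheKey = "TokenCache_" + userObjectId;
        _session = session;
        BeforeAccess = args =>
        {
            byte[] blob = _session.Get(_cacheKey);
            if (blob != null) Deserialize(blob);
        };
        AfterAccess = args =>
        {
            if (HasStateChanged)
            {
                _session.Set(_cacheKey, Serialize());
                HasStateChanged = false;
            }
        };
    }
}
```

Call GetSharePointTokenAsync from a controller action with User, HttpContext.Session and the values from your Azure AD options, then send the result as a Bearer token to SharePoint; if IsDelegatedToken returns false on a token that gets 401, the token was issued to the app rather than to the user.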

Tom Sun

Reputation: 24569

I'm trying to get the Azure AD token on behalf of user so I can access some resources through an Azure AD App (the app connects to the SharePoint Online API).

If we want to access SharePoint, we need to create an app in Azure AD that has permissions to access the API. And don't forget to grant permissions.

The Microsoft Graph enables developers to access data from multiple Microsoft Cloud services including:

  • Azure AD (for users and groups)
  • Office 365
  • SharePoint Online
  • Exchange Online
  • OneDrive for Business
  • OneNote
  • Planner
  • Excel
  • OneDrive Consumer
  • Outlook.com


Another thing is that the resource should be https://graph.microsoft.com not your application.

The following is the demo code:

private static async Task<string> GetAppTokenAsync(string tenantId, string clientId, string username, string password)
{
    var graphResource = "https://graph.microsoft.com";
    // The authority is the tenant endpoint; ADAL appends /oauth2/authorize and /oauth2/token itself.
    string aadInstance = "https://login.microsoftonline.com/" + tenantId;
    // Instantiate an AuthenticationContext for my directory (authority validation disabled).
    AuthenticationContext authenticationContext = new AuthenticationContext(aadInstance, false);
    // Create a UserPasswordCredential: this is the resource owner password credentials flow,
    // which sends the user's own username and password to Azure AD (username is in email format).
    UserPasswordCredential credential = new UserPasswordCredential(username, password);
    // Acquire an access token for Microsoft Graph (the resource) as that user, using the app's client ID.
    AuthenticationResult authenticationResult = await authenticationContext.AcquireTokenAsync(graphResource, clientId, credential);
    // Return the access token.
    return authenticationResult.AccessToken;
}

Upvotes: 1
