EDIT 10/24 我认为这很可能是用户错误 - 在深入研究这个问题之前,请参阅下面的答案以获得补救措施
TL;DR: 对于我的OAuth 2.0代码流程...
为什么我的TokenCredentials无法与我的AutoRest客户端一起使用?我没有应用于请求/没有授权标头集的承载令牌
I know my pipeline works already..
使用this azure sample中的代码,这不是一个AutoRest客户端,我可以成功获取我的 access_token
并可以从我受保护的Web API项目中获取JSON ..所以我排除了所有必备的东西..我知道我的管道工作
My AutoRest setup..
1.)从GitHub this AutoRest repo v1.1.0下载
2.)将我的招摇JSON下载到磁盘,保存为 swagger.json
3.)运行此命令行以生成C#文件:
autorest --input-file=swagger.json --csharp --output-folder=MyCorp_ApiClient_Tsl --namespace='MyCorp.ApiClient' --add-credentials
4.)将生成的类复制到我的.NET 4.6.2网站中
5.)这些是我的NuGets:
- Microsoft.Rest.ClientRuntime version="2.3.8"
- Microsoft.Rest.ClientRuntime.Azure.Authentication version="2.3.1"
- Microsoft.IdentityModel.Clients.ActiveDirectory version="2.28.3"
Here's what's not working:
AdalTokenHelper tokenHelper = new AdalTokenHelper();//helper code further below
string token = await tokenHelper.GetTokenString();
var svcClientCreds = new TokenCredentials(token, "Bearer");
client = new MyCorp.ApiClient(new Uri(apiRsrcUrl), svcClientCreds,
new DelegatingHandler[] { new MyAzureTracingHandler() });
//make call to OData controller...
MyCorp.ApiClient.Models.ODataResponseListStatus statusList = await client.Status.GetStatusAsync(expand: "StatusType",cancellationToken: defaultCancelThreadToken);
return View(statusList.Value);
我 TokenCredentials
,但无论如何,我可以将我的断点放在 MyAzureTracingHandler
中并看到请求没有应用授权 Headers ..所以我得到了预期的 401 Unauthorized
响应 .
如果我修改 MyAzureTracingHandler
以接受我的 TokenCredentials
实例,那么我可以强制请求应用相应的承载令牌 .
This works, but, feels hack-ish:
我从此更改了原始客户端实例化代码段:
client = new ApiClient(new Uri(apiRsrcUrl), svcClientCreds,
new DelegatingHandler[] { new MyAzureTracingHandler() });
对此:
client = new ApiClient(new Uri(apiRsrcUrl), svcClientCreds,
new DelegatingHandler[] { new MyAzureTracingHandler(svcClientCreds) });
在 MyAzureTracingHander
的 SendAsync
方法中,我这样做:
await svcClientCreds.ProcessHttpRequestAsync(request, cancellationToken);
难道我做错了什么?在实例化我的客户端时,我认为我不应该两次传递 ServiceClientCredentials
.
Appendix A - Getting access token via ADAL:
private string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
private string appKey = ConfigurationManager.AppSettings["ida:ClientSecret"];
private string tslResourceID = ConfigurationManager.AppSettings["ross:TslWebApiResourceId"];
private static string loginRedirectUri = ConfigurationManager.AppSettings["ross:LoginRedirectUri"];
private AuthenticationContext authContext;
private AuthenticationResult authenticationResult;
public async Task<string> GetTokenString()
{
string signedInUserID = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value;
string tenantID = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
string userObjectID = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
try
{
// get a token for the Graph without triggering any user interaction (from the cache, via multi-resource refresh token, etc)
ClientCredential clientcred = new ClientCredential(clientId, appKey);
// initialize AuthenticationContext with the token cache of the currently signed in user, as kept in the app's database
authContext = new AuthenticationContext(Startup.Authority, new ADALTokenCache(userObjectID));
UserIdentifier userIdentifier = new UserIdentifier(userObjectID, UserIdentifierType.UniqueId);
authenticationResult = await authContext.AcquireTokenSilentAsync(tslResourceID, clientcred, userIdentifier);
}
catch(AdalException ex)
{
throw ex;
}
return authenticationResult.AccessToken;
}
1 回答
虽然我相信我用
--add-credentials
运行了autorest
命令,但我可能使用了较旧的语法...--AddCredentials true
我也没有按照文档推荐的那样运行
autorest --reset
其中一个是罪魁祸首,因为现在我的1.1.0 autorest安装正确地生成了一切 .