我正在构建一个应用程序,允许用户操作Azure资源和Azure存储,因此我需要访问多个受众,但是,在Azure中不可能有一个令牌和多个受众。所以我使用这个教程
https://learn.microsoft.com/bs-latn-ba/azure/active-directory/develop/msal-net-user-gets-consent-for-multiple-resources
我的代码看起来像:
IPublicClientApplication client = PublicClientApplicationBuilder.Create(clientId)
.WithAuthority(AadAuthorityAudience.AzureAdMultipleOrgs)
.WithDefaultRedirectUri()
// .WithRedirectUri($"msal{clientId}://auth")
.Build();
var accounts = client.GetAccountsAsync().Result;
string[] scopes = { "https://management.azure.com/user_impersonation" };
string[] scopestorage = { "https://storage.azure.com/user_impersonation" };
var result = client.AcquireTokenInteractive(scopes)
.WithAccount(accounts.FirstOrDefault())
.WithExtraScopesToConsent(scopestorage)
.ExecuteAsync().Result;
var result2= client.AcquireTokenSilent(scopestorage, accounts.FirstOrDefault()).ExecuteAsync();
但我在执行AcquireTokenInteractive方法时遇到异常
Microsoft.Identity.Client.MsalUiRequiredException: 'No account or login hint was passed to the AcquireTokenSilent call.'
此外,当我在本地查看我的变量"accounts"时,我可以看到Count=0,其中什么都没有。
任何指向解决方案的指针都将不胜感激。
问候
Vincent
您需要对代码进行一些更改。以下是工作样品供您参考:
string[] scopes = { "https://management.azure.com/user_impersonation" };
string[] scopestorage = { "https://storage.azure.com/user_impersonation" };
IPublicClientApplication client = PublicClientApplicationBuilder
.Create("cbc32712-ac27-4532-802d-303998a6e712")
.WithRedirectUri("https://login.microsoftonline.com/common/oauth2/nativeclient")
.Build();
var result = client.AcquireTokenInteractive(scopes)
.ExecuteAsync().Result;
var accounts = client.GetAccountsAsync().Result;
var result2 = client.AcquireTokenSilent(scopestorage, accounts.FirstOrDefault()).ExecuteAsync().Result;
注意:
1.由于您将使用AcquireTokenSilent
方法获得存储资源的访问令牌,请确保您已授予应用程序访问此资源的用户/管理员同意。
2.对于不同的资源端点,不能使用WithExtraScopesToConsent
方法。